Using .htaccess, prevent users from accessing resource directories, and yet allow the source code to access resources

16,440

To prevent someone from viewing your images directory, you need to disallow directory listing. http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/

You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.

Options -Indexes will prevent people from listing the files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/

To secure data from being viewed by people who shouldn't see it, you can use authentication. You can set up a login field with htaccess, or script one with, for example, PHP or Python.

Login script with htaccess: Script: http://www.htaccesstools.com/htpasswd-generator/ Password file: http://www.htaccesstools.com/htaccess-authentication/

Author by

Starkers

Updated on July 04, 2022
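
The distinction the answer draws, as an added configuration example (not part of the original answer or the asker's site): browser-loaded assets only get their listing disabled, while a directory that is read only from disk by PHP includes or cron can be denied over HTTP. The directory names `images/` and `scripts/` are assumptions based on the question's description.

```apache
# ---- images/.htaccess (assumed directory name) ----
# Weak choice for this directory: "deny from all" also blocks the browser's
# own requests for each image, so the pages lose their pictures.
# Corrected: keep files fetchable by URL, but turn off the generated index.
# Requires AllowOverride Options (or All) in the server config.
Options -Indexes

# ---- scripts/.htaccess (assumed directory name) ----
# Holds PHP that is only include()d by other PHP or run by cron via the
# PHP command line. .htaccess rules apply to HTTP requests handled by
# Apache, not to files read from disk, so includes and the cron job keep
# working while any request for a URL under scripts/ gets 403 Forbidden.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later (needs AllowOverride AuthConfig)
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (needs AllowOverride Limit)
    Order allow,deny
    Deny from all
</IfModule>
```

This only fits files the browser never requests itself; CSS, JavaScript and images referenced from a page have to remain reachable by URL.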

Comments

  • Starkers
    Starkers almost 2 years

    Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my CSS, PHP scripts, images, JavaScript, etc.

    I used an .htaccess file in my images directory that contained

    deny from all
    

    to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.

    I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.

    Also, is using .htaccess files even the best way to secure a site?

  • Starkers
    Starkers about 11 years
    Thanks, Options -Indexes is good for stopping people from entering directories. However, they can still access files if they know the path, which I want to prevent them from doing. Is there any way to achieve this without using the login script? I mean, it's only the source code that is accessing the files, not a group of users. How would this work with a cron job?
  • ivodvb
    ivodvb about 11 years
    There is no way to prevent direct access to the files, because direct access is needed to even show the image. Do you want to prevent hotlinking? Because that's possible. Please see altlab.com/htaccess_tutorial.html and for a generator: htaccesstools.com/hotlink-protection