What are the different approaches to securing a directory?

1. Including an index page so the contents can't be viewed.

   The problem with this is that people can still access the files if they know the filename they're after.

2. Including an htaccess file to deny all.

   This seems to be the best approach, but is there any case in which an htaccess file can be bypassed? Are there also any cases where htaccess is not available?

3. Restricting folder access.

   This is also a nice solution, but the problem is that the folder I'm trying to secure has to be viewable and writable by the program.

Are there any other ways that folder security can be done?

+2  A: 

Best practice for Apache is to use htaccess to restrict access - this only restricts access through the webserver - but that should be what you need. You can add authentication into this - but for most needs you can just deny all access - which hides the directory completely.

Another method that also works well together with using htaccess to deny direct access is to use htaccess in your root directory to rewrite URLs. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a PHP or other file such as:

/application/index.php?module=listItems&username=ted

The advantage of doing this is that the webserver does not give out paths to any directories, so it is much more difficult for people to hack around looking for directories.

If you want to protect a directory of images, you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to:

/application/images/image5.png

Grouchal
I also think that securing a directory with htaccess is by far the easiest and simplest way to do it. What I'm concerned about is whether there is a way for htaccess to "not work". Would there be any hosting environments that disable htaccess? (I think IIS doesn't use htaccess, so please assume that all of this would be running on Apache.)
Nikko
You're right, I can't say for certain that someone wouldn't go out of their way to disable htaccess - but I think it would be very unlikely.
Grouchal
In your average, day-to-day shared hosting account, htaccess usually works, right?
Nikko
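To make the answer above concrete, here is an added example (not code from the original answer) of the three pieces of Apache configuration involved: the deny-all .htaccess in the directory being protected, the rewrite rules in the web root, and the AllowOverride setting in the server configuration that both .htaccess files depend on. The paths /var/www/site and application/data, the hostname example.test, the image extension list and the generalisation of "listItems" to any module name are assumptions for illustration. The AllowOverride line is also the direct answer to the "can htaccess not work" question in the comments: Apache only reads .htaccess when the enclosing <Directory> block permits it, so with AllowOverride None (the default in many stock installs) the file is silently ignored and the directory is served normally; nginx and IIS never read .htaccess at all. Note too that a denied request gets a 403 rather than a 404, so the directory's existence is still observable even though its contents are not.

```apache
# === httpd.conf or the vhost file (server configuration) ===
# .htaccess is only consulted when AllowOverride permits it. With
# "AllowOverride None" every .htaccess below is ignored and the data
# directory is served like any other. "All" covers the four override groups
# used here: AuthConfig (Require), Limit (Order/Deny), FileInfo (RewriteRule)
# and Options. FollowSymLinks is required for RewriteRule inside .htaccess.
<VirtualHost *:80>
    ServerName example.test                 # assumed hostname
    DocumentRoot "/var/www/site"            # assumed web root
    <Directory "/var/www/site">
        Options -Indexes +FollowSymLinks    # -Indexes: no directory listings
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# === /var/www/site/application/data/.htaccess (the directory to protect) ===
# Denies every HTTP request for anything under data/, including a direct
# request by someone who already knows the filename. The application still
# reads and writes the directory through the filesystem; only the web path
# is closed, which is what the question asks for.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
</IfModule>

# === /var/www/site/.htaccess (rewrites in the web root) ===
RewriteEngine On
# Repeated here for shared hosts where you cannot edit httpd.conf.
Options -Indexes

# /example/listItems/username/ted -> /application/index.php?module=listItems&username=ted
# Generalised from the answer's single case: group 1 is the module name,
# group 2 the username. QSA keeps any query string the client sent.
RewriteRule ^example/([A-Za-z0-9_]+)/username/([^/]+)/?$ /application/index.php?module=$1&username=$2 [L,QSA]

# /images/image5.png -> /application/images/image5.png
# This is an internal rewrite, so the browser never sees the real path.
# The pattern is limited to image filenames so that nothing else under
# /application/ becomes reachable through this rule.
RewriteRule ^images/([A-Za-z0-9_.-]+\.(png|jpe?g|gif))$ /application/images/$1 [L,NC]
```

A quick way to confirm the override is actually in effect is to request a file you know exists under data/ after deploying the .htaccess: a 403 means Apache read the file, a 200 means AllowOverride is blocking it and the directory is unprotected.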
A: 

You could also try not placing your protected directory under your www dir but in some other, non-www-visible location. If your app needs to read/write data, tell it to do so in that other location. Modify its permissions so that only the app has the rights to do so.

nairdaen
I also thought about using this approach, but I want my app to be as idiot-proof as possible: mostly just upload + install via a web installer. If all else fails, this would be the way to go for my app.
Nikko