I have a classifieds website.

I as an administrator need to be able to remove classifieds as I wish... So I have created a very simple remove function which only requires the name of the classified.

I plan on placing it on the server ONLY when I need to remove classifieds, so it won't be there unless I upload it and plan on using it. Then I remove it when I am done.

I also plan on using htaccess to password protect it.

Is this a good plan?

And is it possible to only password protect one file on the server with htaccess? If so, how?

Thanks...

+2  A: 

You need to create a sub-directory called /admin or /remove; I don't think you can use it to secure a single file. You shouldn't need to add and remove the file when you need to, that seems like a recipe for screwing up your authorization scheme (accidentally deleting .htaccess etc.).

If you choose a strong password and good username (not admin or administrator), you should be just fine.

Byron Whitlock
+2  A: 

You've got two choices: <Location> or <Directory> in the server config (they can't be placed in .htaccess), or a .htaccess file.

<Location /admin>
   Order Deny,Allow
   Deny from All
   Allow from your.ip.addr.ess
   AuthType Basic
   AuthName "Admin page. Keep out"
   AuthUserFile /some/path/htpasswd
   AuthGroupFile /dev/null
   Require valid-user
</Location>

Location allows you to restrict by URL, which will match regardless of where the files are physically stored on the server, but also can be bypassed if you allow symlinks to be followed. Directory works the same way, but matches by physical server-side path, regardless of how the directory/file is accessed. With Location, you can specify an absolute path, including a file, to match on, if you want to restrict just the one file.

With .htaccess, you're essentially duplicating the Directory directives, but can do so without having to bounce the server to load the new configuration, at the cost of the .htaccess having to be parsed for every request.

It's best to not rely on password protection alone to secure administrative scripts, so I've added the IP address (Order/Deny/Allow directives) filter as well. Better security yet is to place the admin scripts on a completely separate domain (even if it's still hosted on the same physical server) so someone poking at random URLs on the main site won't find the administrative section.

Marc B
+1 for IP address blocking and clear example.
Byron Whitlock
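As an added example (not from either answerer), the same "password plus source address" rule applied to just the one script from a .htaccess file, which answers the single-file part of the question: <Files> is allowed in .htaccess, unlike <Location>. The script name remove.php, the htpasswd path and the 203.0.113.10 address are assumptions; the server's AllowOverride must include AuthConfig and Limit for this to be honoured.

```apache
# .htaccess in the directory that holds the admin script (constructed example).
# Only the named file is protected; everything else in the directory stays public.
<Files "remove.php">
    AuthType Basic
    AuthName "Admin page. Keep out"
    # Created beforehand with: htpasswd -c /etc/apache2/admin.htpasswd <username>
    # Keep the file outside the document root so it can never be downloaded.
    AuthUserFile /etc/apache2/admin.htpasswd

    # Apache 2.4 (mod_authz_core): the request must satisfy BOTH conditions,
    # so a leaked password alone is not enough from an unknown address.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10
    </RequireAll>
</Files>

# Apache 2.2 equivalent of the block above. 'Satisfy All' (the default) makes
# the Order/Deny/Allow filter AND the login both mandatory, matching Marc B's
# <Location> example; 'Satisfy Any' would let either one through on its own.
#<Files "remove.php">
#    Order Deny,Allow
#    Deny from All
#    Allow from 203.0.113.10
#    AuthType Basic
#    AuthName "Admin page. Keep out"
#    AuthUserFile /etc/apache2/admin.htpasswd
#    Require valid-user
#    Satisfy All
#</Files>
```

Check the result with two requests: one from the allowed address with valid credentials (expect 200) and one from any other address with the same credentials (expect 403), so you know the address filter is really being enforced and not just the password.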