How to prevent to access this folder in url

jemz · November 8, 2014, 3:55am

Hi, I need some help please is it possible not to access my subdirectories in the url

parent folder ->project/web

under web folder I have sub folders like js folder,fonts folder and etc…,Is it possible not to access this in the url I don’t want the user to guess my subfolder like this /project/web/fonts.

Thank you in advance.

metho · November 8, 2014, 6:04am

.htaccess

Options -Indexes

dklynn · November 14, 2014, 10:03pm

jemz,

Options -Indexes will only prevent Apache from displaying the folder’s contents (if a file is not found - an easy way for hackers to learn about your server is to request a file which is not there, e.g., abc.xyz).

To not process requests made to a directory, though, depends upon what’s in the directory and how it’s accessed. http requests can be rejected by moving the folder above the DocumentRoot but that would mean it cannot be accessed by your files, too (they would have to be “include()-ed” within your scripts).

The best way (and this would NOT be sufficient) would be to use .htaccess in the subdirectory to examine the {HTTP_REFERER} (notoriously unreliable because it’s easily spoofed) to prevent access except from your own website.

Generally speaking, what’s online to be displayed can be seen by any visitor. Encrypting a website is a fools errand (IMHO) so my advice is to only be paranoid about files that contain “sensitive” information (MySQL logins, passwords and the like) and handle those by relocating them outside your webspace.

Regards,

DK

metho · November 15, 2014, 5:39am

Quite incorrect. Not only prevents apache listing contents, but also in the event that a blank default document is not present a 403 error is sent else a blank page will display. It will also stop search engines from indexing the contents of your site folders.

@jemz: if users want the path to your font files or other resources, it’s far easier to inspect the html source than making guesses.

DinoTheDinosaur · November 16, 2014, 1:51am

If you have something really sensitive, consider creating a directory outside of your webroot.

AFAIK, the only way someone can access items in a directory outside of the webroot is if they gain access to your server, otherwise they cannot access it via any HTTP request.

system · February 15, 2015, 9:05am

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.