
Protecting Files on your Apache Server with “.htaccess” October 16, 2011

Posted by Tournas Dimitrios in Uncategorized.

So you have finished your website and uploaded all files to your hosting server's public directory. By default Apache serves the “index.html” or “index.php” file if no file is specified in the URL. Pointing your browser to “http://yourdomain.com” will return the index file (usually the home page). If no index.[html | php] is available, the server will list all files and directories in the root directory. A hacker could map the directory structure of your website simply by viewing the HTML source of a page and then trying to display the content of plain text files (txt, js, ini, xml, ...).

Exposing the content of every plain text file on our server to the public is a HUGE security risk, so we have to restrict access to these files. A developer could of course create empty index.[html | php] files in each directory to prevent directory listing, but a simpler method is to define a directive in the “.htaccess” file.

Open .htaccess and paste the following directives:

Options -Indexes
# Deny access to files with these extensions (the pattern is case-sensitive)
<FilesMatch "\.(sqlite|xml|ini|txt|csv|js)$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied"
    Deny from all
</FilesMatch>

The first directive (Options -Indexes) disables directory listing, while the second restricts access to all files with these specific extensions (sqlite, xml, ini, txt, csv, js). Be very careful about the restrictions you define; for example, including “js” in the list may break some jQuery plugins. After each change to the .htaccess file, test extensively.
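As an added check (not part of the original post), the following Python script applies the FilesMatch pattern to a constructed list of file names offline, approximating Apache's case-sensitive regex match on the file's basename with Python's re module. It compares the pattern as first typed (with stray spaces around js) against the corrected one, so you can see which files each version actually denies, and which sensitive files slip through, before deploying.

```python
"""Offline dry-run of a FilesMatch pattern against sample file names.

Constructed example: Python's re module stands in for Apache's PCRE
matching, which is applied to the basename only and is case-sensitive.
"""
import re

# Pattern as it was first typed into the snippet (note the spaces around js)
ORIGINAL_PATTERN = r"\.(sqlite|xml|ini|txt|csv| js )$"
# Corrected pattern without the stray spaces
FIXED_PATTERN = r"\.(sqlite|xml|ini|txt|csv|js)$"

# Constructed sample of files that might live in a public web directory
SAMPLE_FILES = [
    "index.php", "config.ini", "database.sqlite", "sitemap.xml",
    "robots.txt", "export.csv", "jquery.min.js", "readme.TXT",
    "app.js.bak",
]

SENSITIVE_SUFFIXES = {"sqlite", "xml", "ini", "txt", "csv", "js"}


def denied_files(pattern, filenames):
    """Return the file names a FilesMatch block with `pattern` would deny.

    FilesMatch tests the basename, so any directory part is stripped first.
    """
    regex = re.compile(pattern)
    return [f for f in filenames if regex.search(f.rsplit("/", 1)[-1])]


def still_exposed(pattern, filenames, sensitive_suffixes):
    """Files whose (case-folded) extension is sensitive but are not denied."""
    denied = set(denied_files(pattern, filenames))
    return [
        f for f in filenames
        if f.lower().rsplit(".", 1)[-1] in sensitive_suffixes and f not in denied
    ]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_PATTERN), ("fixed", FIXED_PATTERN)):
        print(f"{label}: denied  = {denied_files(pattern, SAMPLE_FILES)}")
        print(f"{label}: exposed = {still_exposed(pattern, SAMPLE_FILES, SENSITIVE_SUFFIXES)}")
```

Note that the original pattern silently fails to cover jquery.min.js, that readme.TXT escapes both versions because the match is case-sensitive, and that robots.txt is denied by both, which is probably not what you want.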

