Files on server security

serecarteren · October 5, 2010, 5:07pm

Hi,
This has been bothering me for a while, How to stop the ability to access files on the public HTML eg: url/images, url/assets, url.css . Hope I am explaining ok, do not want visitors to enter url followed by either /images, /assets , /css and view these complete files.

wwb_99 · October 8, 2010, 5:41pm

Well, you didn’t say all that now . . .

Karl · October 8, 2010, 6:02pm

Well it didn’t sound like the OP was running their own server

Karl · October 8, 2010, 1:03pm

Hi,

My 1st method will work for all web servers, the 2nd method should (depends on your host) work if you’ve got Apache based hosting.

Thanks,

serecarteren · October 7, 2010, 6:48pm

Hi guys,
Thanks for your help, i want to be able to lock out the the folders housing my assets, images, css, js, menu and any other folder used to store files or documents, and only allowing access via a link for a particular image and not have the situation where they can input url\image and view the complete folder. ‘Trying hard to explain properly’ . eg link to url\image\photo1.jpg is ok but url\image to view the complete contents of the folder is not ok.

serecarteren · October 10, 2010, 5:42pm

The webhost i use, runs a Linux server

wwb_99 · October 7, 2010, 8:38pm

Ok, you want to turn off directory browsing. Not sure what you are running on and how to fix . . .

rpkamp · October 5, 2010, 10:54pm

But you want people to see/use those files on your website right?
If so, you need to check the HTTP_REFERER in a .htaccess file and deny access if the referrer is not your website.
A tutorial is here: http://altlab.com/htaccess_tutorial.html

Note: since HTTP_REFERER can be spoofed by users this method is not 100% foolproof, but it’ll work in the majority of cases.

wwb_99 · October 8, 2010, 4:38pm

^^^Not exactly. Wouldn’t work on IIS out of the box as index.html isn’t in the default documents list. Ok, it might be there on 7 or 7.5, haven’t looked yet . . .

Karl · October 8, 2010, 5:40pm

Not out of the box no, but I’d wager 90%+ of hosts using IIS have it in there to prevent support tickets asking why it doesn’t work

Karl · October 7, 2010, 2:46pm

Hi,

Do you mean you don’t want them to be able to directly link to the files? Or that you don’t want them to see a list of them when they go to /images for example?

If the latter then there are two options:

Create an empty index.html in the directory

or

If you’re running Apache, create a .htaccess file in the folder (or even in the root of your website to apply to all sub folders) with the following in it:

Options -Indexes

Thanks,