6

Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript etc.

I used an .htaccess file in my images directory that contained

deny from all

to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.

I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.

Also, is using .htaccess files even the best way to secure a site?

Starkers
  • 1
    If you reference your images in your HTML code with `/images/something.png` then the user must have access to it to display it. – cheesemacfly Mar 12 '13 at 19:54

2 Answers

13

To prevent someone from viewing your images directory, you need to disallow directory listing. http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/

You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.

`Options -Indexes` will prevent people from listing files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/

For securing data from being viewed by people who shouldn't see it, you can use authentication. You can set up a login field with htaccess, or script one with, for example, PHP or Python.

Login script with htaccess: Script: http://www.htaccesstools.com/htpasswd-generator/ Password file: http://www.htaccesstools.com/htaccess-authentication/

ivodvb
  • Thanks, Options -Indexes is good for stopping people from entering directories. However, they can still access files if they know the path, which I want to prevent them doing. Is there any way to achieve this without using the login script? I mean, it's only the source code that is accessing the files, not a group of users. How would this work with a cron job? – Starkers Mar 12 '13 at 20:11
  • There is no way to prevent direct access to the files, because direct access is needed to even show the image.. Do you want to prevent hotlinking? Because that's possible.. Please see http://altlab.com/htaccess_tutorial.html and for a generator: http://www.htaccesstools.com/hotlink-protection/ – ivodvb Mar 12 '13 at 20:12
0

You can prevent access to any directory you want:

Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)

<Directory "c:/wamp/www/directory_A/">
    Options -Indexes
</Directory>

In this case you can access the www directory but can't get inside directory_A. Or:

<Directory "c:/wamp/www/directory_A/uploads/">
    Options -Indexes
</Directory>

In this case you can access the 'directory_A/' directory but can't get inside 'uploads/'.
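Added example (not from the question or either answer): a server config that treats browser-fetched assets differently from server-only scripts, which is the distinction the question turns on. The `/var/www/example/...` paths and `nightly.php` are hypothetical placeholders.

```apache
# Added example; all paths below are hypothetical placeholders.
# Place in httpd.conf or a vhost file. The same directives work in a
# per-directory .htaccess (without the <Directory> wrapper) when
# AllowOverride permits them.

# images/ (likewise css/, js/): the visitor's browser requests these files
# itself, so they must stay readable over HTTP. Only switch off the
# auto-generated directory listing.
<Directory "/var/www/example/images">
    Options -Indexes
</Directory>

# scripts/: PHP files that are only include()d by other PHP code or started
# by cron. Those reads go through the filesystem, not through Apache, so
# refusing every HTTP request for this directory does not break them.
<Directory "/var/www/example/scripts">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax (the "deny from all" used in the question)
        Order allow,deny
        Deny from all
    </IfModule>
</Directory>

# The nightly job keeps working only if cron runs the PHP interpreter
# directly, for example with this (hypothetical) crontab entry:
#   0 2 * * * php /var/www/example/scripts/nightly.php
# A job that fetches the script's URL with wget or curl is an HTTP request
# like any other and would receive 403 Forbidden.
```

Moving server-only scripts outside the document root gives the same result without depending on any access rule being loaded.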