
I have got a contact form on my website with a file attachment as well, which has been restricted to pictures only. However, if I type in example.com/uploads/, all the files are accessible by anyone. Is .htaccess the best way to hide it? Also, how could I do that in a safe manner, without messing up the contact form?

I have tried this, but it blocks the whole website:

deny from all
<Files ~ “^w+.(gif|jpe?g|png)$”>
order deny,allow
allow from all
</Files>
MrWhite
Sugafree
  • What do you do with these pictures after upload? If they are being displayed on a webpage, they will need to be publicly available. – gregnr Mar 21 '15 at 23:55
  • No, it should only be accessible through ftp to the owner of the website – Sugafree Mar 22 '15 at 00:06

2 Answers


if I type in example.com/uploads/ all the files are accessible

You mean you get a directory listing? This can be disabled in .htaccess:

Options -Indexes

To actively block all HTTP requests for files in the /uploads directory (since you state in comments that these are only ever accessed over FTP), all you need is (in your root .htaccess file):

RewriteEngine On
RewriteRule ^uploads - [F]

This will respond with a 403 Forbidden for all requests that start /uploads.

MrWhite
  • I have tried this one as well, but it does not do anything. I placed the htaccess in the root folder. – Sugafree Mar 22 '15 at 10:06
  • This would need to go towards the start of your .htaccess file, before other mod_rewrite directives - to avoid any conflict. (Also, this won't work if you have already put a .htaccess file - with mod_rewrite directives - in the `/uploads` folder itself (as in the other answer), unless you also have `RewriteOptions inherit` set in that .htaccess file.) – MrWhite Mar 22 '15 at 11:59

Just to block access to example.com/uploads/ you can place this rule in /uploads/.htaccess:

RewriteEngine On
RewriteRule ^/?$ - [F]
anubhava
  • This one actually does the job, but how easy would it be to rewrite my htaccess file? Can I block that from being rewritten, as it is in the upload folder and not hard to find? – Sugafree Mar 22 '15 at 10:07
  • No one can overwrite your .htaccess unless you have some code level vulnerability. By default Apache blocks any web request to `.htaccess` – anubhava Mar 22 '15 at 10:12
  • Also, if it worked out, you may mark the answer as accepted by clicking on the tick mark at the top-left of my answer. – anubhava Mar 22 '15 at 10:27
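
The two rules from the answers above cover different sets of URLs. The following is an added example, not code from either answer: a simplified Python model of per-directory RewriteRule matching that shows which request paths each rule answers with 403. The sample paths and the names `RULES`, `is_forbidden` and `report` are constructed for illustration.

```python
import re

# Simplified model of how mod_rewrite tests a RewriteRule in .htaccess
# (per-directory) context: the prefix of the directory holding the .htaccess,
# up to and including the trailing slash, is stripped from the URL path
# before the pattern is applied. Only the [F] flag is modelled; RewriteCond,
# inheritance between .htaccess files and other modules are out of scope.
RULES = {
    # name: (URL prefix of the directory holding the .htaccess, pattern)
    "root": ("/", r"^uploads"),          # first answer, root .htaccess
    "uploads": ("/uploads/", r"^/?$"),   # second answer, /uploads/.htaccess
}

# Constructed sample request paths.
SAMPLE_PATHS = [
    "/index.html",
    "/uploads/",
    "/uploads/photo.jpg",
    "/uploads/sub/",
    "/uploads-old/a.png",
]


def is_forbidden(rule_name, url_path):
    """Return True if the named rule would answer url_path with 403."""
    prefix, pattern = RULES[rule_name]
    if not url_path.startswith(prefix):
        return False  # that .htaccess is not consulted for this path
    return re.search(pattern, url_path[len(prefix):]) is not None


def report():
    """Map each sample path to the verdict of both rules."""
    return {p: {name: is_forbidden(name, p) for name in RULES}
            for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, verdict in report().items():
        print(f"{path:20} root={verdict['root']!s:5} "
              f"uploads={verdict['uploads']}")
```

In this model the rule in /uploads/.htaccess forbids only the directory URL itself, so a file such as /uploads/photo.jpg is still served to anyone who requests it by name, while the root rule forbids every path that begins with /uploads, including a sibling like /uploads-old/.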