0

My site is based on Magento and I want to know how I can stop someone from accessing my server through the URL bar like this:

www.mydomain.com/skin/

If someone types this in the URL bar, it opens up my server files etc., which is not secure. The file permission for this SKIN folder is 755 in my cPanel.

The other folder is the VAR folder. Its file permission is also 755, but we cannot access it through the URL bar like this: www.mydomain.com/VAR/

as it gives this:

Forbidden

You don't have permission to access /var on this server.

I want the same for my SKIN folder too, but when I change the permission of the SKIN folder to 644 my site's CSS files do not load and the site comes up all messed up. If I make it 755 the site is super fine, but the directory is accessible through the URL bar.

How can I keep the 755 permission on the SKIN folder while making it not accessible through the URL bar?

Usman Khan
    Use .htaccess http://stackoverflow.com/questions/4610524/htaccess-to-restrict-access-to-folder – hounded Aug 11 '15 at 19:32

3 Answers

1

You should not turn off access to /skin. If you do, your site will not render any of its frontend content. You can, however, turn off directory indexing if you're trying to keep people from seeing what's in the directories. See "How do I disable directory browsing?".

Note, however, that if you are trying to hide something from people browsing your site the /skin directory is the wrong place to put it.

Community
Kevin Schroeder
  • This site is also based on Magento: https://www.transfashions.com. See here, his skin folder is not accessible and the site is rendering fine: https://www.transfashions.com/skin/ – Usman Khan Aug 12 '15 at 20:20
  • That's because they are doing exactly what I noted above :-). The /skin directory is accessible; there are /skin contents on the page to test this against. However, they disabled directory browsing, as noted in my answer, which gives the 403 when looking at the directory. Another thing they do is use CSS/JS concatenation which puts the CSS/JS in the writable /media directory instead of /skin. But /skin is still accessible, but not browsable. – Kevin Schroeder Aug 12 '15 at 22:59
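
The distinction drawn in the answer and comment above (files under /skin stay accessible while the directory itself is not browsable) can be checked after changing the configuration. The following is an added example, not code from any of the posters; the host `example.test`, the asset path `/skin/frontend/styles.css` and the sample responses are constructed assumptions.

```python
import re
import urllib.error
import urllib.request

# Markers of an Apache mod_autoindex page (title and heading start with "Index of /").
LISTING = re.compile(r"<title>\s*Index of /|<h1>\s*Index of /", re.I)

def classify_dir(status, body):
    """Classify the response to a request for a directory URL such as /skin/."""
    if status == 200 and LISTING.search(body):
        return "listing-exposed"      # autoindex is on: contents are browsable
    if status in (403, 404):
        return "not-browsable"        # e.g. Options -Indexes and no index file
    if status == 200:
        return "index-file-served"    # an index.html/index.php answered instead
    return "other"

def http_fetch(url):
    """Real fetch for live use; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return r.status, r.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")

def audit(base, directory, asset, fetch=http_fetch):
    """Pass only if the directory is not listed AND a file inside it still loads."""
    dir_state = classify_dir(*fetch(base + directory))
    asset_status, _ = fetch(base + asset)
    return {"directory": dir_state,
            "asset_ok": asset_status == 200,
            "pass": dir_state != "listing-exposed" and asset_status == 200}

# Constructed sample responses (not captured from any real site).
BEFORE = {
    "/skin/": (200, "<html><head><title>Index of /skin</title></head>"
                    "<body><h1>Index of /skin</h1></body></html>"),
    "/skin/frontend/styles.css": (200, "body{margin:0}"),
}
AFTER_NO_INDEXES = {
    "/skin/": (403, "<h1>Forbidden</h1>"),
    "/skin/frontend/styles.css": (200, "body{margin:0}"),
}
# Directory made unusable for the web server (the 644 case): CSS breaks too.
AFTER_DENY_ALL = {
    "/skin/": (403, "<h1>Forbidden</h1>"),
    "/skin/frontend/styles.css": (403, "<h1>Forbidden</h1>"),
}

def fake(site):
    """Offline stand-in for http_fetch backed by a dict of constructed responses."""
    return lambda url: site[url.replace("http://example.test", "")]
```

Against a live site, call `audit("https://your-host", "/skin/", "<path to a known CSS file>")` with the default fetcher; the result should show the directory as not browsable and `asset_ok` as true.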
1

Your .htaccess file rewrite rule is not working.

I had the same issue and I fixed it the following way.

If your Apache version is > 2.2, then:

Open .htaccess and, around RewriteEngine on, find

    Options +FollowSymLinks

and replace it with

    Options +FollowSymLinks -Indexes

hakan
-1

One relative solution is to create an index.html file in your skin folder. Now your skin folder won't be directly accessible.

We can also prevent directory listing with .htaccess, like the var folder. But if you do it with .htaccess then your skin files won't be accessible. So the better option is to create an index.html or index.php file with an appropriate error message.

Hope it helps :)