2

When I browse to my website and I do inspect element in google chrome, by selecting sources tab I can get list of all folders of my website. Infact, I get their original name and I can download whole website code.

I just want to hide true folder name as people can use that folder name to browse internal website

How can I prevent this? I have already listed Options -Indexes in .htaccess file.

I am working on Joomla and using Amazon EC2 Ubuntu Server so I have full control over server.

Edit: Thanks to Pt. Raman Sharma and LaughingQuoll. I don't really want to hide css or js. I just want to hide true folder name as people can use that folder name to browse internal website

Edit: My .htaccess file:

IndexIgnore *
Options +FollowSymlinks
Options -Indexes
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F]
RewriteBase /
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
Himanshu Shankar
  • 735
  • 1
  • 6
  • 24
  • This sounds like there is a miss conception here: you certainly do not have any means to somehow hide the code from users who need the code, obviously since without the code they cannot see/user your offer. Think of it this way: you publish something. You cannot on the one hand publish something and on the other hand not allow people to look at it. _However_: there is absolutely no reason why the URLs you hand out should reflect your internal file structure, in contrary. The URLs you publish should _not_ make your file system accessible. That is what routers/controllers are for. – arkascha Dec 04 '15 at 10:35
  • That's what exactly I want to do. I want to prevent "real folders" name from being reflected and hide my original internal file structure @arkascha – Himanshu Shankar Dec 04 '15 at 10:37
  • Then do it. Your application should use a router to map request paths to actual resources. And you should take a look at URL rewriting. – arkascha Dec 04 '15 at 10:39
  • I am already using URL rewriting. And it works perfectly. But if I take a look at Sources (in chrome by using INSPECT), it lists original folders name where css and js files are present! @arkascha – Himanshu Shankar Dec 04 '15 at 10:40
  • You want to think again about that last statement you made... It is you how setup the rewriting rules. You can change them. _Do it_. – arkascha Dec 04 '15 at 10:41
  • I checked setting. I am using Joomla and I have enabled URL Rewriting from there. And in URL I don't get original folder name when I browse. @arkascha – Himanshu Shankar Dec 04 '15 at 10:46
  • I have added my htaccess file to post! @arkascha – Himanshu Shankar Dec 04 '15 at 11:03

3 Answers3

2

It should only display your css html and JS. These are front end platforms. Your backend like PHP and MYSQL are still hidden. So don't worry about these front end visibility.

Pt. Raman Sharma
  • 309
  • 1
  • 4
  • 15
  • But still I looked at some other websites. They generated some random folder name. I just want to hide true folder name as people can use that folder name to browse internal website – Himanshu Shankar Dec 04 '15 at 10:33
  • Then in Joomla, create robot.txt and disallow robots to check your directories. Check this for more details on robot.txt in joomla https://docs.joomla.org/Robots.txt_file – Pt. Raman Sharma Dec 04 '15 at 10:39
2

CSS and JS links cannot be hidden. Basically because they are used to display the page and anyone can just root back to the file origin (that is what Google chrome does). So in no way could it be hidden. Besides if you do CRT + S you can save the webpage CSS and the JS.

  • But still I looked at some other websites. They generated some random folder name. I just want to hide true folder name as people can use that folder name to browse internal website – Himanshu Shankar Dec 04 '15 at 10:34
  • @iamhssingh then simply generate a random 8 character string. Create a folder with that name in your root directory and place the CSS and JS in that folder. That way they only see http://example.com/sJsdhYhd/CSS.css –  Dec 04 '15 at 10:39
  • I can't move all css and js in that manner. They are as per Joomla! – Himanshu Shankar Dec 04 '15 at 11:04
2

I hope I've understood your question correctly, if so, there isn't an easy answer on what you're asking. In this question they explain how to hide the developers tools this should be a good starting point for your goal:

Just to be clear: trying to block hackers client-side is a bad idea in general; this is to protect against a specific social engineering attack.

If you ended up in the test group and are annoyed by this, sorry. I tried to make the opt-out page as simple as possible while still being scary enough to stop at least some of the victims.

The actual code is pretty similar to @joeldixon66's link; ours is a little more complicated for no good reason.

Chrome wraps all console code in

with ((console && console._commandLineAPI) || {}) {
  <code goes here>
}

... so the site redefines console._commandLineAPI to throw:

Object.defineProperty(console, '_commandLineAPI',
   { get : function() { throw 'Nooo!' } })

This is not quite enough (try it!), but that's the main trick.

Community
  • 1
  • 1
IlGala
  • 3,331
  • 4
  • 35
  • 49
  • Thanks @iamhssingh if this or any answer has solved your question please consider [accepting it](http://meta.stackexchange.com/q/5234/179419) by clicking the check-mark. This indicates to the wider community that you've found a solution and gives some reputation to both the answerer and yourself. There is no obligation to do this. – IlGala Dec 04 '15 at 10:49
  • 1
    I read the post but that is not the solution. It is useful so I will upvote it. – Himanshu Shankar Dec 04 '15 at 10:51