Trying to deny to direct access to a json file, tried:
RewriteRule ^(api/|category\.json) - [F,L,NC]
but not working.
I used this file for an ajax call but i don't want anyone can access to this file directly.
$.ajax({
type: "POST",
dataType: 'json',
url: 'api/category.json',
success: function(data){
$.each(data, function(i,v) {
// do something
});
Wondering is there any method to do this? via htaccess or httpd.conf or etc?
AFAIK, if you can access the file with an HTTP GET command, which you'd have to do with the Ajax call, then you can also access the file and download it directly.
Sorry.
However, you can at least configure the Apache server to not allow direct indexing of that directory. Search for the "Options" directive in the httpd.conf file, and if it has an "Indexes" tag, either remove it or prepend a minus sign, e.g.,
Options -Indexes
That way, at least people won't know the file is there just by remotely perusing the directories.
You can "minimize" your Javascript file (the one containing your Ajax call) by removing all comments and whitespace. Search the web for tools that do this. Because, if somebody can read your Javascript, they can see exactly that your Ajax is fetching "api/category.json"; then of course they can too.
They still can read the "minimized" script anyway, plus there are tools to "de-minimize" it, but it may be enough trouble so that most people won't bother.
I'd suggest you try to avoid putting any really deep dark secrets in that file, because, bottom line, if your Ajax can fetch it, so can anybody else.
Related
I know .htaccess is not the best way to do this, but I don't have access to other server settings.
- index.php (root)
-- scripts (folder)
--- someScript.php (one of the scripts)
So let's say I have an index.php file that lives at the root of the server, that file makes ajax requests to a script in a folder scripts, If a user types in the search bar domain.com/scripts/ he now has access to that folder (I don't know if they can be downloaded from there or not).
I know I can use options -Indexes but this still allows users to go directly to a script if they now the name of it, which is not hard to find or even guess?
The second option I know about is
<Files ~ "\.txt$">
Order allow,deny
Deny from all
</Files>
But this stops everything from accessing the file, even the ajax requests.
So, my question is, should I protect these files somehow ? Can the user see their content or download them, are there security risks ?
should I protect these files somehow?
Well, you can't really, not if they are to be requested by the client (browser AJAX request).
It's usual to send a custom HTTP request header when calling a script via AJAX (client-side), so the script knows how to respond to such requests and return the appropriate response. Whilst this provides no "security", it does prevent casual requests to that script from doing anything.
Can the user see their content or download them, are there security risks ?
The example you gave is of a PHP script. Any direct request will only see its output, not necessarily its contents.
The only security risks are what you make. If an arbitrary request to that script returns a list of all active users and personal information then yes, that's obviously a security risk. But if the response is empty and no harmful event happens as a result of calling that script then it's a non-issue.
I am able to reach my website at a certain ip address and I am going to implement a REST service. I have some PHP files that perform actions on a database and I am calling them from the client. I am using linux ubuntu as server and so far I can do this:
http://xxx.xxx.xxx.xxx/api/create/?id=someId&val=someValue
http://xxx.xxx.xxx.xxx/api/delete/?id=someId
I can do the above because inside /var/www/html I have a folder called api that contains another folder called create. The create cointains the file index.php so that I can omit it and execute the URL you can see above.
This works fine but I don't think this is the proper way to do it. I am new with this so I don't know what to do. After some researches I have found that my goal probably be achieved using an .htaccess file use url rewriting but I am not sure.
How can I do this? Do I have to place all the php files in a single folder and then use an htaccess file? (^)
(^) To be more precise: instead of having this
http://xxx.xxx.xxx.xxx/api/create/index.php?id=someId&val=someValue
http://xxx.xxx.xxx.xxx/api/delete/index.php?id=someId
//and so on with other actions...
Do I have to create a folder like
http://xxx.xxx.xxx.xxx/files/
containing all my php files (create.php, delete.php, view.php...) and the use an htaccess to redirect?
I see that websites offer their api using www.domain.com/api/something/?data=Value or www.domain.com/api/something/dataAbout/. Are they doing what I have said about the .htaccess? I hope I have well explained my problem.
htaccess:
RewriteEngine On
RewriteRule ^api/([\w-]+)/?$ files/$1.php [L,NC]
This is inside /var/www/html and I have api inside /home/username/api .
Thanks Emma
Do it like this:
Create php files in a folder files/ subdirectory as create.php, delete.php, view.php etc (by renaming each individual index.php file, you mentioned).
Move away api directory somewhere outside site root.
Once that is done use following .htaccess file in /var/www/html/:
RewriteEngine On
RewriteRule ^api/([\w-]+)/?$ files/$1.php [L,NC]
Then use new URLs as:
http://xxx.xxx.xxx.xxx/api/create?id=someId&val=someValue
http://xxx.xxx.xxx.xxx/api/delete?id=someId
In first, this is not the right way to create a RESTFUL API. My suggestion is to you read a best practices article.
You shouldn't create a CREATE and DELETE folder. You should use HTTP actions.
To create a new record you should use POST. In example, POST /user and in the body you pass the user's information.
In another example, you could use the same route by using different HTTP methods: DELETE /user/1 to delete a user and PATCH /user/1 to edit some already existent user's information.
Hope it's help you.
I hope I didn't miss any question related to this while scanning the website. So I am completing a small project written in PHP. My core files are in a single directory (includes) where I want to prevent directory listing and user access. Deny from all rule in HTACCESS file (placed in root of concerned directory) works for disabling the direct access but my forms also don't work when I add an HTACCESS file with this code.
Please note that I have some files. Some of these files process the data received via $_POST and $_GET so I want to allow internal server requests on files in protected directories. How can I get these results? Please help.
This link might help you:
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html
To quote from the top of the page:
In general, access restriction directives apply to all access methods (GET, PUT, POST, etc). This is the desired behavior in most cases. However, it is possible to restrict some methods, while leaving other methods unrestricted, by enclosing the directives in a section.
So basically the final answer that will help you is found here:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
Hope this helps.
I have several audio files that I don't want to allow anyone else to gain access to them. Each file is in a separate folder inside a main folder, that I'll call "download" for now. So "download" has several other directories, and inside each directory are audio files. Those audio files are played with in a web app on the system.
The problem is that right now anyone can type in the full address of the file localhost/download/dir/sound.wav and play the audio file. This is what I want to prevent from happening, I want those files to only stream when they are access or streamed from our application.
I tried the following on the .htaccess file
deny from all
This just returned an 403 forbidden page, but i was unable to stream the file from within the application
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]
This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access
Finally I'm using AJAX to call the script that holds the files to be streamed; are there any options I can use?
It is impossible to prevent the user from accessing those files
In order to hear them they have to be downloaded to the user's computer and that means that they have to be accessible!
The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm. In the end you gonna find out that you just wasted a whole lot of processing time and in fact slowed down your application!
There is just one problem: how is server supposed to detect who has requested your media - application or some other system, just using similar protocol?
But if you just want to prevent simplest http request to you media, you could involve some token exchange system, e.g. your application sends request for media in certain format, server sends token for accessing certain file, and then your application may access special (say php) script supplying it with token, script returns your sound stream. This way, media can be forbidden to be accessed from outside world and only will be accessed by you own server-side php script.
Then in order to gain access to media file user would need to know your existing token or your exchange protocol which eliminates random users accessing your media at will. However, as you have been told before there is probably no way to protect against 'educated users'.
One possibility would be to:
Add an apache rewrite directive on that download folder to route all requests to a php script instead that takes the file requested as a parameter.
Create this script (say sound.php) in your application which takes that file path as a get parameter. This script can output the correct http headers to indicate that the type of data is wav or whatever you want. Then check some cookies or a token or similar, and output the content of the restricted file directly (see readfile) only if the user is valid.
I need to protect a site that has a ton of static .html files. The standard .htaccess scheme doesn't meet the requirements.
Is there a way to specify an .htaccess style of password protection with a custom handler? That is I need to write the code to determine if the user is allowed or not, but I don't want to modify a million .html files all over the place.
Thanks!
Maybe. It depends on what modules are loaded on your web server. Your options will range from keeping a simple list of users in a flat file, to keeping them in a database and customizing the queries.
http://httpd.apache.org/docs/2.2/howto/auth.html
Another option - just brainstorming here - is to use something like mod_rewrite to redirect the calls to the physical file to something like a PHP script that can manage the user/password authentication for your, and if authenticated, go out and load the html file that was requested. So calls to www.some.com/10203.html actually get directed to www.some.com/auth.php?10203.html, which would control access to that underlying html file. That would of course require mod_rewrite to be installed, which is pretty common even for shared hosting environments.