Web Hosting Reviews and Tutorials

Q&D Folder Restriction (security)

by WHRKIT on January 22, 2005

Applicable to: Systems utilizing Apache

There are a few solutions to the problem of preventing errant visitors from viewing folders (and their contents) that lack an index file.

The solution below is one that I’ve found to be elegant and easy to implement. In addition, you can write a nice “error” message if you wish, and it can save considerable space and time.

It relies on Apache’s DirectoryIndex directive.

****

1.) Add the following line to your .htaccess file:

DirectoryIndex index.shtml index.htm index.html index.cgi index.php /restrict.html

2.) You may list in that line any file names that your particular system has been set up to look for by default, provided you know they are absent from the folder(s) you don’t want to be viewable.

* See Notes Below

3.) Next, create a “restrict.html” file in the same folder as the .htaccess file (unless you change the path in the line above), and populate it with whatever message you want an errant visitor to see, such as:

Sorry! You are not authorized to view this directory’s contents. Contact: webmaster@yoursite.com

4.) What all of the above does: when a user types in the address of a folder that does not contain any of the files you specified in the .htaccess line, or specifically types in one of the specified files (which isn’t there), Apache will serve them the restrict.html file instead. If the user typed in a /folder/filename that IS there, it will of course be rendered.

****

* Notes:

By “any file name that your particular system has been set up to default to”, I mean that our esteemed system administrators have most likely configured the web server to look for one or more default file names, in a particular order, when no filename is typed in the URL (for example, your URL without “index.htm” appended: http://www.yourdomain.com/).

For example, the order might be:

index.htm -> index.html -> default.htm -> index.shtml

So then:

User types in “www.yourdomain.com/fred/” ->
System looks for /fred/index.htm
If the system finds it, it gets rendered in the users browser ->
If the system doesn’t find it, it next looks for /fred/index.html
If the system finds it, it gets rendered in the users browser ->
If the system doesn’t find it, it next looks for /fred/default.htm
If the system finds it, it gets rendered in the users browser ->
If the system doesn’t find it, it next looks for /fred/index.shtml

And so on, until it either finds one of its default filenames – or – finds none of its default filenames and then either presents a 404 error page – or – displays the contents of the /fred/ folder for all the world to see.
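To see which folders on a site would fall through that lookup order (and so end up at /restrict.html, or at a listing if the fallback is ever removed), here is an audit script added as an example; it is not part of the original article. It assumes a POSIX shell with find(1), takes the DirectoryIndex names from the line in step 1, and the demo tree at the end is constructed for illustration.

```shell
#!/bin/sh
# Audit helper added here (not from the article): given a document root and the
# DirectoryIndex candidates in the order Apache tries them, report every folder
# that contains none of them. Those are the folders that fall through to
# /restrict.html (or, without that fallback, to a listing or a 404).
# Assumes a POSIX shell with find(1); pass the root without a trailing slash.

# Mimic the lookup order from the notes: print the first candidate that exists
# in directory $1 and return 0, or print nothing and return 1 if none exists.
resolve_index() {
    idx_dir=$1
    shift
    for candidate in "$@"; do
        if [ -f "$idx_dir/$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Print each directory under $1 (as a path relative to the root, with a trailing
# slash) that has none of the index files given as the remaining arguments.
find_unindexed_dirs() {
    root=${1%/}
    shift
    find "$root" -type d | sort | while IFS= read -r d; do
        if ! resolve_index "$d" "$@" >/dev/null; then
            printf '%s\n' "${d#"$root"}/"
        fi
    done
}

# Constructed demo tree: only /pub has an index file, so / and /fred fall through.
demo=$(mktemp -d)
mkdir -p "$demo/fred" "$demo/pub"
: > "$demo/pub/index.php"
find_unindexed_dirs "$demo" index.shtml index.htm index.html index.cgi index.php
rm -rf "$demo"
```

Every folder the script prints is one where the restrict.html fallback is doing the work, so run it again after adding or removing files to confirm nothing has become listable.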

Addendum:

Use the tutorial above, and just make the restrict.html file like your home page, except replace the body content with the “Sorry, you are not authorized…” message. This way, folks will still have all the navigation structure that you have in your home page.

As well, this way you won’t have duplicate “site map” pages.

Make sure to use full URLs rather than relative paths in any links, images, etc., though.

****

We hope you find this helpful.

***

By John Bates © 2003 http://www.mordesigns.com

About the Author:

John Bates is the owner of MOR Designs. He is a Super Moderator at the IHelpYou Forums as well as an administrator of the WebSavvy Smart Search! Directory.

For more articles by John and others please visit: http://www.mordesigns.com
