3

I have below directory structure in my website,

/public_html /public_html/admin/ /public_html/admin/js/ /public_html/admin/css/ ....

Basically I want to disallow all direct access to files inside sub folders of /admin, like not allow to access js inside /js/ folder directly but allow it to access from my php page

I added .htaccess file with below code inside /js/ folder,

Order deny,allow Deny from all

so it is good that it won't allow me to access via browser directly !

BUT when I try to access index.php page in which files of /js/ folder are included using tag, it is not loading up.

So can anyone help me out !

Thanks in advance.

Improve this question
0

3 Answers 3

Reset to default
3

You are not accessing it "from your PHP page". The web server is either serving a request or it isn't. When you load your "PHP page" in a browser, the browser will then go out and request all the Javascript, CSS and image assets linked to from your page. Each of these will be a separate HTTP request to the web server. The web server has no context that this HTTP request is because the asset is linked to from "your PHP page", that's completely irrelevant to it. You can either get the file from the server using an HTTP request, or you can't. And by setting Deny from all, you can't.

You'd have to funnel all requests through a PHP file which checks the login information and only serves the file if the user is properly logged in. E.g. link to scripts.php?file=js/myscript.js and have authentication checking code in scripts.php.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

if you had a cookie token presence test + myscript.js request; you could avoid php processing and let apache route the request
Sure, but since I guess you want to verify against a PHP session, you need to invoke PHP. Just testing for the presence of some cookie without verifying it's a valid session is not real protection.
0

When you restrict a folder like this, you can not include the files that are in it inside your HTML page. It is basically the same request as if the person is accessign directly to the JS by URL.

Improve this answer

Comments

0

Usually cpanel tools like

  1. Hotlink Protection

    Hotlink protection prevents other websites from directly linking to files (as specified below) on your website. Other sites will still be able to link to any file type that you don't specify below (i.e., HTML files). An example of hotlinking would be using an <img> tag to display an image from your site somewhere else on the Web. The end result is that the other site is stealing your bandwidth.

  2. Index Manager

    The Index Manager allows you to customize the way a directory will be viewed on the web. You can select between a default style, no indexes, or two types of indexing. If you do not wish for people to be able to see the files in your directory, choose "No Indexing".

1&2 are tools from usual hosting cpanel. Probably it writes over apache conf files(not sure which ones)

However, you should also be aware of HTTP referer. You could based on this decide when not to show your respurce.

`HTTP referer is an HTTP header field that identifies the address of the webpage (i.e. the URI or IRI) that linked to the resource being requested`
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.