Q&D Folder Restriction (security)
By John Bates
© 2003
http://www.mordesigns.com
Applicable to: Systems utilizing Apache
There are a few solutions to the problem of preventing errant visitors from viewing folders (and their contents) that are without an index file. The solution below is one that I've found to be elegant and easy to implement. In addition, you can author a nice "error" message if you wish, AND it can save considerable space and time. It is derived from the Apache DirectoryIndex directive.
****
1.) Add the following line to your .htaccess file:
DirectoryIndex index.shtml index.htm index.html index.cgi index.php /restrict.html
2.) You may place in that line any file name that your particular system has been set up to default to (provided you know it is absent from the folder(s) you don't want to be viewable).
* See Notes Below
3.) Next, create a "restrict.html" file in the same folder as the .htaccess file (unless you change the path in the line above), and populate it with whatever message you want an errant visitor to see, such as:
Sorry!
You are not authorized to view this directory's contents. Contact: webmaster@yoursite.com
4.) What all of the above does is: when a user types in an address to a folder that does not contain one of the files you specified in the .htaccess line, or specifically types in one of the files specified (which aren't there), it will redirect them to the restrict.html file. If the user typed in a /folder/filename that IS there, it will of course be rendered.
****
* Notes:
By "any file name that your particular system has been set up to default to", I mean that our esteemed system administrators have most likely set up our OS to look for one or more default file names, in a particular order, in case no filename was typed in the URL (such as your URL without "index.htm" appended: http://www.yourdomain.com/). For example, the order might be:
index.htm -> index.html -> default.htm -> index.shtml
So then:
User types in "www.yourdomain.com/fred/" ->
System looks for /fred/index.htm. If the system finds it, it gets rendered in the user's browser ->
If the system doesn't find it, it next looks for /fred/index.html. If the system finds it, it gets rendered in the user's browser ->
If the system doesn't find it, it next looks for /fred/default.htm. If the system finds it, it gets rendered in the user's browser ->
If the system doesn't find it, it next looks for /fred/index.shtml ->
And so on... until it either finds one of its defaulted filenames, or finds none of its defaulted filenames and then either presents a 404 error page or displays the contents of the /fred/ folder for all the world to see.
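As an added example (not from the original tutorial), this POSIX shell script models the lookup walked through above together with the DirectoryIndex line from step 1, against a constructed document root: for a directory request it tries the listed candidates in order and reports which file is served, with and without the /restrict.html fallback. The demo folders, file names and the temporary directory are assumptions made for the demonstration.

```shell
#!/bin/sh
# Model of Apache's DirectoryIndex lookup for a directory request.
# Candidates are tried in the order listed; a plain name is looked up inside
# the requested folder, a name starting with "/" is looked up from the
# document root (so /restrict.html is found whichever folder was requested).

# Usage: resolve_index DOCROOT REQUEST_DIR "CANDIDATE LIST"
# Prints the document-root-relative path that would be served for a request
# to REQUEST_DIR (a URL path ending in "/"), or "no-index" when none of the
# candidates exist (Apache then lists the folder or answers 403, depending
# on whether Options Indexes is enabled).
resolve_index() {
    docroot=$1
    reqdir=$2
    for cand in $3; do
        case $cand in
            /*) path="$docroot$cand" ;;
            *)  path="$docroot$reqdir$cand" ;;
        esac
        if [ -f "$path" ]; then
            printf '%s\n' "${path#"$docroot"}"
            return 0
        fi
    done
    printf 'no-index\n'
}

# Constructed demo document root in a temp directory (hypothetical site):
# /public/ has an index file, /private/ has only a non-index file.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public" "$root/private"
    printf 'home page\n' > "$root/public/index.html"
    printf 'not an index\n' > "$root/private/notes.txt"
    printf 'Sorry! You are not authorized to view this directory.\n' \
        > "$root/restrict.html"
    printf '%s\n' "$root"
}

# The .htaccess line from the tutorial, and the same list without the fallback.
WITH_FALLBACK='index.shtml index.htm index.html index.cgi index.php /restrict.html'
NO_FALLBACK='index.shtml index.htm index.html index.cgi index.php'

root=$(make_demo_root)
echo "/public/  -> $(resolve_index "$root" /public/ "$WITH_FALLBACK")"   # /public/index.html
echo "/private/ -> $(resolve_index "$root" /private/ "$WITH_FALLBACK")"  # /restrict.html
echo "/private/ -> $(resolve_index "$root" /private/ "$NO_FALLBACK")"    # no-index
rm -rf "$root"
```

Apache applies DirectoryIndex only when the request is for a directory, so the script models directory URLs only; if what you want is simply no automatic listings, `Options -Indexes` in the same .htaccess turns them off outright.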
Addendum:
Use the tutorial above, and just make the restrict.html file like your home page, except replace the body content with the "Sorry, you are not authorized..." message. This way, folks will still have all the navigation structure that you have in your home page. As well, this way you won't have duplicate "site map" pages. Make sure to use full URLs rather than relative paths in any links/images/etc., though.
****
We hope you find this helpful.
****