Allow access to directory using URL


#1

My site has several directories :
phpfiles
scripts
images

I want to allow access to these only from my WEB site.

I should be able to do this by adding a .htaccess file to each directory, This is what I added

Options -Indexes
order deny,allow
deny from all
allow from https://kidsbooks.gq

Using this stops everything accessing the files, even from my web site.

The URL is serviced through CloudFlare so I have tired using the original webhost address supplied by webhost of http://kids-books.000webhostapp.com/, I have even tried to use the ip address of both URL’s.

Can somebody tell me what I have wrong please.

Thanks

Garry


#2

Good day, sir!

I want to allow access to these only from my WEB site.

You want to list the files in browser or do you want to prevent them from being listed?


#3

Hi Teodor

The .htaccess stops the directories being listed and this works fine.
But if I know the names of the php files I can enter them into a browser and run the file.

E.g. I have a file deleteUserAccount.php, this is called from my javascript using ajax, but I can also run it by simply calling it as a URL in any WEB browser :

https://kidsbooks.gq](https://kidsbooks.gq/phpfiles/deleteUserAccount.php?userid=1234

So I want to restrict access to the directories to only allow calls that come from my WEB application and stop calls from browsers.

I thought I could do this using the ‘allow from https:kidsbooks.gq’ entry, but that stops all access.

Thanks for helping

Garry


#4

As long as your files are located in /public_html they are all accessible through the direct path and there is no way we can overcome that.

Two fixes are coming in my mind:

  1. You could move your core PHP files to the root path of your site (/) and include them in your public PHP files.
  2. You could generate a unique key for each request which is coming from your web application and drop all requests which do not meet the key criteria.

#5

I’m currently implementing idea 2, but that is taking longer than I expected.

I’ll also have a look at idea , the more security the better, I’ve already had somebody hack my site and nobody is using it yet :roll_eyes:

Thanks for helping.


#6

This topic was automatically closed after 5 days. New replies are no longer allowed.