Nikko

Reputation: 1286

Fully securing a directory

What are the different approaches to securing a directory?

Including an index page so contents can't be viewed

The problem with this is that people can still access the files if they know the filename they're after.

Including an htaccess file to deny all

This seems to be the best approach, but is there any case where an htaccess file can be bypassed? Are there also any cases where htaccess is not available?

Restricting folder access

This is also a nice solution, but the problem is that the folder I'm trying to secure should be viewable and writable by the program.

Are there any other ways that folder security can be done?

Upvotes: 1

Views: 133

Answers (2)

nairdaen

Reputation: 1047

You could also try not placing your protected directory under your www dir but in another "non www visible" location. If your app needs to read / write data, tell it to do it in the other location. Modify its properties so only the app has the proper rights to do so.

Upvotes: 0

Grouchal

Reputation: 9796

Best practice for Apache is to use htaccess to restrict - this only restricts from the webserver - but that should be what you need. You can add authentication into this - but for most needs you can just deny all access - which hides the directory completely.

Another method that can also work well with using htaccess to deny direct access would be to use htaccess in your root directory to rewrite URLs. This means that a request such as /example/listItems/username/ted can be rewritten as a call to a PHP or other file such as:

/application/index.php?module=listItems&username=ted

The advantage of doing this is that the webserver does not give out paths to any directories so it is much more difficult for people to hack around looking for directories.

If you want to protect a directory of images you could also use htaccess to redirect to a different directory so that /images/image5.png is actually a call to:

/application/images/image5.png

Upvotes: 2
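The two htaccess techniques from the answer above, written out as an added example (not code from any poster on this page). `<protected-dir>` and `<document-root>` are placeholders, the character classes in the patterns are an assumption about which names are valid, and the server is assumed to have an `AllowOverride` setting that permits these directives.

```apache
# --- File 1: <protected-dir>/.htaccess --------------------------------
# Deny every HTTP request for this directory. Server-side code can still
# read and write the files through the filesystem.
# Ignored entirely if the server config sets "AllowOverride None":
# Require needs AuthConfig, Order/Deny need Limit.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
# Do not put File 1 in /application itself: a rewritten request is an
# internal redirect, and the target directory's access rules still
# apply to it, so the front controller would be denied as well.

# --- File 2: <document-root>/.htaccess --------------------------------
# Rewriting needs "AllowOverride FileInfo" and mod_rewrite.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # /example/listItems/username/ted
    #   -> /application/index.php?module=listItems&username=ted
    # No QSA flag: the client's own query string is dropped, so it
    # cannot append a second "module=" that overrides the rewritten one.
    RewriteRule ^example/([A-Za-z0-9_]+)/username/([A-Za-z0-9_]+)/?$ /application/index.php?module=$1&username=$2 [L]

    # /images/image5.png -> /application/images/image5.png
    # Only plain .png file names match; no slashes or extra dots.
    RewriteRule ^images/([A-Za-z0-9_-]+\.png)$ /application/images/$1 [L]
</IfModule>
```

After deploying, request a known file inside the protected directory by its full URL and confirm the response is 403; a 200 means the `.htaccess` file is not being read.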
