CODEWITHSUNDEEP
securitylaravellaravel-4assets
quantme
quantme

Reputation: 3657

Laravel 4: how to protect assets folder?

I come from CodeIgniter where files/folders are typically protected this way:

.php files

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

index.html files

<html>
<head>
    <title>403 Forbidden</title>
</head>
<body>

<p>Directory access is forbidden.</p>

</body>
</html>

I guess can be possible with .htaccess or hard way but, how can be done using Laravel 4? is there a way using its 'standards'?

Edit: Is a project built for shared hosting.

/assets/{css, img, js}
/packages
/system/{app, bootstrap, vendor, index.php, .htaccess, favicon.ico}

Upvotes: 3

Views: 5089

Answers (4)

thuan le van
thuan le van

Reputation: 61

You need to make a file .htaccess, after that you need to add the following:

# Disable Directory Browsing
Options All -Indexes

Upvotes: 6

Ilker Mutlu
Ilker Mutlu

Reputation: 754

The answer might be a year late, but I thought it might help others who want to tackle something similar.

Check out Kelt Dockins' post here. The Codesleeve Laravel Asset Pipeline would allow you to have your assets folder outside your /public folder, securely.

Upvotes: 0

Laurence
Laurence

Reputation: 60068

I have provided a similar answer to this type of question here: Laravel image gallery logic

In principle - you should store all your assets outside of public - and use PHP readfile() to securely serve them to users as required.

Upvotes: 1

Jason Lewis
Jason Lewis

Reputation: 18665

You should set up your application so that everything outside of the initial public directory is outside of your document root. That's one of the reasons why Laravel actually ships with a public directory. Typically most people will symlink this directory to the document root. Anything inside public is, obviously, public. If you'd like your assets directory to be inaccessible you could opt to use htaccess or an index.html file much like how you've described.

If, for whatever reason, you need to shuffle some things around and have your actual application files within your document root then you'll need to implement some form of security if you see the need. This, again, could either be using htaccess or an index.html file. Typically a htaccess approach is simpler. If you wanted to protect the app directory you could drop a .htaccess file in there that looked something like this.

deny from all

Upvotes: 1

Related Questions