void

Reputation: 405

Prevent cURL from accessing specific pages

My index.php includes header.php and footer.php this way:

define("LEGAL_PATH", TRUE);
include("header.php");
// ...
include("footer.php");

And each of my included files begins with:

if (!defined("LEGAL_PATH"))
{
    header("location: index.php");
    exit(0);
}

For the moment, when we load header.php (or footer.php), we are redirected to the index.php page. When we try to curl header.php, it returns a blank page (thanks to the exit(0)).

Question:

Regarding bad people, I would like to generate a 404 error (as when we try to access efjiozfjoijefiojzeof.php, for instance) even if we load the page with curl: in this case (with a curl command), the header location is non-functional.

The curl output which I had (when there is no exit(0)):

$> curl https://www.mywebsite.com/header.php
NOBODY SHOULD READ THIS DIRECTLY FROM HEADER.PHP FILE

The curl output which I currently have (when there is the exit(0)):

$> curl https://www.mywebsite.com/header.php
$>

The curl output which I would like to have:

$> curl https://www.mywebsite.com/header.php
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /headzefjzefjp.php was not found on this server.</p>
</body></html>
$>

My idea was to include the 404 page file, but when I curl in verbose mode, I still have a 200 error code (and not a 404):

$> curl https://.../header.php -v
...
> GET /header.php HTTP/1.1
> Host: ...
> User-Agent: curl/7.51.0
> Accept: */*
> 
< HTTP/1.1 200 OK
...

So, what is the right way to really ignore the header.php file (from browsers, curl, etc.)?

Upvotes: 0

Views: 666

Answers (2)

jperelli

Reputation: 7197

You need to send 404 Not Found manually. See this answer for that: "How can I create an error 404 in PHP?"

Also, if you are redirecting, you need to set a 301 or 302 status (see "301 or 302 Redirection With PHP"), which you are doing implicitly when using the "location" header.

Another thing is to make sure that cURL is not following 30x redirects (maybe your curl is an alias to curl -L). Try using curl --max-redirs 0 https://www.mywebsite.com/header.php to see if that is the case.

Upvotes: 0
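Added example, not part of the original question or answers: one way to make the question's `LEGAL_PATH` guard in header.php answer a direct request with a real 404 status and the Apache-style body shown in the question. The body layout and the choice to echo the request path are assumptions; the path is HTML-escaped because it is client-controlled.

```php
<?php
// header.php (added example): the include guard from the question,
// returning a real 404 instead of a redirect or an empty 200.

if (!defined('LEGAL_PATH')) {
    // Set the status line explicitly. Including or echoing an error page
    // alone leaves the response at "200 OK", which is what curl -v showed.
    http_response_code(404);
    header('Content-Type: text/html; charset=UTF-8');

    // Keep only the path (no query string). parse_url() can return
    // false/null on malformed input, so fall back to "/".
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    if (!is_string($path)) {
        $path = '/';
    }

    // The path is client-controlled and is reflected into HTML:
    // escape it so the fake 404 page cannot be used for XSS.
    $path = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    echo <<<HTML
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL {$path} was not found on this server.</p>
</body></html>

HTML;
    exit; // stop before any header markup is emitted
}

// ... normal header markup follows when included from index.php ...
```

Running `curl -v` against header.php should then show `HTTP/1.1 404 Not Found` in the response, while index.php, which defines `LEGAL_PATH` before the include, is unaffected.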

Gab

Reputation: 3520

The correct way to prevent people from accessing pages they are not supposed to access (like your header, footer or some libraries) is to put them outside of your document root.

For example, your folder structure could look like:

documentroot/index.php
header.php
footer.php

And your index.php would look like:

<?php 
require('../header.php');
echo "some content";
require('../footer.php');

Instead of trying to return a 404 error, this is the easiest and most secure way to prevent users from accessing pages they are not supposed to access.

Upvotes: 1
