I know .htaccess is not the best way to do this, but I don't have access to other server settings.
- index.php (root)
-- scripts (folder)
--- someScript.php (one of the scripts)
So let's say I have an index.php file that lives at the root of the server; that file makes ajax requests to a script in a folder scripts. If a user types in the search bar domain.com/scripts/ he now has access to that folder (I don't know if they can be downloaded from there or not).
I know I can use Options -Indexes, but this still allows users to go directly to a script if they know the name of it, which is not hard to find or even guess.
The second option I know about is
<Files ~ "\.txt$">
Order allow,deny
Deny from all
</Files>
But this stops everything from accessing the file, even the ajax requests.
So, my question is, should I protect these files somehow? Can the user see their content or download them, are there security risks?
Upvotes: 1
should I protect these files somehow?
Well, you can't really, not if they are to be requested by the client (browser AJAX request).
It's usual to send a custom HTTP request header when calling a script via AJAX (client-side), so the script knows how to respond to such requests and return the appropriate response. Whilst this provides no "security", it does prevent casual requests to that script from doing anything.
For example, if you have the file /scripts/ajax-script.php that should only be accessible via a JavaScript AJAX request, then send a custom header when making the AJAX request and block any requests to this file when that header is not present (or has the wrong value). For example, using mod_rewrite in the root .htaccess file:
RewriteEngine On
# Block request to file if "X-Ajax-Request" header is not present
RewriteCond %{HTTP:X-Ajax-Request} ^$
RewriteRule ^scripts/ajax-script\.php$ - [F]
Can the user see their content or download them, are there security risks?
The example you gave is of a PHP script. Any direct request will only see its output, not necessarily its contents.
The only security risks are what you make. If an arbitrary request to that script returns a list of all active users and personal information then yes, that's obviously a security risk. But if the response is empty and no harmful event happens as a result of calling that script then it's a non-issue.
Upvotes: 1
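The same "custom header" gate can be done inside the PHP script itself, which is useful on hosts where mod_rewrite is not enabled. The following is an added example, not code from the original question or answer: it reuses the X-Ajax-Request header name from the answer (Apache and PHP expose it as `$_SERVER['HTTP_X_AJAX_REQUEST']`), and the expected value `1` and the `user_id` session key are assumptions for illustration. The client would send the header with something like `fetch('/scripts/ajax-script.php', { headers: { 'X-Ajax-Request': '1' } })`.

```php
<?php
// Added example (not part of the original answer): block direct/casual requests to
// an AJAX-only script by requiring the custom header, then apply a real
// authorisation check for anything the script actually returns.
declare(strict_types=1);

/**
 * True only when the request carries the custom header with the value our
 * front-end sends. A missing header, or any other value, is treated as a
 * casual request (someone typing the URL into the address bar).
 */
function isAjaxRequest(array $server): bool
{
    // HTTP_X_AJAX_REQUEST is how PHP exposes the "X-Ajax-Request" request header.
    // Expected value "1" is an assumption; use whatever your JavaScript sends.
    return isset($server['HTTP_X_AJAX_REQUEST'])
        && $server['HTTP_X_AJAX_REQUEST'] === '1';
}

if (!isAjaxRequest($_SERVER)) {
    // Equivalent to the mod_rewrite [F] rule: refuse the request outright.
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Forbidden\n";
    exit;
}

// The header check only filters casual navigation; anyone can add a header to a
// request. If the script returns anything sensitive, it still needs a genuine
// authorisation check. Here that is a logged-in session (hypothetical key).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

// Normal response for a legitimate AJAX call from an authenticated user.
header('Content-Type: application/json');
header('Cache-Control: no-store'); // keep AJAX responses out of shared caches
echo json_encode(['status' => 'ok', 'user' => $_SESSION['user_id']]);
```

The two checks serve different purposes: the header test keeps a script's output from being reached by a typed-in URL, exactly as the mod_rewrite rule does, while the session test is what actually decides whether the caller is allowed to see the data. If the script returns nothing sensitive, the header gate alone is all the answer above calls for.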