Alex

Reputation: 35

How to protect a subfolder which contains PHP pages

I have made a subdomain for my website which I will use to store all the important scripts, both PHP and JavaScript. I want to protect everything there so that it cannot be accessed from a web browser.

I have tried .htpasswd, but when the page is called to do its function, a password is required every time.

You can say that the folder can be protected, but it makes the script not work because access requires a password.

Are there better alternatives?

Upvotes: 0

Views: 389

Answers (3)

stackuser10210

Reputation: 352

I like to use an inclusive IP address range for restricted access. The question is unclear, so I'm not sure if that's what you mean, but this is an example:

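RewriteEngine on
# Match the client IP address exactly; the dots are escaped and both ends anchored.
RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
# Every other client is redirected to the site root.
RewriteRule ^(.*) / [R=302,L]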

Add that to a .htaccess file in the folder you'd like to protect, replace XXX.XXX.XXX.XXX with your IP address, and anyone but you will be redirected.

You'd probably want a password as well for very restricted areas.

Edit:

In place of a long comment.

Client-side scripts shouldn't have any greater access when making 'AJAX' requests than any standard request made to a publicly accessible file. It's not easy to help without more info on 'why' you want to. Storing your PHP stuff outside of the document root is probably the way to go, but that stuff would then only be accessible from the server-side (e.g. PHP).

You could make an XMLHttpRequest to an accessible page, which could in turn access files stored in a non-public location. e.g., either with an absolute path /var/private/, adapted to suit, or by traversing the directory structure with e.g. ../private, meaning one directory higher where your root may be /var/www.

Upvotes: 0

David Thomas

Reputation: 253308

Put the PHP files outside of the web-root, and have the server access/include/require them via the file-path. My own private scripts reside in the 'private' folder, which is in the same directory as the /var/www/ directory, and are accessed via: include '../private/script.php'

This won't work for JavaScript, though (except for possibly server-side JavaScript) as it needs to be accessed by the user/client before it can be used. If it can't be accessed it can't be used, which makes it somewhat pointless. To ensure security for JS don't put anything private into the JavaScript, it's the only way; and then sanitise any input taken from that JavaScript.

Upvotes: 2
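
The pattern the two answers above describe, as an added example that is not from any of the posts: one public PHP endpoint receives the XMLHttpRequest and includes scripts kept outside the document root. The file name api.php, the /var/private layout, the `action` parameter and the script names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout (hypothetical names):
//   /var/www/api.php      this file, inside the document root
//   /var/private/*.php    private scripts, never served by the web server
const PRIVATE_DIR = __DIR__ . '/../private';

// Allow-list: the request names an action, never a file path.
const ACTIONS = [
    'contact' => 'send_contact.php',
    'report'  => 'build_report.php',
];

function resolvePrivateScript(string $action, string $baseDir, array $actions): ?string
{
    if (!isset($actions[$action])) {
        return null;                      // unknown action: nothing to include
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $actions[$action]);
    if ($base === false || $path === false) {
        return null;                      // directory or script is missing
    }
    // Containment check: after symlinks and ".." are resolved, the script
    // must still live under the private directory. This catches a bad
    // allow-list entry or a symlink that points somewhere else.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The browser-side script posts e.g. action=contact to /api.php.
$action = $_POST['action'] ?? '';
$script = is_string($action)
    ? resolvePrivateScript($action, PRIVATE_DIR, ACTIONS)
    : null;

if ($script === null) {
    http_response_code(404);              // do not reveal which actions exist
    exit;
}

// The included script still has to validate every value it reads from $_POST.
require $script;
```

Because the request value is only ever used as a key into the allow-list, a value such as `../../etc/passwd` never reaches the filesystem call.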

Madara's Ghost

Reputation: 174937

You can always use .htaccess's deny from all.

See this article on .htaccess to learn more

Upvotes: 0
