Forum Moderators: Ocean10000 & phranque

blocking access to files & folders via .htaccess

stylesheets and entire directories

     
9:14 pm on Dec 6, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 10, 2005
posts:387
votes: 0


What code do I use to block users from accessing certain directories and viewing files like stylesheets?

I tried the following:

<FilesMatch "\/directory\/$">
Deny from all
</FilesMatch>

(doesn't block access)

and:

<FilesMatch "\.css$">
Deny from all
</FilesMatch>

(blocks access but my pages have no CSS!)

9:40 pm on Dec 6, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 10, 2005
posts:387
votes: 0


Okay, I got the following to work for stylesheets and javascript files:

RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com(/)?.*$ [NC]
RewriteRule .*\.(js¦css¦ico)$ [domain.com...] [R,NC]

Question: will this cause a problem for browsers that don't send referer info with page requests?

Also, still can't block access to directories.

10:47 pm on Dec 6, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 9, 2005
posts:1509
votes: 0


No, it will not block them from user-agents that do not send referrer information.

Can I ask what you are trying to accomplish by blocking them?
There are a few ways to keep your files from being accessed, and sometimes .htaccess is not the best solution. (Or .htaccess alone is not the best solution might be better wording.)

Justin

2:28 pm on Dec 7, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 10, 2005
posts:387
votes: 0


I'm just trying to block access to hackers who type URLs directly into the address bar.

PS - Are you SURE about not blocking browsers that don't send referrer info? A site with a code generator adds the following if you don't want to block blank referrers:

RewriteCond %{HTTP_REFERER} !^$

It also includes a warning about such browsers -- see [htmlbasix.com...]

4:23 pm on Dec 7, 2006 (gmt 0)

Junior Member

10+ Year Member

joined:Sept 19, 2005
posts:44
votes: 0


This is what I use to block other sites from displaying my images. Should work just fine for "direct" access to other files (js, css, etc).


RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain.com(/)?.*$ [NC]
RewriteRule .*\.(gif¦jpg¦png)$ - [F]

That first line adds a logical "AND" which I think is what you're looking for. So the condition is this: if the referrer value is not null AND it's not ...domain.com, then do the rule. Therefore, it's important to understand that if an agent requests a file and does not pass a referrer, then it's not blocked. This may not be necessary nowadays though, as the only agents that won't pass a referrer value are really old browsers, and maybe hackers. Just depends on how you want to handle it.

Another major difference though in how I handle it is that in my RewriteRule, I'm using F (forbidden), as this seems more appropriate. This causes the agent to receive a "403 Forbidden" message which is exactly what I want. In your case, using an "R", you're just redirecting the request to a different URL, so you're still serving up content for those requests. Personal preference I suppose.

5:16 pm on Dec 7, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


The devil's in the details, here.

The goal is to block type-in requests for .js and css files.

Type-in requests, by definition, have no referrer.

So, allowing blank referrers in the code explicitly allows type-in requests for those files.

The best that can be achieved is to block requests for .js and .css files with no referrer, and hope that not too many of your visitors are behind corporate or ISP caching proxies (which also provide no referer):


RewriteCond %{HTTP_REFERER} !^http://(www\.)?domain\.com
RewriteRule \.(css¦js)$ - [F]

Replace the broken pipe "¦" character in the code with a solid pipe character before use; posting on this forum modifies the pipe characters.

Flush your browser cache before testing any changes to your configuration.

Jim
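
The two referrer rule sets posted above, evaluated side by side. This is an added example, not part of the original posts: it models mod_rewrite's default AND-ing of RewriteCond lines in Python, and the sample requests, the `other.example` host and the shared `\.(css|js)$` rule pattern are assumptions made for the comparison.

```python
import re

# Each RewriteCond is (negated, regex, flags); mod_rewrite ANDs them by default.
ALLOW_BLANK = [  # 4:23 pm post: an empty referrer is let through
    (True, r"^$", 0),
    (True, r"^http://(www\.)?domain.com(/)?.*$", re.I),  # [NC]
]
BLOCK_BLANK = [  # 5:16 pm post: an empty referrer is refused
    (True, r"^http://(www\.)?domain\.com", 0),
]

def forbidden(path, referer, conds, rule=r"\.(css|js)$"):
    """Return True if the request would receive 403 from 'RewriteRule ... - [F]'."""
    if not re.search(rule, path):        # rule pattern is tested first
        return False
    ref = referer or ""                  # %{HTTP_REFERER} is "" when the header is absent
    for negated, pattern, flags in conds:
        matched = re.search(pattern, ref, flags) is not None
        if matched == negated:           # this condition is false, so the rule is skipped
            return False
    return True

# Constructed sample requests: (label, path, Referer header or None)
SAMPLES = [
    ("type-in or proxy-stripped", "style.css", None),
    ("own page",                  "style.css", "http://www.domain.com/page.html"),
    ("other site",                "style.css", "http://other.example/"),
    ("not a css/js file",         "index.html", None),
]

def decision_table():
    """Map each sample label to (blocked under ALLOW_BLANK, blocked under BLOCK_BLANK)."""
    return {label: (forbidden(p, r, ALLOW_BLANK), forbidden(p, r, BLOCK_BLANK))
            for label, p, r in SAMPLES}

if __name__ == "__main__":
    for label, (a, b) in decision_table().items():
        print(f"{label:28} allow-blank: {'403' if a else 'ok':4} block-blank: {'403' if b else 'ok'}")
```

The only row where the two rule sets differ is the empty-referrer one, which covers both type-in requests and visitors behind referrer-stripping proxies. Because the header is supplied by the client, either variant filters well-behaved clients rather than enforcing access control.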

6:39 pm on Dec 7, 2006 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 9, 2005
posts:1509
votes: 0


The reason I was asking about the blocks is, if you are running a dynamic site, you can block in the script requesting the file, rather than .htaccess and you will save 'requests'. Meaning if you move your block from .htaccess to the dynamic page you will remove any 'bad' requests before they are made.

In .html to block one css and 2 js files all 3 files will have to be requested (bad) from your server. Then they will be forbidden.

In .php to block a single comparison can block all 3.

Justin

8:50 pm on Dec 7, 2006 (gmt 0)

Preferred Member

10+ Year Member

joined:Nov 10, 2005
posts:387
votes: 0


I found I can block access to entire directories such as includes & template files using a simple:

RewriteEngine on
RewriteRule ^(.*)$ - [F]

As for CSS & JS files, I'll just leave them accessible; I'd rather not block access to legit users whose browsers don't send referer info. I'm guessing this isn't a big issue since there's no clear solution...

...unless someone can get the following different approach to work:

<FilesMatch "\.(css¦js)$">
Deny from all
</FilesMatch>

I've seen lots of different lines in there, like:

Order Allow,Deny
Allow from all
Satisfy all

and:

<Limit GET PUT POST>
Order Allow,Deny
Allow from all
</Limit>

but I don't understand it enough to get it to work. Is that a viable method?