
I've spent all day looking for a solution on how to make files inaccessible directly, but still accessible to scripts. All answers I've found lead me in roundabout loops. This may be useful to someone.

If anyone has a better solution, please post.

Here is the one I have found.

How to make files only accessible to scripts (including client-side scripts?) / inaccessible directly (i.e., through URL)?

Turn on mod_rewrite

In the .htaccess file:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !http://*************
RewriteCond %{HTTP_REFERER} !http://*************
RewriteRule ^ - [L,F]

Type in your domain in the ******

Use https if needed.

Ulad Kasach
  • It is fundamentally impossible to distinguish between your client-side code and a malicious attacker. – SLaks Mar 09 '14 at 20:20
  • Put them in directory that cannot be accessed via web – gawi Mar 09 '14 at 20:25
  • Look at this http://stackoverflow.com/questions/7127153/php-how-can-i-block-direct-url-access-to-a-file-but-still-allow-it-to-be-downl – Panama Jack Mar 09 '14 at 21:33
  • It is impossible to distinguish between the two, yet possible to distinguish if the scripts are accessed from the website pages, or directly by url to a level that creates finesse to the website and deters access to the scripts from people who do not care enough to spend significant time accessing it. Because client-side scripts are accessed by the website, they need to be accessible offline. I should have been more specific. That answer is far more complicated than necessary, and I am not sure it does exactly what is needed in this scenario. I will add more context to this answer. – Ulad Kasach Mar 10 '14 at 23:09
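
A model of the Referer rule from the question, added here as an example (not code from the post or its comments), showing which requests the posted pattern returns 403 for and how an anchored pattern changes that. Assumptions: `example.com` stands in for the asterisks, the anchored pattern is this example's own, and Python's `re` stands in for Apache's PCRE, which treats these simple patterns the same way.

```python
import re

SITE = "example.com"  # constructed stand-in for the asterisks in the rule

# The rule as posted once the domain is typed in: unanchored, dots unescaped.
AS_POSTED = [re.compile("http://" + SITE)]
# Tightened variant (assumption of this example): anchored, dot escaped,
# http or https, and the host must end at '/', ':' or end of string.
ANCHORED = [re.compile(r"^https?://" + re.escape(SITE) + r"(?:[:/]|$)")]

# Constructed Referer values; "" models a typed URL or a browser that
# sends no Referer (for example under Referrer-Policy: no-referrer).
SAMPLES = [
    "",
    "http://example.com/page.html",
    "http://example.com.other.test/page.html",
    "http://other.test/?from=http://example.com",
    "http://exampleXcom/page.html",
]

def forbidden(referer, patterns):
    """Model RewriteCond %{HTTP_REFERER} !pattern (conditions are ANDed)
    followed by RewriteRule ^ - [L,F]. True means 403 Forbidden."""
    return all(p.search(referer) is None for p in patterns)

def compare(samples=SAMPLES):
    """Return {referer: (forbidden_as_posted, forbidden_anchored)}."""
    return {r: (forbidden(r, AS_POSTED), forbidden(r, ANCHORED)) for r in samples}

if __name__ == "__main__":
    for referer, (posted, anchored) in compare().items():
        print(f"{referer!r:45} as posted: {'403' if posted else 'served'}"
              f"   anchored: {'403' if anchored else 'served'}")
```

Both forms still decide on a header the client supplies, so the rule works as the deterrent described in the comments rather than as access control; files that must stay private belong outside the web root, as gawi's comment suggests.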

1 Answer

If by "direct" you mean file access from a browser, then you can require that an HTTP client presents a custom header, e.g. X-Access: authorized_script so it can't be easily sent from a browser.

This answer discusses how it's done with Apache.

punund
  • I believe the solution I've presented is much simpler and time effective with the same results. However, I can see how that solution could present greater security. – Ulad Kasach Mar 10 '14 at 23:12