The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Is there a way to prevent folder directory access with CSS?

  • #161202
    Anonymous
    Inactive

    I’ve been working on a 404 Error page which redirects to the home page. It works well, but I’ve noticed that it only works for nonexistent files, of course. For example, if I were to type http://mydomain.com/images/aa the 404 page comes up. However, if I type http://mydomain.com/images/ then the entire listing of files and folders within the images folder is shown. I’ve been reading around on ways to prevent direct access and the closest I’ve found is adding the following to the .htaccess file.

    # disable directory browsing
    Options All -Indexes 
    

    The problem with this is that a generic white page comes up saying access is forbidden, and I’m assuming I will have to put an .htaccess file as well as the 404.html page in every folder I want to prevent direct access to. This would take a great deal of work. In the past I placed a home.html page in each folder, but I’m hoping there is an easier way to forbid direct access and have a 404 page.

    Best Regards.

    #161206
    Paulie_D
    Moderator

    Is there a way to prevent folder directory access with CSS?

    No…

    Simples. :)

    In the past I placed a home.html page in each folder

    This does not sound right.

    #161213
    Anonymous
    Inactive

    Greetings Paulie,

    Does this mean I will have to post the .htaccess and 404.html in every folder PLUS create separate .htaccess and a 401.html file for each? I don’t mind creating a thread since the first question is now a non CSS related issue. Where should I post the question though?

    As for the home.html, it works here using Firefox and IE8. What do you see?
    All of this must be changed as it is no longer practical to mark the graphics with invisible watermarks or track images/visitors.

    Best Regards.

    #161214
    Paulie_D
    Moderator

    I’ll move this to “Other” discussions for proper resolution

    #161224
    __
    Participant

    In the past I placed a home.html page in each folder

    This does not sound right.

    Old, hacky: but it works. Basically, the index won’t be shown because the default html page is shown instead. But Options All -Indexes is the correct solution to this problem.

    Does this mean I will have to post the .htaccess and 404.html in every folder PLUS create separate .htaccess and a 401.html file for each?

    Not at all. For example, you can do

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ /path/to/file.html [L]
    

    Of course, if you are relying on directory paths to automatically display their index page, this would prevent that. You’d need to do something like (not tested):

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}index.php !-f
    RewriteCond %{REQUEST_FILENAME}/index.php !-f
    RewriteRule ^ /path/to/file.html [L]
    

    If you’re using Apache > 2.2.16, you can do

    FallbackResource /path/to/file.html
    

    Something else to consider: 403 Forbidden is the correct response to serve in this case. The user is trying to access a directory listing, and they’re not allowed to. That’s why sending a 404 instead is somewhat difficult: it’s not what Apache was designed to do. It’s misleading, and has no benefit to you or the user.

    #161261
    Anonymous
    Inactive

    Greetings Traq,

    Thank you for your reply.

    I am old, but I try not to be hacky. I started web design around 1995 and haven’t kept up with the new coding types thereafter. HTML and JavaScript is pretty much my range, and the home.html was the way to block access back in the day. PaulieD scared me saying he could access a directory on my server using Google Chrome, so I’m trying to ensure access is prevented. I’m appreciative he alerted me to this.

    I just started learning CSS around November last and work on it when I can. All of this is very new to me. I have used .htaccess files in the past, but if I recall it was to block certain IP addresses.

    I’m basically wanting to prevent direct URL access to folders on my server which displays all files in the directory.

    I’m only interested in unauthorized, forbidden, and file not found issues. I don’t believe a custom page is necessary for the other categories.

    What I’ve been working on is:

    #Rewrite URL's
    RewriteEngine On
    RewriteRule ^404/?$ errors/404.html [NC]
    
    # Enable Error Documents
    # (400,Bad File Request) | (401,Unauthorized) | (403,Forbidden) | (404,File Not Found) | (500,Internal Server Error)
    
    ErrorDocument 400 /400.php
    ErrorDocument 401 /401.php
    ErrorDocument 403 /403.php
    ErrorDocument 404 /404.php
    ErrorDocument 500 /500.php
    

    If I remove all references to the categories I’m not concerned with; ie 400 & 500, will a default white screen show, or are additional rules required?

    In the RewriteRule above, what does ^404/?$ errors/404.html [NC] mean? I assume that this is referencing the 404 page that is on the server. I assume I would place the url where my custom 404 page is located on my server. Do I leave the ^404/?$ and therefore it would appear as ^404/?$ http://exampledotcom/404.html?

    Should the finished .htaccess file go in the root directory only or does it need to be placed in all folders to function? Does an error.html file need to be in each folder to be protected? I know I basically asked this before, but as I haven’t seen this work fully, I am uncertain. I currently have an .htaccess file containing # disable directory browsing Options All -Indexes in my root directory and it seems to be preventing direct access to all folders with a generic white page. I assume that only one .htaccess file in the root will be necessary, but am not sure about the error.html pages.

    Best Regards.

    #161265
    Paulie_D
    Moderator

    PaulieD scared me saying he could access a directory on my server using Google Chrome, so I’m trying to ensure access is prevented. I’m appreciative he alerted me to this.

    Security is an issue, and an important one so I don’t blame you for looking into locking down areas of the site which users would not normally see…and have no need to.

    However, you must remember that any content, CSS and JS being shown / used on the website is automatically and essentially viewable by the user.

    If you locked down the images folder any casual viewer would not see them because the directory would not be accessible to them…ditto CSS etc.

    Consequently, you should only put files in the viewable folders that you do mind being crawled.

    You cannot protect HTML/CSS (they are, for all intents and purposes, open source) but images that you consider proprietary should be protected with a watermark or some other identifying feature… perhaps in the metadata?

    #161267
    Anonymous
    Inactive

    Greetings Paulie,

    I know there isn’t any way to prevent access to images as they have to be available to be displayed on a web page. As such, it’s a simple thing to gain their path through browser tools. Firefox makes it easy to view any image path. I’m looking for the best way to prevent direct access to an entire folder’s contents.

    I was thinking about marking images with metadata using Photoshop and/or Bridge as that would allow proof of creator and ownership. I still want to prevent full access to folder directories though.

    Best Regards.

    #161288
    __
    Participant

    If I remove all references to the categories I’m not concerned with; ie 400 & 500, will a default white screen show, or are additional rules required?

    Probably not. It’ll depend on your server config, but you’ll probably see Apache’s default 400/500 pages.

    In the RewriteRule above, what does ^404/?$ errors/404.html [NC] mean

    There are three parts to a rewrite rule:

    1) pattern to match against

    2) pattern to replace with

    3) flags.

    ^404/?$ is the pattern to match. This will match the path “404” or “404/” (the ? makes the slash optional).

    ^ and $ are anchors: they specify the start and end of the url path, respectively. Including them has the effect of matching the entire pattern, rather than any part of it. Without the anchors, the pattern would also match paths like “not-a-404-page”.

    errors/404.html is the pattern you want to rewrite that path to. In your case, this should be the path to your custom 404 page.

    [NC] means the pattern comparison should be case-insensitive (which, considering there are no alphabetic characters in the pattern, serves no purpose).

    Should the finished .htaccess file go in the root directory only or does it need to be placed in all folders to function

    htaccess files cascade, meaning that a file in one directory will affect all directories “below” it, and will override specific rules from htaccess files (or the server config) “above” it. So, no; unless you want different rules in a particular directory, you don’t need another htaccess file there.

    Does an error.html file need to be in each folder to be protected?

    I don’t know what you mean by “protected.” Your custom error file is specified in your rewrite rule, so you only need to be sure that that filename is correct.

    I know there isn’t any way to prevent access to images as they have to be available to be displayed on a web page. As such, it’s a simple thing to gain their path through browser tools. Firefox makes it easy to view any image path. I’m looking for the best way to prevent direct access to an entire folder’s contents.

    I think you are misunderstanding. The term “direct access” is meaningless. There is no difference between a web browser downloading an image because it was in an <img> tag on a webpage, or because the address was typed in the address bar. If someone knows (or can guess) the filename, they can view it – unless you configure the server to deny that, in which case it would not be viewable on the webpage, either.

    What is your objective in preventing access to these files? What are you trying to accomplish?

    If your goal is to keep control of your images, then @Paulie_D already gave your answer:

    any content, CSS and JS being shown / used on the website is automatically and essentially viewable by the user.

    You can’t get around that. Watermarks, “previews,” or lower resolutions might be alternatives for you. And when it comes to proving ownership, publishing is one of the best methods.

    #161325
    Anonymous
    Inactive

    Greetings traq,

    All I am trying to accomplish is to prevent anyone/everyone from browsing my directory and sub-menus on my server. For example, if someone types in http://www.exampledotcom/images/ in an attempt to see all of the files in the images folder, I want a custom 403.php page to show. If someone types in the wrong page address I want a custom 404.php page to show, etc. In the case of the /images/ example, the person is trying to gain direct access to the contents of the folder. I certainly want individual files available for web pages and therefore am not trying to lock folders, I just don’t want anyone to have access to all of the contents.

    It’s not just images I am concerned about, I have reams of technical papers I have written over the years that will be in certain folders as well. Of course these can be watermarked and I don’t want anyone to have access to them in bulk. I had some material stolen from my original site in the late 90s and used on a TV documentary verbatim in spots. The “expert” presented it as his own work, but I had a video of me presenting the same theories at Purdue University three years prior. I’ve yet to be compensated or any apology offered by the expert or the channel that provides documentaries.

    I’ve been playing around with the following .htaccess file and placed it in my root directory along with my custom pages. It’s not working, so I’ve done something wrong. What is it?

    #Rewrite URL's
    RewriteEngine On
    RewriteRule ^401/?$ /401.php [NC]
    RewriteRule ^403/?$ /403.php [NC]
    RewriteRule ^404/?$ /404.php [NC]
    
    # Enable Error Documents
    # (401,Unauthorized) | (403,Forbidden) | (404,File Not Found)
    
    ErrorDocument 401 /401.php
    ErrorDocument 403 /403.php
    ErrorDocument 404 /404.php
    

    Best Regards.

    #161327
    __
    Participant

    All I am trying to accomplish is to prevent anyone/everyone from browsing my directory and sub-menus on my server.

    Disabling the index option will accomplish that. However, “brute-forcing” common filenames/patterns isn’t that difficult if someone is really interested.

    I want a custom 403.php page to show

    Do you want to show a different 403 than the rest of your site? If so, you’d need another htaccess file to override the 403 file for that directory.

    I have reams of technical papers I have written over the years that will be in certain folders as well.

    “Documents” are easier to control: you can password-protect the directory, and then write scripts to serve them according to whatever rules you prefer. But again, the key concept is that, if you want to “protect” your files, simply hiding the indexes doesn’t work.

    I’ve been playing around with the following .htaccess file and placed it in my root directory along with my custom pages. It’s not working, so I’ve done something wrong.

    What do you mean by “not working”? There’s nothing obviously wrong with it (though I don’t see the need for the rewrite rules).

    #161330
    Anonymous
    Inactive

    I want one single custom 401, 403, and 404 page to work for all directories. I don’t want to have to make a custom page for each folder. If this will prevent direct access to my folders, then there isn’t any need for password protection. I think this would be a problem anyway as I do want to make individual documents available at times, just not have open access to all. Hiding the folders will work to the extent that I don’t want anyone to have free access to the entire contents of any folder. If I write a check to someone, that doesn’t give them permission to access my bank account and see what my balance and transactions are.

    By not working I mean it isn’t doing what it’s supposed to. I assume it’s supposed to show the custom page, depending on what error is made. It doesn’t. It shows the listings within the directory typed which is what I am trying to prevent.

    Best Regards.

    #161381
    Anonymous
    Inactive

    Greetings Paulie,

    I seem to be at a dead-end on this. Perhaps the topic title is causing some to pass over it? Is it possible to change the topic title to something like “.htaccess help needed”?

    I’ve run the .htaccess I’ve come up with through an online checker and there are five instances where either a rule or condition isn’t met. I have no idea how to correct these. There were multiple errors with the coding starting out, but I’ve managed to fix those, I think.

    Best Regards.

    #161441
    __
    Participant

    … If this will prevent direct access to my folders, then there isn’t any need for password protection.

    This will not prevent access at all. It will only prevent the server from displaying a list of the files to the visitor.

    If I write a check to someone, that doesn’t give them permission to access my bank account and see what my balance and transactions are.

    …but neither does it prevent them from doing so. In fact, it makes it substantially easier. Prevention is up to your bank’s policy and practice.

    Giving someone a URL is more analogous to giving someone your checkbook than a single check. You’re telling them where your checkbook is, and expecting them to only take the particular check you wrote for them.

    Most times, people will only be interested in that particular check that is theirs. If you don’t display the directory index, then they won’t be able to look up other checks, but they can still check each page of your checkbook and see if there’s an interesting check there. Likewise, if they can guess the check number*, they can get to that check even without an index.

    * (and check numbers are much like URLs: not at all hard to guess.)

    If this is not acceptable to you, then you’ll need to lock your checkbook so only you have access. When you write a check to someone, you first make sure it’s the right person, then open your checkbook, write the check, take it out of your checkbook, and give it to them. Same procedure can be used for your files. For example, instead of giving the URL to the file:

    1) password-protect the directory

    2) authorize your user (either by requiring a login, using nonce access tokens, etc.)

    3) give an access URL to the user (e.g., example.com/file-access.php?file=some_specific_file.jpg)

    4) when the user requests that URL, confirm it’s the same user you authorized

    5) open the file from your protected directory and download it to them.

    In practice, this is usually not the way things are done: it’s complicated and puts a lot of extra work onto the server.

    I’m not suggesting this is necessarily what you need to do in this case. (I would venture to guess that it’s not.) In reading your previous posts, it seems you may be misunderstanding some of the details of how HTTP works, and I want to make sure things are clear so you know what it is you can accomplish, and what you need to do in order to do so.

    I’ve run the .htaccess I’ve come up with through an online checker and there are five instances where either a rule or condition isn’t met. I have no idea how to correct these.

    What did you want those rules/conditions to be? What problems did you encounter? Is the code you posted above the current code you’re working with?
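
Added example (not part of the original thread or any poster's code): steps 2 to 5 of the procedure in the post above, sketched in Python rather than the PHP implied by the `file-access.php` URL. It goes slightly beyond the post by also confining the requested filename to the protected directory. `SECRET`, `issue_token`, `resolve_download` and the sample users and files are hypothetical, and the protected directory is assumed not to be served by Apache directly.

```python
import hashlib
import hmac
import os
import tempfile
import time

SECRET = b"constructed-demo-secret"  # assumption: kept server-side, never sent to clients


def issue_token(user, filename, expires, secret=SECRET):
    """Step 3: sign (user, file, expiry) so the access URL cannot be edited."""
    msg = f"{user}\n{filename}\n{int(expires)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def resolve_download(root, user, filename, expires, token, now=None):
    """Steps 4-5: return the real path to serve, or None to refuse."""
    expected = issue_token(user, filename, expires)
    # Constant-time comparison; bytes so a non-ASCII token cannot raise.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return None  # token was not issued for this user/file/expiry
    if (time.time() if now is None else now) > int(expires):
        return None  # link has expired
    root_real = os.path.realpath(root)
    path = os.path.realpath(os.path.join(root_real, filename))
    # Refuse anything that resolves outside the protected directory.
    if os.path.commonpath([root_real, path]) != root_real:
        return None
    return path if os.path.isfile(path) else None


def demo():
    """Constructed sample data: one protected file, one file outside the root."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "protected")
        os.mkdir(root)
        for p in (os.path.join(root, "paper.pdf"), os.path.join(base, "outside.txt")):
            with open(p, "w") as fh:
                fh.write("sample")
        exp = 2_000  # constructed expiry timestamp
        good = issue_token("alice", "paper.pdf", exp)
        bad_path = issue_token("alice", "../outside.txt", exp)

        def served(user, name, tok, now):
            return resolve_download(root, user, name, exp, tok, now=now) is not None

        return {
            "valid": served("alice", "paper.pdf", good, 1_000),
            "other_user": served("bob", "paper.pdf", good, 1_000),
            "other_file": served("alice", "notes.pdf", good, 1_000),
            "expired": served("alice", "paper.pdf", good, 3_000),
            "outside_root": served("alice", "../outside.txt", bad_path, 1_000),
        }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:12s} -> {'served' if ok else 'refused'}")
```

Only the first case is served: a token is bound to one user, one file and one expiry, and a filename that resolves outside the protected directory is refused even when its token verifies.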

    #161443
    Anonymous
    Inactive

    It will only prevent the server from displaying a list of the files to the visitor.

    And that’s EXACTLY what I’ve been saying I am wanting to do from post #1.

    …but neither does it prevent them from doing so. In fact, it makes it substantially easier. Prevention is up to your bank’s policy and practice.

    Plus it’s largely up to security software which prevents direct access to accounts by anyone and everyone, much like I’m trying to get done with .htaccess.

    AGAIN, I don’t want to lock files and folders; I simply want to prevent users from directly accessing folders by typing in the folder url, i.e. mydomain.com/images/. I want the web page to display images; I don’t want people to view ALL the files directly. I don’t know how much clearer I can put it. I also want custom 401, 403, and 404 error pages to display.

    The last .htaccess I had is below. It’s been altered several times and what is valid and what isn’t I’m not sure at this point. The only thing that seems to work is the disable directory browsing which is one thing I wanted as stated many times before. The prevent viewing of .htaccess file might also be working as typing it in displays a message that I do not have permission to view the file. None of the error documents function/work/operate.

    #Rewrite to www
    Options +FollowSymLinks
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^mydomain.com[nc]
    RewriteRule ^(.*)$ http://www.mydomain.com/$1 [r=301,nc]
    
    #Stop hotlinking
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?/.*$ [NC]
    RewriteRule \.()$ [R=302,L]
    
    ErrorDocument 400 /400.php
    
    ErrorDocument 401 /401.php
    
    ErrorDocument 403 /403.php
    
    ErrorDocument 404 /404.php
    
    ErrorDocument 500 /500.php
    
    #Prevent viewing of .htaccess file
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    
    #Disable directory browsing
    Options All -Indexes
    