I’m Dudley Storey, the author of Pro CSS3 Animation. This is my blog, where I talk about web design and development with , and . To receive more information, including news, updates, and tips, you should follow me on Twitter or add me on Google+.

web developer guide

my books

Book cover of Pro CSS3 AnimationPro CSS3 Animation, Apress, 2013

my other blogs

Massive Head Canon: Intelligent discussion of movies, books, games, and technology.

my projects

A Sass color keyword system for designers. Replaces CSS defaults with improved hues and more memorable, relevant color names.

CSSslidy: an auto-generated #RWD image slider. 3.8K of JS, no JQuery. Drop in images, add a line of CSS. Done.

tipster.ioAutomatically provides local tipping customs and percentages for services anywhere.

Hand Stop Sign

Basic Site Security: Protect Your Files With .htaccess

php / introduction

Estimated reading time: 2 minutes, 30 seconds

Server-side includes - snippets of content that are kept as separate files, allowing their re-use on multiple pages – are particularly useful when developing a site . However, as they typically exist as files in a folder, they can be viewed in a browser, so long as the visitor can guess the right directory path. An example would be trying the following as a URL:

Site assets folder listIf I get the path correct, I can see a list of files in the browser window, and click on a file to see its content.

If the include files only contain static , such as a re-used banners and , this is not a big deal. But it becomes a serious issue if the include file contains , most especially security information, such as a connection script. If a visitor can view a file directly to see username, password and domain information for your database, they can log into your server and get into all kinds of mischief. (Note that packages like DreamWeaver allow this by default).

Obviously you want to retain the ability of your own pages to read these include files; you just want to stop anyone else from getting into the folder. The solution is to create a .htaccess file with a special command line to restrict access. While it is possible to keep a single .htaccess file at the root of your site to control all access and server activity, for small sites I prefer the simplicity of writing an .htaccess file in each folder I wish to control. (Note that the includes folder is one of the few in which this technique should be used. Some clients with antiquated ideas about copyright and DRM might encourage you to apply the technique to the images directory of a site, but attempting to do so will likely impact your search index on Google.)

First, create the file. It has a very particular, and very special, filename: .htaccess (Note the position of the period at the start, and the lack of any suffix). This is a system file: under most conditions, it will be invisible to your operating system. (You may need to set your web development package of choice (DreamWeaver, Coda, etc) to ensue that the file is visible).

Then, write a single line in the file:

deny from all

Finally, upload the .htaccess file to the includes folder on the server.

403 page exampleNow you will find that you cannot list the include folder content from the browser, even if you know the right path.

If you want a more elegant response than the default browser error, you can create a 403 page to display, very similar to the 404 (page not found) error page we have discussed earlier. The line added to the root .htaccess file will also be very similar:

ErrorDocument 403 notallowed.html
comments powered by Disqus

This site helps millions of visitors while remaining ad-free. For less than the price of a cup of coffee, you can help pay for bandwidth and server costs while encouraging further articles.