| .htaccess | |
|---|---|
| Topic Started: Dec 24 2008, 08:32 AM (208 Views) | |
| bustya | Dec 24 2008, 08:32 AM Post #1 |
|
Here's a few htaccess tricks (for Linux servers only). Simply create a text file and name it ".htaccess". You can use just one in your root or drop a specialized .htaccess in a given directory to control how that directory is served...

Disable index browsing:
This gives a user a "forbidden" message instead of displaying the files in a directory that lacks an index page...

Deny directory access + prevent script execution from within the directory
I use this in my user-submitted image directory. The only way to access the images in this folder is with my image serving (PHP) script. Only the server has permission to access these (image) files. Also, in the event a user somehow bypasses my error checking and uploads a script (via my file upload), it'll be absolutely useless since script execution is disabled within the directory. This is VERY important for secure file uploading.

Includes directory
This is very important. You don't want anyone (except the server) to have access to your included files directory. So disable access to it like this:

Remove SessionIDs from URLs
If you're stepping up to XHTML 1.0 Strict, you'll find that in order to remain valid you'll have to add:

...to your forms to prevent the user's browser from adding it outside of its nested element. Well, this will cause (usually on the first page load) the sessionid to appear in your URLs, which is very ugly and a potential security risk (although visitor sessionids are renewed after the user logs in... so, it's not that much of a threat). Anyway, you can prevent this with a few .htaccess techniques. There's 3 different approaches to this. Depending on your server's configuration one might work and the other two might not. This is what worked for me: This should go in your root directory's htaccess...

Try it out, if it doesn't work, Google "prevent sessionid in urls" and try the other techniques.

Mod-rewrite
You can rewrite urls like this:
This url:

Will become this url:

With this added to your .htaccess:

There are several other tricks you can pull with .htaccess but these are the ones I've found most useful.

Edited by bustya, Dec 24 2008, 09:18 AM.
|
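One way to lock down a user-upload directory along the lines the post describes (no direct access, no script execution), as an added example that is not part of the original post. The extension list, the Apache 2.2/2.4 split and the mod_php module names checked are assumptions about the server.

```apache
# .htaccess for a user-upload directory (constructed example, not the poster's file).
# Assumes the server's AllowOverride permits Options, FileInfo and access-control
# directives for this directory; otherwise Apache answers with a 500 error.

# No directory listings, no CGI execution, no server-side includes.
Options -Indexes -ExecCGI -Includes

# Hand every file to the static-file handler, whatever its extension.
SetHandler default-handler

# Drop handler and MIME-type mappings tied to common script extensions
# (assumed list; extend it to match the handlers configured on the server).
RemoveHandler .php .phtml .php3 .php4 .php5 .phar .pl .py .cgi .sh
RemoveType .php .phtml .php3 .php4 .php5 .phar

# Switch the PHP engine off where mod_php is loaded (module name varies by version).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Refuse every HTTP request for this directory. The image-serving script reads
# the files from disk, so it is unaffected by this rule.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

The deny rule and the handler rules are independent layers: if one is later relaxed (for example to serve images directly), the other still keeps an uploaded script from running. Where PHP is attached through a `<FilesMatch>` section in the main server configuration, that section is merged after `.htaccess`, so the handler lines here may not take effect and the deny rule is the one to rely on.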