  1. #1
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Securing my site...

    Ok, I've read the security info in the docs folder, but I have a couple of questions regarding the best security practices.

    1 - When creating the default .htaccess file (that blocks direct access to .txt and .php files) is there a reason we do not simply block direct access to *.* (all files)?

    2 - How can I prevent people from stealing my images from my images folder? Use a similar .htaccess method - like the above?

    3 - I understand the use of "blank" .html files in certain folders. Would setting up a redirect (to my homepage) in these files be silly (security-wise)?

    Anyone able to help with this?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Securing my site...

    1. You still need to be able to access the .css and .jpg/.gif etc files

    2. You can use a .htaccess method, but it can't be simply a *.xxx sort of mask. You need to check where they're coming from. There are published .htaccess methods to prevent image theft. I haven't seen one that works 100% reliably. If not done properly, even your customers will not be able to see your images.

    3. Yes, you can do that if you like. It might be more advised to use an index.php that has a header() redirect that sends a 404-not-found or a 301-moved header so that folks don't keep attempting access to it.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
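    An added example, not code from the thread, of the referer-checking .htaccess method mentioned in point 2 above. It is written so that requests with no Referer header still pass, since many browsers, privacy extensions and proxies strip that header and blocking them is what locks out real customers. It assumes the file is placed in the images folder, that mod_rewrite is enabled, and that the shop's host name is example.com (a placeholder).

```apache
# Added example (not from the thread): referer-based hotlink protection
# for the images folder. Assumes mod_rewrite and host name example.com
# (placeholder) for this shop.
RewriteEngine On

# Requests that carry NO Referer are let through: browsers, privacy
# extensions and proxies routinely strip it, and rejecting these is the
# usual reason hotlink rules break image display for real customers.
RewriteCond %{HTTP_REFERER} !^$

# Requests whose Referer is our own site (http or https, with or
# without www) are let through as well.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

# Anything else is an external embed: answer 403 Forbidden instead of
# serving the image. Only image extensions are affected.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC,L]
```

    Because the Referer header is sent by the client and can be absent or altered, this stops casual embedding from other sites but is not a guarantee, which matches the "not 100% reliable" point above; check your own pages and a direct image URL from a fresh browser session after enabling it.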

  3. #3
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Re: Securing my site...

    Thanks for the info.

    Do you think you could explain how to create the index.php with the header a little more? I'm sure I can implement this fairly easily... with a little help from the doc!

    Thanks. :)

  4. #4
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Securing my site...

    PHP Code:
    <?php
    // Release the session before redirecting so the session file is not held open.
    session_write_close();

    // Send a 404 status for the direct request to this placeholder file.
    header("HTTP/1.1 404 Page Not Found");

    // Send the visitor back to the site's home page. Note: when PHP emits a
    // Location header it replaces the status with 302 unless a 3xx (or 201)
    // status was already set, so the browser sees a redirect rather than the 404.
    header('Location: ' . 'http://' . $_SERVER['HTTP_HOST']);
    exit();
    ?>

  5. #5
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Re: Securing my site...

    Thanks for this.

    I tried replacing all index.html files with the php code below and something strange happened... When accessing my site root the php code was being called, which meant that I couldn't progress through the site.

    Do you know any reason why this is happening?

  6. #6
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Securing my site...

    If you had an index.html in the root of your site, you should not have touched it, as it is called before anything else is.

  7. #7
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Re: Securing my site...

    I don't recall touching this file. However, I did rush this so I better try it again.

    Will post 2nd results soon.

  8. #8
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Re: Securing my site...

    Ok, I found the problem.

    When adding the index.php file to the following dirs my site would forward to the root of my web server.

    admin\includes\extra_configures

    and

    includes\functions\extra_functions

    So I didn't put the files there!

    I really like the way these files work; however, since they are PHP, access is not granted to them (due to some .htaccess files). I would like to keep the .htaccess files there (for obvious security reasons), but is there a way I can bypass the restriction on .php files for index.php only?
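    An added example, not from the thread and not Zen Cart's shipped .htaccess, of how a per-directory .htaccess can keep .php and .txt files blocked while exempting index.php alone, which is what the question above asks for. Apache 2.4 authorization syntax is assumed.

```apache
# Added example (not from the thread, not Zen Cart's own file): block direct
# requests for .php and .txt in this directory, but allow index.php only.
# Assumes Apache 2.4 (Require directives) and that this file sits in the
# directory whose placeholder index.php should stay reachable.

# First deny every file with one of these extensions...
<FilesMatch "\.(php|txt)$">
    Require all denied
</FilesMatch>

# ...then re-open just the one file name. <Files> and <FilesMatch>
# sections are merged in the order they appear, and a later section's
# Require directives replace the earlier ones for the files it matches,
# so index.php ends up allowed while every other .php stays denied.
<Files "index.php">
    Require all granted
</Files>
```

    Confirm the result by requesting index.php and one other .php file in the directory directly: the first should redirect as intended, the second should still return 403. The two directories where the thread found the redirect firing on normal page loads should still not get an index.php, since that symptom indicates the file was being executed by the shop itself rather than only when requested directly.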

  9. #9
    Join Date
    Jan 2004
    Posts
    66,443
    Plugin Contributions
    279

    Re: Securing my site...

  10. #10
    Join Date
    Mar 2006
    Posts
    919
    Plugin Contributions
    2

    Re: Securing my site...

    I was thinking of using a metatag-redirect in the index.html files and probably will do now.

    Thanks for the help. :)
