  1. #1
    Join Date
    Aug 2008
    Posts
    340
    Plugin Contributions
    0

    Using .htaccess files to protect against unwanted snooping

    In the Zen Cart tutorials I read this:


    8. Use .htaccess files to protect against unwanted snooping

    In several folders, there are .htaccess files to prevent users from being able to browse through the files on your site unless they know exact filenames. Some also prevent access to any .PHP scripts, since it's expected that all PHP files in those folders will be accessed by other PHP files, and not by a browser directly. This is good for security. If you delete these files, you run the risk of leaving yourself open to people snooping around.


    There are also some blank index.html files in several folders. These files are there to protect you in case your FTP software won't upload .htaccess files, or your server won't accept them. These only prevent directory browsing, and do not stop execution of .PHP files. It's a good alternative, although using .htaccess files in all of these folders is the better choice, for servers that accept them.


    Suggested content for .htaccess files in folders where there is an index.html file but not yet an .htaccess file would be something like the following (depends on your server configuration):

    #.htaccess to prevent unauthorized directory browsing or access to .php files
    IndexIgnore */*
    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>

    #add the following to protect against people discovering what version your spiders.txt file is
    <Files *.txt>
    Order Deny,Allow
    Deny from all
    </Files>


    What does Zen Cart mean by that?

  2. #2
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Re: Using .htaccess files to protect against unwanted snooping

    I have an additional question in regard to this, if someone could help me out?

    Following the above instructions, I have added:

    #add the following to protect against people discovering what version your spiders.txt file is
    <Files *.txt>
    Order Deny,Allow
    Deny from all
    </Files>

    into my /includes/.htaccess file.

    Might be a silly question this, to someone who understands .htaccess, but if this is preventing browsers from accessing spiders.txt, won't it also stop the spiders from accessing spiders.txt too?

    Cheers,
    C.

  3. #3
    Join Date
    Nov 2007
    Location
    Woodbine, Georgia, United States
    Posts
    4,246
    Plugin Contributions
    58

    Re: Using .htaccess files to protect against unwanted snooping

    If you do this

    <Files *.txt>
    Order Deny,Allow
    Deny from all
    </Files>

    then the search engines (ALL) cannot request your robots.txt.

    ~Melanie
    PRO-Webs, Inc. since 2003 :: Zen Cart Hosting :: Zen Cart SEO – 12 Steps to Success
    **I answer questions in the forum, private messages are not conducive to a helpful community.

  4. #4
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Re: Using .htaccess files to protect against unwanted snooping

    Quote: Originally Posted by mprough
    If you do this

    then the search engines (ALL) cannot request your robots.txt.

    ~Melanie
    Melanie, thanks for confirming my suspicions. So are you saying that the above advice is wrong and that I should undo what it suggests?

    And if the advice is wrong, then how do I 'protect against people discovering what version your spiders.txt file is'? And why do I even care if people can discover what version my spiders.txt file is?

  5. #5
    Join Date
    Nov 2007
    Location
    Woodbine, Georgia, United States
    Posts
    4,246
    Plugin Contributions
    58

    Re: Using .htaccess files to protect against unwanted snooping

    Suggest you simply remove default text files and chmod 444 the ones you require.

    ~Melanie
    PRO-Webs, Inc. since 2003 :: Zen Cart Hosting :: Zen Cart SEO – 12 Steps to Success
    **I answer questions in the forum, private messages are not conducive to a helpful community.

  6. #6
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Re: Using .htaccess files to protect against unwanted snooping

    Quote: Originally Posted by mprough
    Suggest you simply remove default text files and chmod 444 the ones you require.

    ~Melanie
    Not quite sure what you're telling me there Melanie.

    All I'm really concerned about are the security implications. The instructions in the first post of this thread (copied from the security thread) tell me to protect my spiders.txt file.

    I don't care much about other .txt files (unless I also read somewhere they could pose a security breach opportunity).

    My question though is whether the proposed changes to .htaccess also prevent the spiders themselves from reading the spiders.txt file? (which the setting 'deny all' suggests)

    Sorry for any confusion, and my long-winded responses, but the original security fix doesn't even say what security is breached by people knowing my spiders.txt file version. It just seems common sense (I'm new to .htaccess) that 'deny all' should also block spiders, which I presumably don't want to do.

    Thanks,
    Celtic.

  7. #7
    Join Date
    Nov 2007
    Location
    Woodbine, Georgia, United States
    Posts
    4,246
    Plugin Contributions
    58

    Re: Using .htaccess files to protect against unwanted snooping

    Quote: Originally Posted by Celtic
    My question though is whether the proposed changes to .htaccess also prevent the spiders themselves from reading the spiders.txt file? (which the setting 'deny all' suggests)
    Your spiders.txt is not requested by anyone except your Zen Cart.

    ~Melanie
    PRO-Webs, Inc. since 2003 :: Zen Cart Hosting :: Zen Cart SEO – 12 Steps to Success
    **I answer questions in the forum, private messages are not conducive to a helpful community.

  8. #8
    Join Date
    Feb 2010
    Posts
    154
    Plugin Contributions
    0

    Re: Using .htaccess files to protect against unwanted snooping

    Quote: Originally Posted by mprough
    Your spiders.txt is not requested by anyone except your Zen Cart.

    ~Melanie
    Aha! Thanks Melanie, exactly what I needed to know.

    Much appreciated.
    Celtic
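
Added example, not part of any post in this thread: an /includes/.htaccess that applies the tutorial's deny rules in both the Apache 2.2 syntax quoted above and the Apache 2.4 equivalent. It assumes spiders.txt sits under /includes/ (where the rule was added in post #2) and that the server honours .htaccess overrides; the FilesMatch pattern and the IfModule split are choices made for this example.

```apache
# /includes/.htaccess  (added example)
# Scope: directives here apply to /includes/ and its subdirectories only.
# /robots.txt lives in the web root, so nothing in this file touches it.

# Hide directory contents from auto-generated listings (as in the tutorial).
IndexIgnore */*

# Apache 2.4 and later: access control via mod_authz_core.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|txt)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: the same policy in the older Order/Deny syntax.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(php|txt)$">
        Order Deny,Allow
        Deny from all
    </FilesMatch>
</IfModule>

# Placement matters: the same *.txt block in the web-root .htaccess would
# also match /robots.txt and return 403 to every crawler that asks for it.
# If a root-level rule is wanted, name the file instead of using a wildcard:
#
#   <Files "spiders.txt">
#       Require all denied
#   </Files>
```

With this in place, a browser request for /includes/spiders.txt should get a 403 while /robots.txt in the web root stays readable. Zen Cart itself is unaffected, because PHP reads spiders.txt from disk rather than requesting it over HTTP.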
