Hi, Recently I discovered in my website, that there is a severe lack of security on the folders below the root.
This surprised me because my server connects all have Security Restrict applied, and all by Client Pages have Security Provider applied, as per the wappler recommendations. So to find that my web folders are still exposed, is not so good.
This means that files that I upload via my new File Upload page, are completely exposed, which is unacceptable. Note, my website exists on a web host so there is no chance of changing settings on the web server.
I have seen Teodor’s, and others, recommendation to restrict access to the folders by modifying the .htaccess file with the lines…
deny from all
or
RewriteRule ._files. / [NC,F]
or
Order allow,deny
So the questions are…
Do these lines in .htaccess protect the root and all files below the root?
What are the merits of each of those lines?
Do any of them protect against ALL forms of access to the files, not just through a web browser?
How does this technique compare to DigitalOcean’s S3 or AWS’s S3?
I have just read reviews about DO’s S3 and AWS’s S3, DO seems more attractive and easier to understand. But DO glaringly omits any claims about security.
Therefore, is strong security a feature of DO’s S3?
Well that is how your web server is configured. Usually you can enable or disable this behavior (folder browsing) in your hosting control panel.
If not, to disable this just add the following line to your .htaccess located in the site root:
Options -indexes
This will display a forbidden message when someone tries to access your folder.
Not sure why would your hosting allow this by default.
Hi Teodor, thank you again, I will add the line. Modifiying the Apache server settings with your above line in .htaccess will suffice i hope for good security.
On my web host’s cpanel they do have a utility to control privacy (meaning security) but they warn in their documentation that the privacy settings will not apply if the intruder uses FTP, SFTP, WebDisk and so on, only protects against web browser access, so that was disconcerting.
Anyway, once I have applied your line above to .htaccess, how would you rate the security of the site to protect uploaded files, v’s uploading the files to DigitalOcean S3?
Hi Bruce, the solution i provided will fix the following problem you reported:
which means that if anyone navigates to https://yoursite.com/image_uploads no files will be exposed. A forbidden message will be displayed:
That is pretty much a standard warning... nothing to worry about. Of course if anyone knows your ftp details they will have access to the uploaded files. Same as if anyone knows your email login details
Teodore, that is very reassuring. I think I was gradually thinking my way to that conclusion as well.
To give some background, the client whom I am doing this for is a health company. Privacy of patients data is paramount .
I think you are saying that tightening up security on my web host folders by modifying .htaccess is as good as using DigitalOcean S3 for file security. Therefore there is no need to use DigitalOcean.
I was discussing the issues with my client today, and the thought of eventually hiring a security expert was raised, which I would not object to, to check that the web site is secure. I have implemented all the security recommended by Wappler, should be enough?
If the website is not secure for whatever reason the client may wish to migrate to AWS, Google or Azure. If Azure then I would have to swap from MySQL to MSSQL.
But this is the beauty of Wappler. I know that it can handle all of that. What other nocode could manage that, and I scanned a lot of nocodes and tried a few reasonably seriously before choosing Wappler.
The security applied with Wappler - i.e. security provider, login, securing server action is just fine, you can be sure.
The things like this issue with your hosting i.e. folder browsing is not something that Wappler can fix or change. That’s just your hosting configuration. And usually these things are not allowed. Also you may want to disable direct linking to your files - so they can’t be accessed like https://yoursite.com/files/some_file.pdf - it’s been discussed in the community and is also done using the .htaccess
