Protecting of Server Connect folders

Dear Friends,

I would like to ask you how you protect your folders. I'm not talking about security pages, but about protecting folders like

www.domain.com/dmxConnect/api etc etc

I'm new to this, but I noticed that I need to add some protection.

Using .htaccess?
Some suggestions?

First, it depends on what you want to secure.

All Server Connect actions are PHP files that get executed, so nobody will ever see their code, just the results.

This brings us to the second point: what data do you want the public to see?

If you are a public site then it is all fine, you should show all data as you need it on your pages as well.

However, if you have restricted areas on your site, for example behind a security provider login, it is also logical to secure the data feeds (Server Connect API files) that are used.

Happily, that is very easy to do by including a security provider restrict step in them as the first step. So the same login that is used to secure your pages with the security provider is also used for the separate Server Connect API calls.

And everything is perfectly secured :slight_smile:


That’s how to do this: https://github.com/Wappler/docs/wiki/Secure-Data-APIs

Thank you very much for your replies.
I already protect with the security step.

But if I enter this in the browser:

http://domain.com/dmxConnect I get the full list of files in the folder. I would like to avoid that.

This is because I have an application that creates folders for each agent, and agents upload their documents.

Unfortunately, if I enter this in the browser

domain.com/secure_area/file_storage
I get the full list of folders and I can download all the uploaded files.

That's what I would like to protect. And after I saw it, I tried dmxConnect and saw all folders with all files listed.

You can hide the list with a server setting, or you can add an empty blank index.html or index.php page in each folder.

If you are using an Apache server, you can disable indexing with the .htaccess file.
An empty htm file is not really a solution, especially with many dynamic folders :slight_smile:

Ah, you just need to disable directory listing on your web server. Usually this is disabled; I wonder how you enabled it at all, as it is a very bad thing to have on a live web site.

See:

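To find the folders that would still be listed, this added example (not from the thread or from Wappler) walks a document root and reports every directory that has no index file and is not covered by an `Options -Indexes` line in its own or a parent `.htaccess`. The sample tree, the function names, the index file names and the worst-case `server_default=True` are assumptions, and it assumes the server's `AllowOverride` lets `.htaccess` set `Options`.

```python
import os
import re
import tempfile

INDEX_FILES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex names
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.IGNORECASE | re.MULTILINE)

def indexes_setting(htaccess_path):
    """True/False if this .htaccess turns Indexes on/off, None if it has no Options line."""
    with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
        option_lines = OPTIONS_RE.findall(fh.read())
    state = None
    for args in option_lines:
        tokens = [t.lower() for t in args.split()]
        if not any(t[0] in "+-" for t in tokens):
            state = False  # an Options line without +/- replaces inherited options
        for t in tokens:
            if t in ("indexes", "+indexes", "all"):
                state = True
            elif t == "-indexes":
                state = False
    return state

def find_listable_dirs(docroot, server_default=True):
    """Return docroot-relative directories for which Apache would generate a listing."""
    docroot = os.path.abspath(docroot)
    effective, exposed = {}, []
    for path, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic, top-down order so parents are seen first
        inherited = effective.get(os.path.dirname(path), server_default)
        own = indexes_setting(os.path.join(path, ".htaccess")) if ".htaccess" in files else None
        effective[path] = inherited if own is None else own
        if effective[path] and not any(name in files for name in INDEX_FILES):
            exposed.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
    return exposed

def build_sample_tree(root):
    """Constructed sample layout that reuses the folder names from the thread."""
    for rel in ("dmxConnect/api", "secure_area/file_storage/agent_1"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "dmxConnect/api/data.php",
                "secure_area/file_storage/agent_1/upload.pdf"):
        open(os.path.join(root, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print("listable before:", find_listable_dirs(root))
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        print("listable after: ", find_listable_dirs(root))
```

Turning the listing off only hides the file names: an uploaded file is still served to anyone who requests its exact URL unless access to the folder itself is restricted.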

Sorry @updates, if I had understood that your server was showing the directory listing I could have actually helped you, my bad. In South Africa most hosting companies seem to leave this on, and I always start off turning that off in my .htaccess file and setting PHP commands in a .user.ini file too.

Don't be sorry @psweb, I explained myself in a bad way.

You could allow only connections from your originating domain to access the directories using .htaccess:


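```apache
# Access via domain restriction
# Tag the request as "internal" when its Referer or Origin header
# (both sent by the client) matches the domain, case-insensitively
SetEnvIfNoCase Referer EXAMPLE.COM internal
SetEnvIfNoCase Origin EXAMPLE.COM internal

# Apache 2.2-style access control: deny everyone except tagged requests
Order Deny,Allow
Deny from all
Allow from env=internal
```

Drop this into your .htaccess file in the directories as required. Remember to set your domain name, obviously.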

Hope that helps.


A more secure alternative: if the data is high value or confidential in nature, I'd highly recommend encrypting it prior to uploading, then uploading/storing it in a white-list protected user area with strong enforcement. We do this by implementing a self-hosted VPN (OpenVPN) with users granted specific dedicated IP addresses and permissions. Upon access, these IPs/users are then directed to their respective secure area. All other connections from outside these IPs are ignored and a log file is then created. Some clients demand a little more security than others…