
I have a web folder with some PHP files that are hosted on my website (e.g. www.example.com/myfiles/my_file.php) that I access and trade information using ajax for a web app that I have.

How can I secure them against direct access and other invasions, and allow only me to access them via my javascript/PHP (of the web app)?

I don't want the user to need to type some kind of password. This auth has to be silent.

Lioo
    Any app can be bypassed by using a proxy/sniffing network traffic and a bit of programming or a good automation tool. So you cannot rely on security through an app. – wireghoul Jul 25 '16 at 02:44
  • @wireghoul But how can I protect these files, allowing only me to access them? Being that I can pass the credentials automatically without the user noticing? Something about editing the `.htaccess` file? – Lioo Jul 25 '16 at 15:47
  • That would have to be a separate question as it's far removed from your OP. But you cannot completely stop anyone from reverse engineering anything on the client side. – wireghoul Jul 26 '16 at 00:19
  • Storing content outside the webroot only prevents direct access; it could still be accessed via a vulnerability like directory traversal, local file include or insecure direct object reference. But it would require site-specific checks (code audit/pentest) to determine if any such vulnerability exists. – wireghoul Dec 14 '19 at 05:40
  • @wireghoul Another vulnerability is disclosing highly privileged login credentials or SSH keys by falling victim to a phishing attack, or writing the information on post-it notes left near a computer someone can access while you are at lunch. Are these vulnerabilities less relevant than local file include or insecure direct object reference? Traversal is significant when it is possible, but it is not possible in this case. – DanAllen Jun 02 '20 at 15:07

2 Answers


If the secret files and PHP application are on the SAME server:

Put them outside of the "web home".

E.g., normally you have a directory like /public_html/cgi-bin/file.php that maps to http://www.example.org/cgi-bin/file.php

What you then do is put these files above the public_html folder, like /somesecretdb.db

The file /public_html/cgi-bin/file.php can then access somesecretdb.db by just opening ../../somesecretdb.db, but the file won't be accessible from the "outside".


If the secret files and PHP application are on DIFFERENT servers:

Then you can use IP authentication, where you create an access or firewall rule that only allows access to the file from the server hosting your app.

If the file server is intended to be used only by the PHP application server, you can configure the firewall at the file server to only pass requests from the PHP application server to port 80.

If the file server is intended for both public usage (e.g. some files must be directly accessible to users) and private usage, you can instead configure the web server, using .htaccess or a configuration file, to disallow requests for private files unless the source IP is the same as the PHP application server's.

sebastian nielsen
  • So, did you mean that I should create a file in the accessible dir, to access the real files (functionalities) that will be in an inaccessible dir? The app and files are hosted on different servers, so how can I make this authentication? Can you give me an example? – Lioo Jul 25 '16 at 15:40
  • @Lioo As I said, the first part of the answer is if they are hosted on the same server. If they are on different servers, you need to use IP authentication. On the file-hosting server, you just create an access rule saying that only the IP of the app-hosting server may access the files. If the file-hosting server is ONLY intended for app usage and not public usage, you could tell your firewall to only allow port 80 requests from the IP of the app-hosting server. Otherwise you need to use folder-based rules inside the web server configuration to limit which IP can access which files. – sebastian nielsen Jul 26 '16 at 00:16


As per my understanding of your query, you want to block direct HTTP requests for your pages, and allow access only via other PHP pages, on either a local or a remote location.

This can be done via sessions and cookies. The cookies must be changed on a per-response basis by sending new cookies in the response header of each request.

Set a cookie, for example AL = md5(allowed+request-time), on the pages through which you want the target page to be accessible, and map them in session data. Then, on the protected page, check the value of the AL cookie in the request against the session variable on the server. If it matches, allow access, and remove the cookie when serving the target protected pages.
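A concrete form of this cookie-and-session check, added here as an example and not Arjun sharma's code. It assumes a public page app.php and a protected AJAX endpoint my_file.php on the same server, and uses a random token in place of md5(allowed+request-time):

```php
<?php
// Added example (not from the answer above): rotating, session-bound token.
// Assumed layout: the public page (app.php) calls issue_request_token() before
// any output; the protected endpoint (my_file.php) calls require_request_token()
// first. A random token replaces the answer's md5(allowed+request-time).
declare(strict_types=1);
const TOKEN_COOKIE = 'AL';
const TOKEN_TTL    = 300; // seconds an unused token stays valid

function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Mint a token, keep it (plus issue time) server-side in the session, and send
// it to the browser as a cookie that will ride along on the next AJAX call.
function issue_request_token(): string
{
    start_session_once();
    $token = bin2hex(random_bytes(32));
    $_SESSION['al_token']  = $token;
    $_SESSION['al_issued'] = time();
    setcookie(TOKEN_COOKIE, $token, [
        'expires'  => 0,        // session cookie
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // JS never reads it; the browser attaches it
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    return $token;
}

// Gate for the protected endpoint: the cookie must match the session's token
// (constant-time compare) and be unexpired; it is then consumed and replaced.
function require_request_token(): void
{
    start_session_once();
    $presented = $_COOKIE[TOKEN_COOKIE] ?? '';
    $expected  = $_SESSION['al_token'] ?? '';
    $fresh     = isset($_SESSION['al_issued'])
              && (time() - $_SESSION['al_issued']) <= TOKEN_TTL;
    if ($expected === '' || !$fresh || !hash_equals($expected, $presented)) {
        http_response_code(403);
        exit('Forbidden');
    }
    issue_request_token(); // one-time use: rotate for the next call
}
```

Rotating on every response means two AJAX calls in flight at once will collide (the second sees an already-consumed token), so keep the expiry check but drop the rotation if the app issues concurrent requests. As wireghoul's comments note, this only proves the request passed through your page first; anyone who can load that page in a browser still holds a valid token.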

Arjun sharma