General Website Security

4

I pay monthly for a website hosting service that provides me with PHP and FTP support. I can upload my files and create directories and such.

Now, I am wondering... If I upload a folder full of images.. or music.. basically personal stuff to my website and name it 'junk1234' can other people find it?

Or even search engines?

If so, how would I restrict any but those who know the folder name from seeing files in it? Possibly .htaccess files?

I also have cpanel installed.

tcables

Posted 2010-05-10T15:42:31.517

Reputation: 324

Answers

2

If the URL is unique enough it is unlikely that a random person will find it but why not add a username and password for added security?

You could add something like this to your .htaccess file to require authentication by a particular user on the system:

AuthType Basic
AuthName "Authorization Required"
AuthUserFile /var/www/passwords
Require user tom

To create the authentication file /var/www/passwords with user tom in it:

htpasswd -c /var/www/passwords tom

(related link)

Here is a related link that claims that unsecured "secret" directories will most likely remain private as long as no one that knows about them publishes their location.

Trey Hunner

Posted 2010-05-10T15:42:31.517

Reputation: 1 825

1 Just a thought when considering search engines, there are "evil" bots that specifically look inside robots.txt for places that are hidden in this manner. For personal files, it is really best to just not advertise they exist, and change the directory name periodically. – Goyuix – 2010-05-10T16:18:44.120

So a random directory cannot be found without knowing the name?

Like there is no HTML command or server command they can send to list directories? – tcables – 2010-05-10T16:29:03.830

@Tom: Commands like these exist, but none through HTML or HTTP. If anybody gets FTP or SSH access to your server, then they could find the files, but they're fairly secure protocols, so they're only getting passwords if you give them out. – Phoshi – 2010-05-10T16:32:20.217

@Goyuix: You're right. Bots or humans could very easily find the hidden directory by adding them to your robots.txt file. I'll take back that suggestion for security's sake. – Trey Hunner – 2010-05-10T16:40:06.657
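An added example, not part of the original answer or comments: a small audit of a local copy of the web root that reports, per directory, the exposures discussed in this thread (no authentication in force, a listing possible if the server has auto-indexing on, the name published in robots.txt, and a password file stored where the web server could serve it). The function names, finding labels and sample tree are hypothetical; it assumes Apache honours .htaccess files and that AuthUserFile is an absolute path.

```python
import os
import re
import tempfile
from pathlib import Path

INDEX_FILES = {"index.html", "index.htm", "index.php"}

def directives(directory):
    """Parse directory/.htaccess into {lower-cased directive: argument}."""
    found, path = {}, Path(directory, ".htaccess")
    if path.is_file():
        for line in path.read_text().splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(docroot):
    """Return {relative_dir: [findings]} for docroot and every directory below it."""
    docroot = os.path.realpath(docroot)
    robots = Path(docroot, "robots.txt")
    text = robots.read_text() if robots.is_file() else ""
    advertised = set(re.findall(r"(?im)^\s*disallow:\s*/([^/\s]+)", text))
    effective, report = {}, {}
    for cur, _dirs, files in os.walk(docroot):  # top-down: parent rules are known first
        rules = effective[cur] = {**effective.get(os.path.dirname(cur), {}), **directives(cur)}
        rel, findings = os.path.relpath(cur, docroot), []
        if not re.match(r"(?i)(user|group|valid-user)\b", rules.get("require", "")):
            findings.append("no-auth")  # reachable by anyone who learns the URL
        if not INDEX_FILES & set(files) and "-indexes" not in rules.get("options", "").lower():
            findings.append("listable-if-autoindex-on")  # depends on server config
        if rel.split(os.sep)[0] in advertised:
            findings.append("named-in-robots")  # robots.txt publishes the name
        pw = rules.get("authuserfile", "").strip('"')
        if pw and os.path.realpath(pw).startswith(docroot + os.sep):
            findings.append("password-file-in-docroot")  # hash file may be downloadable
        report[rel] = findings
    return report

def sample_tree():  # constructed sample tree, not real data
    root = os.path.realpath(tempfile.mkdtemp())
    for name in ("junk1234", "private"):
        os.mkdir(os.path.join(root, name))
    Path(root, "robots.txt").write_text("User-agent: *\nDisallow: /junk1234/\n")
    rules = f"AuthType Basic\nAuthUserFile {root}/passwords\nRequire user tom\nOptions -Indexes\n"
    Path(root, "private", ".htaccess").write_text(rules)
    return root

if __name__ == "__main__":
    print(audit(sample_tree()))
```

A "listable-if-autoindex-on" finding on the parent directory matters most for a secret folder name, because a generated listing of the parent would show that name to any visitor.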