Larry Ullman's Book Forums

Blank Index.Html File



On page 173, a blank index.html page is suggested to be included in the products folder to prevent the server from providing to a nosy visitor a list of the folder's files. Why is the products folder singled out? Shouldn't we include a similar file in all the folders for full protection?


I believe that, for learning purposes, the other folders that require some form of security are secured via .htaccess. When you have an index.html file inside of a folder that contains just images, it isn't a huge thing because people won't be able to mess with your server if they happen upon some images. However, for sections such as the admin you need more security. I could be totally off base with this though.

 

This isn't to say that you can't put an index.html in the other folders if you would so choose to. It won't hurt anything I don't believe.


Yes Jonathon, it is the only writable folder, but is inclusion of index.html into the other folders good to do, or is it considered belt and braces? Are there technical or programming restrictions or advantages or disadvantages that arise from such inclusion?


I wouldn't say it's a bad idea, but I think Larry's point is that with products being writable, people could be snooping through your files, as if you just went to www.something.com/products/ it would list all the files. I personally remove the indexing ability of folders that I don't want people to be able to look in even if they aren't writable.


Many thanks Larry. Now my understanding of which folders to use a blank index.html and .htaccess in is shaping up better, and I would throw out these questions to dig deeper.

 

1. Instead of a blank index.html in the products folder, can .htaccess alone be included there? If no, why not? If yes, please provide a comparison of when index.html alone is included, .htaccess alone is included, and both are included.

2. If we would include index.html AND .htaccess in all the folders (which I think you said there is no harm in doing), would this have any impact on performance, usability, time, and money? How?

3. Are there any additional resources about the usage of a blank index.html and .htaccess you might suggest which would deepen our understanding of how, when, and where they are used?


Hello Silver. I gather you're just trying to figure out these things and come up with the best, absolute rules possible, but it kind of feels like you're over-thinking this. Answers inline...

 

1. Instead of a blank index.html in the products folder, can .htaccess alone be included there? If no, why not? If yes, please provide a comparison of when index.html alone is included, .htaccess alone is included, and both are included.

 

Yes and no. To use your analogy, we're talking belt and suspenders here. In Web security terms, that's a good thing. A blank index.html has the benefit of always working, even if .htaccess is not allowed or if the .htaccess stops working for whatever reason (such as a Web server configuration problem). .htaccess is a more professional approach, but depends upon .htaccess modifications being allowed and the Web server operating properly. Think of it like having a security system (.htaccess) but still locking your doors.

 

As always with security, you have to make the decision that's best for your situation.

 

2. If we would include index.html AND .htaccess in all the folders (which I think you said there is no harm in doing), would this have any impact on performance, usability, time, and money? How?

 

Yes, there'd be an impact in terms of time and money, in that you'd have to spend the time (and the client, the money) to do both for all the folders. I would expect that would be entirely negligible. .htaccess does hinder the Web server's performance. If you're just looking at performance, it'd be best to never use .htaccess, meaning you either only use httpd.conf or a blank index.html file in this case. There would be no usability impact that I could see.

 

3. Are there any additional resources about the usage of a blank index.html and .htaccess you might suggest which would deepen our understanding of how, when, and where they are used?

 

A blank index.html document will take a couple of kilobytes of storage space, but I would argue that's negligible. .htaccess files do slow down a Web server's performance (because the server has to factor in all the .htaccess rules), but the general consensus is that's a sacrifice worth making.
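
An added example, not part of any post in this thread or of the book's code: a Python audit that walks a web root and labels each folder by which of the two protections compared above it actually has. It assumes Apache, that the .htaccess approach means an `Options -Indexes` line that the server is allowed to honor, and that `index.html` and `index.php` are the configured index names; the sample tree and all function names are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.html", "index.php")  # assumption: the server's DirectoryIndex list
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.IGNORECASE | re.MULTILINE)
LABELS = {(True, True): "both", (True, False): "index-only",
          (False, True): "htaccess-only", (False, False): "exposed"}

def htaccess_indexes(path):
    """Return True/False if this .htaccess switches Indexes on/off, None if it is silent."""
    state = None
    for m in OPTIONS_RE.finditer(Path(path).read_text(errors="replace")):
        tokens = m.group(1).lower().split()
        if "-indexes" in tokens or "+indexes" in tokens:  # relative form
            state = "+indexes" in tokens
        elif not all(t[0] in "+-" for t in tokens):       # absolute form replaces the set
            state = "indexes" in tokens or "all" in tokens
    return state

def audit(root, listing_default=True):
    """Label each directory under root; listing_default is the assumed httpd.conf setting."""
    results, inherited = {}, {}
    for dirpath, _, filenames in os.walk(os.path.abspath(root)):
        state = inherited.get(os.path.dirname(dirpath), listing_default)
        if ".htaccess" in filenames:                      # also applies to subfolders
            own = htaccess_indexes(os.path.join(dirpath, ".htaccess"))
            state = state if own is None else own
        inherited[dirpath] = state
        has_index = any(name in filenames for name in INDEX_NAMES)
        results[os.path.relpath(dirpath, root)] = LABELS[(has_index, not state)]
    return results

def build_sample(root):  # constructed sample tree, not taken from the book
    files = {"index.php": "<?php ?>", "products/index.html": "", "images/logo.png": "x",
             "admin/.htaccess": "Options -Indexes\n", "admin/reports/q1.csv": "x",
             "includes/index.html": "", "includes/.htaccess": "# no listing\nOptions -Indexes\n"}
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return audit(tmp)

if __name__ == "__main__":
    print("\n".join(f"{d:15} {label}" for d, label in sorted(demo().items())))
```

Folders labelled `htaccess-only` lose their protection if overrides are ever disabled, and `index-only` folders protect only themselves, not any subfolder that lacks its own index file.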
