
Re: avoid user direct access *.html

On Tue, Apr 30, 2002 at 02:12:03AM +0800, Patrick Hsieh wrote:
> If I want to prevent users from directly accessing my .html files, say by
> typing the complete URL in the browser, is it possible?
> In PHP, I can check the HTTP_REFERER to make sure connections
> originate from the same website. If the HTTP_REFERER is empty or does not
> belong to the same website, I can redirect the client to another
> webpage. However, when it comes to static .html or even .jpg files, is
> it possible to configure Apache to avoid that situation?


you can't trust user-supplied data such as HTTP_REFERER for anything.

"security" based on HTTP_REFERER is as dumb as "security" based on IP
address.  it doesn't work, and it can't work (sorry, but "sort of works
sometimes in conditions completely outside of my control" does not
qualify as "works").

some browsers don't provide HTTP_REFERER, and some privacy-enhancing
proxies strip it from all requests.  in addition, it is trivially easy
for anyone to forge HTTP_REFERER in any request.

if you don't want static html (or any other file type) to be directly
fetchable by end-users then don't put them under your document root.

alternatively, use a real authentication method to restrict access.


craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
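Added illustration (not from the list post or its author): a side-by-side of the Referer "check" the question proposes and the approach the reply recommends, files kept outside the document root and handed out only to an authenticated session. The site name, user store and file contents are constructed for the example.

```python
"""Added example: Referer-based gating versus files outside DocumentRoot plus real auth."""
import os
import secrets
import tempfile

SITE = "http://www.example.com/"   # assumed site name for the example


def referer_allows(headers):
    """The HTTP_REFERER approach from the question: a plain string test on a
    header the client chooses to send (or not send at all)."""
    return headers.get("Referer", "").startswith(SITE)


# --- the reply's approach: keep files outside DocumentRoot, require authentication ---

# Stand-in for a directory that is NOT under the web server's document root.
PRIVATE_DIR = os.path.realpath(tempfile.mkdtemp())
with open(os.path.join(PRIVATE_DIR, "secret.html"), "wb") as _fh:
    _fh.write(b"<h1>members only</h1>")          # constructed sample file

USERS = {"alice": "correct horse"}   # toy credential store, constructed for the demo
SESSIONS = {}                        # session token -> username


def login(username, password):
    """Return a session token on valid credentials, else None."""
    expected = USERS.get(username)
    if expected is None or not secrets.compare_digest(expected, password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def serve_protected(filename, token):
    """Return the file's bytes for an authenticated session, else None.
    The path is resolved and confined to PRIVATE_DIR so a request cannot
    escape the private directory."""
    if token not in SESSIONS:
        return None
    full = os.path.realpath(os.path.join(PRIVATE_DIR, filename))
    if os.path.commonpath([full, PRIVATE_DIR]) != PRIVATE_DIR:
        return None
    if not os.path.isfile(full):
        return None
    with open(full, "rb") as fh:
        return fh.read()
```

The Referer test shows the two failure modes the reply names: a user behind a stripping proxy sends no header and is wrongly refused, while any request that simply carries the expected string is accepted, because the server has nothing but the client's word to go on.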
