• 0

Prevent access to files using .htaccess


Question

Hi everyone,

I'm trying to use the .htaccess file to prevent type-in access to .js (javascript) files which are located in a /scripts folder

with:

<Files ~ "\.js$">
Order Deny,Allow
Deny from all
</Files>

I can block type-in access, but the pages cannot use the scripts. I add "Allow from 127.0.0.1" but no results.

I also tried:

Options +FollowSymlinks
RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://mydomain.* [NC]
RewriteRule .*\.(js)$ http://mydomain.com [R,L]

In this case, the scripts are functional, but the first time I type the location of .js file, I can get it open. Only when I refresh the page that I get redirected. I really can't understand why this happens...

I find this really useful to block hotlinks, but it's not always bloking type-in requests.

By the way, I have no access to apache configuration.

Any help would be appreciated.

Thanks

7 answers to this question

Recommended Posts

  • 0

The refer is the page/site that you came from to load the current page. When typing in the url, the refer i expect is going to be blank, however upon a refresh it seems that it is changed to the "previous" page displayed!

What your trying to do, afaik, isn't possible; however you go about trying to block access to the js files, they need to be sent to the browser, somehow, so it can use them, there's just no getting around it, however you do that, the code is going to have to be available to the browser for it to run it, and in doing so it automatically becomes accessible to the user too!

Think about it:

1) You could stick the js files in a dir outside of the web root, so they are inaccessible publicly, and then use a rewrite or php file to get to them, but that makes absolutely no difference...

2) You could encrypt them, and have a piece of unencrypted js that decrypts them and allows them to run; the average person couldn't see the code, but anyone with js skills could easily obtain a decrypted copy...

They have to be public one way or another, all you can do is make things a little more difficult, I'd just give up if I were you, it's not worth the effort ;)

  • 0

I utilize WHMCS which utilizes .TPL files.. The unfortunate part was that a user could access the filename.tpl file by typing it directly in (assuming they know the exact filename, which if you use the script, you know it..) Because of this when I was selling premium templates, some users were stealing it by simply manually going to all 40+ TPL files and seeing the hardcoded source..

To prevent them from access the TPLs BUT still allow them to be read by the server, I used the following:

 <Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

That sample tosses a 403 Forbidden when you access the file in any browser BUT the server can still access it. For example:

http://demo.mywhmcs.com/templates/portal/ -- This is a direct link to a template I'm not utilizing nor do I have it protected as it's a default template. Notice how you can see all TPL files (and others)

http://demo.mywhmcs.com/templates/macish -- This has an .htaccess file tossed into it preventing TPL files from being shown. Notice when you view http://demo.mywhmcs.com, you're able to view the site with NO issues despite the fact that everything is powered from TPL files.

BTW, ignore the **** design on there ;).

The reason why your snippet is not working is because the ORDER of the 1st line is crucial. You can read about it on apache.org. :)

Edit: Bah, I see it's for .js though--That's not possible, sorry! Same with not being able to do it with CSS, etc.

  • 0

As far as I know, if it needs to be downloaded to the client, you can't restrict direct access since that's how the browser will obtain it too, as theblazingangel said.

There are a couple of ways you could go about making it hard though:

  1. Try Google's "Closure" compiler which will optimize, and then obfuscate (as a result of optimization), your JavaScript and make it hard for humans to read. This is the easiest and probably the optimal solution.
  2. Try loading your scripts through a PHP file that detects whether or not the request was automated by the browser loading the script, or manual by a human trying to view it. I still don't know if its possible like this, but its perhaps worth looking into if you're THAT concerned.

  • 0

The key here is understanding the difference between server side and client side code. Server side code can - and should - be 100% hidden from the user. This includes PHP, .NET, and all that kind of stuff.

JavaScript, on the other hand, is like HTML and CSS. It needs to be read by the browser - and if the browser needs to read it, humans who are interested in reading it will be able to. There isn't a way to block access to JS files, because if humans can't access it, browsers won't either ;)

  • 0

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

  • 0
  On 30/05/2010 at 04:05, andressito said:

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

the referrer header tells you the page the user came from. in other words, the page they were previously on, not the current one.

it is extremely unreliable since it is easily spoofed (just like all browser headers), and very often is simply empty because a) the user didn't visit anything before your page; or b) more likely, their browser/security software is configured not to send any referrers, for privacy/security reasons.

for future reference, if you're writing anything that does anything at all, never rely on anything the user sends to you.

you can prevent type-in access to the files, but it's pointless since you will eventually be sending the whole content to the user anyways. say, for example, you put all your files in a directory that's forbidden to the public, and have a php script which reads the files and serves it back if a certain variable exists, and you set the variable in the index file. this way you've effectively prevented type-in access in the strict sense, but the php script is still giving the user an exact copy of the file. this is useful in some circumstances, but not very many, and it certainly won't protect the contents of your files. anything that you have to send to the user, can't be protected.

  On 31/05/2010 at 21:38, andressito said:

I can protect a folder or have a login check to a page, but I can't protect .js or image files from direct download, just hotlinks?

hotlink "protection" also relies on referrer headers, it's much more trouble than it's worth.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Is this for Black people only? You'd definitely think so from the ad.
    • I have it as an icon in the Start Menu. Close enough for when I need it.
    • Windows 11 Pro with a copy of Office 2021 Pro drops to all-time low price by Steven Parker Today's highlighted deal comes via our Apps + Software section of the Neowin Deals store, where you can save 86% on Windows 11 Pro (for 2 devices) + Microsoft Office Pro 2021. Upgrade your computing experience with Windows 11 Pro. This cutting-edge operating system boasts a sleek new design and advanced tools to help you work faster and smarter. From creative projects to gaming and beyond, Windows 11 delivers the power and flexibility you need to achieve your goals. With a focus on productivity, the new features are easy to learn and use, enhancing your workflow and efficiency. Whether you're a student, professional, gamer, or creative, Windows 11 Home has everything you need to take your productivity to the next level. New interface. easier on the eyes & easier to use Biometrics login*.Encrypted authentication & advanced antivirus defenses DirectX 12 Ultimate. Play the latest games with graphics that rival reality. DirectX 12 Ultimate comes ready to maximize your hardware* Screen space. Snap layouts, desktops & seamless redocking Widgets. Stay up-to-date with the content you love & the new you care about Microsoft Teams. Stay in touch with friends and family with Microsoft Teams, which can be seamlessly integrated into your taskbar** Wake & lock. Automatically wake up when you approach and lock when you leave Smart App Control. Provides a layer of security by only permitting apps with good reputations to be installed Windows Studio Effects. Designed with Background Blur, Eye Contact, Voice Focus, & Automatic Framing Touchscreen. For a true mouse-less or keyboard-less experience TPM 2.0. Helps prevent unwanted tampering Windows 11 Pro also includes a number of productivity-focused features, such as the ability to snap multiple windows together and create custom layouts, improved voice typing, and a new, more powerful search experience. Personal and professional users will enjoy a modern and secure computing experience, with improved performance and productivity features to help users get more done. Only on Windows 11 Pro If you require enterprise-oriented features for your daily professional tasks, then Windows 11 Pro is a better option. Set up with a local account (only when set up for work or school) Join Active Directory/Azure AD Hyper-V Windows Sandbox Microsoft Remote Desktop BitLocker device encryption Windows Information Protection Mobile device management (MDM) Group Policy Enterprise State Roaming with Azure Assigned Access Dynamic Provisioning Windows Update for Business Kiosk mode Maximum RAM: 2TB Maximum no. of CPUs: 2 Maximum no. of CPU cores: 128 Good to know: Length of access: lifetime Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Max number of device(s): 2 (Use one activation key for up to 2 devices) Version: Windows 11 Pro Updates included Click here to verify Microsoft partnership For Windows 10 or Newer! Get All Essential Microsoft Apps for Your PC with This One-Time Purchase This is intended for families and small businesses who want classic Office apps and email. It includes Word, Excel, PowerPoint, Outlook, Teams, and OneNote. A one-time purchase installed on 1 Windows PC for use at home or work. Lifetime license for MS Word, Excel, PowerPoint, Outlook, Teams, & OneNote One-time purchase installed on 1 Windows PC for use at home or work Instant Delivery & Download – access your software license keys and download links instantly Free customer service – only the best support! Microsoft Office Professional 2021 (for Windows) includes: Microsoft Office Word Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office Outlook Microsoft Office Teams Microsoft Office OneNote Microsoft Office Publisher Microsoft Office Access Good to know: ONE-TIME PURCHASE INSTALLED ON 1 DEVICE Redemption deadline: redeem your code within 30 days of purchase Access options: desktop Full versions No subscriptions – no monthly/annual fees Version: 2021 Updates included Here's the deal: This Microsoft Office Pro 2021 + Windows 11 Pro normally costs $438, but this deal can be yours from just $54.97, that's a saving of $383. For full terms, specifications, and license info please click the link below. Use MSO5 when checking out for additional $5 off. Coupon Expires June 29. Get Microsoft Office Pro 2021 + Windows 11 Pro for just $49.97, or learn more Although priced in U.S. dollars, this deal is available for digital purchase worldwide. We post these because we earn commission on each sale so as not to rely solely on advertising, which many of our readers block. It all helps toward paying staff reporters, servers and hosting costs. Other ways to support Neowin Whitelist Neowin by not blocking our ads Create a free member account to see fewer ads Make a donation to support our day to day running costs Subscribe to Neowin - for $14 a year, or $28 a year for an ad-free experience Disclosure: Neowin benefits from revenue of each sale made through our branded deals site powered by StackCommerce.
    • I'm not a fan of the HP "Smart" app either, but it does work. I just wish I didn't have to log in to use it. HP Color LaserJet Pro MFP 4301
    • FocusOn Image Viewer 1.32 by Razvan Serea FocusOn Image Viewer is a fast, lightweight, and user-friendly photo viewer for Windows. It supports various image formats, offers basic editing tools, EXIF data display, and batch renaming. With a clean interface, slideshow mode, and easy navigation, it’s ideal for quickly viewing and organizing photos without unnecessary complexity or system resource usage. FocusOn Image Viewer key features: Auto Organize: Automatically sorts photos by date using your chosen template. Explorer View: Browse and manage images with thumbnails; includes basic edits like resize and rotate. Photo Editing: Crop, apply filters, correct colors, add borders or text. Non-Destructive Edits: Original images remain untouched. Photo Sharing: Post directly to blogs, Twitter, and Facebook. Email Support: Send selected images via email. Print Options: Print to fit paper size, preserve aspect ratio, or fit multiple images per page. Slideshow: View selected photos in a slideshow. EXIF Tools: View or remove EXIF data. Scanning: Import from TWAIN or WIA-compatible scanners. Set as Background: Quickly set any image as desktop wallpaper. Batch Rename: Rename images in bulk using templates. Resize Images: Resize with optimized or custom resampling methods, including multi-step resizing. Thumbnail Sizes: Choose from thumbnail sizes between 32–256 pixels. Format Support: Compatible with over 100 image formats. FocusOn Image Viewer 1.32 changelog: Added Ghostscript(AI, PDF) DPI option Fixed transparency issue when saving PDF document as image Other improvements and bug fixes Download: FocusOn Image Viewer 64-bit | Portable 64-bit | ~7.0 MB (Freeware) Download: FocusOn Image Viewer 32-bit | Portable 32-bit View: FocusOn Image Viewer Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
  • Recent Achievements

    • First Post
      Johnny Mrkvička earned a badge
      First Post
    • Week One Done
      viraltui earned a badge
      Week One Done
    • One Month Later
      serfegyed earned a badge
      One Month Later
    • Dedicated
      firey earned a badge
      Dedicated
    • Dedicated
      fettermanj earned a badge
      Dedicated
  • Popular Contributors

    1. 1
      +primortal
      655
    2. 2
      ATLien_0
      224
    3. 3
      Michael Scrip
      224
    4. 4
      Xenon
      147
    5. 5
      +FloatingFatMan
      144
  • Tell a friend

    Love Neowin? Tell a friend!