• 0

Prevent access to files using .htaccess

Asked by andressito,

 Share

Question

Explorer

andressito

Posted
Posted

Hi everyone,

I'm trying to use the .htaccess file to prevent type-in access to .js (javascript) files which are located in a /scripts folder

with:

<Files ~ "\.js$">
Order Deny,Allow
Deny from all
</Files>

I can block type-in access, but the pages cannot use the scripts. I add "Allow from 127.0.0.1" but no results.

I also tried:

Options +FollowSymlinks
RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://mydomain.* [NC]
RewriteRule .*\.(js)$ http://mydomain.com [R,L]

In this case, the scripts are functional, but the first time I type the location of .js file, I can get it open. Only when I refresh the page that I get redirected. I really can't understand why this happens...

I find this really useful to block hotlinks, but it's not always bloking type-in requests.

By the way, I have no access to apache configuration.

Any help would be appreciated.

Thanks

7 answers to this question

Recommended Posts

  • 0
Grand Master

+theblazingangel MVC

Posted
  • MVC
Posted

The refer is the page/site that you came from to load the current page. When typing in the url, the refer i expect is going to be blank, however upon a refresh it seems that it is changed to the "previous" page displayed!

What your trying to do, afaik, isn't possible; however you go about trying to block access to the js files, they need to be sent to the browser, somehow, so it can use them, there's just no getting around it, however you do that, the code is going to have to be available to the browser for it to run it, and in doing so it automatically becomes accessible to the user too!

Think about it:

1) You could stick the js files in a dir outside of the web root, so they are inaccessible publicly, and then use a rewrite or php file to get to them, but that makes absolutely no difference...

2) You could encrypt them, and have a piece of unencrypted js that decrypts them and allows them to run; the average person couldn't see the code, but anyone with js skills could easily obtain a decrypted copy...

They have to be public one way or another, all you can do is make things a little more difficult, I'd just give up if I were you, it's not worth the effort ;)

  • 0
Grand Master

Cupcakes

Posted
Posted

I utilize WHMCS which utilizes .TPL files.. The unfortunate part was that a user could access the filename.tpl file by typing it directly in (assuming they know the exact filename, which if you use the script, you know it..) Because of this when I was selling premium templates, some users were stealing it by simply manually going to all 40+ TPL files and seeing the hardcoded source..

To prevent them from access the TPLs BUT still allow them to be read by the server, I used the following:

 <Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

That sample tosses a 403 Forbidden when you access the file in any browser BUT the server can still access it. For example:

http://demo.mywhmcs.com/templates/portal/ -- This is a direct link to a template I'm not utilizing nor do I have it protected as it's a default template. Notice how you can see all TPL files (and others)

http://demo.mywhmcs.com/templates/macish -- This has an .htaccess file tossed into it preventing TPL files from being shown. Notice when you view http://demo.mywhmcs.com, you're able to view the site with NO issues despite the fact that everything is powered from TPL files.

BTW, ignore the **** design on there ;).

The reason why your snippet is not working is because the ORDER of the 1st line is crucial. You can read about it on apache.org. :)

Edit: Bah, I see it's for .js though--That's not possible, sorry! Same with not being able to do it with CSS, etc.

  • 0
Grand Master

+Majesticmerc MVC

Posted
  • MVC
Posted

As far as I know, if it needs to be downloaded to the client, you can't restrict direct access since that's how the browser will obtain it too, as theblazingangel said.

There are a couple of ways you could go about making it hard though:

  1. Try Google's "Closure" compiler which will optimize, and then obfuscate (as a result of optimization), your JavaScript and make it hard for humans to read. This is the easiest and probably the optimal solution.
  2. Try loading your scripts through a PHP file that detects whether or not the request was automated by the browser loading the script, or manual by a human trying to view it. I still don't know if its possible like this, but its perhaps worth looking into if you're THAT concerned.

  • 0
Grand Master

Simon Veteran

Posted
  • Veteran
Posted

The key here is understanding the difference between server side and client side code. Server side code can - and should - be 100% hidden from the user. This includes PHP, .NET, and all that kind of stuff.

JavaScript, on the other hand, is like HTML and CSS. It needs to be read by the browser - and if the browser needs to read it, humans who are interested in reading it will be able to. There isn't a way to block access to JS files, because if humans can't access it, browsers won't either ;)

  • 0
Explorer

andressito

Posted
  • Author
Posted

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

  • 0
Grand Master

primexx

Posted
Posted

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

the referrer header tells you the page the user came from. in other words, the page they were previously on, not the current one.

it is extremely unreliable since it is easily spoofed (just like all browser headers), and very often is simply empty because a) the user didn't visit anything before your page; or b) more likely, their browser/security software is configured not to send any referrers, for privacy/security reasons.

for future reference, if you're writing anything that does anything at all, never rely on anything the user sends to you.

you can prevent type-in access to the files, but it's pointless since you will eventually be sending the whole content to the user anyways. say, for example, you put all your files in a directory that's forbidden to the public, and have a php script which reads the files and serves it back if a certain variable exists, and you set the variable in the index file. this way you've effectively prevented type-in access in the strict sense, but the php script is still giving the user an exact copy of the file. this is useful in some circumstances, but not very many, and it certainly won't protect the contents of your files. anything that you have to send to the user, can't be protected.

I can protect a folder or have a login check to a page, but I can't protect .js or image files from direct download, just hotlinks?

hotlink "protection" also relies on referrer headers, it's much more trouble than it's worth.

This topic is now closed to further replies.
 Share
Go to question listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Ocenaudio 3.19.4

      By Copernic · Posted

      Ocenaudio 3.19.4 by Razvan Serea  Ocenaudio is a full featured, fast and easy to use audio and music editor. It is the ideal software for people who need to edit and analyze audio files without complications. Ocenaudio also has powerful features that will please more advanced users. To assist ocenaudio development, a powerful toolset of audio editing, analysis and manipulation called Ocen Framework was created. ocenaudio is also based on Qt framework, a well known library for cross-platform development. Cross-platform support ocenaudio is available for all major operating systems: Microsoft Windows, Mac OS X and Linux. Native applications are generated for each platform from a common source, in order to achieve excelent performance and seamless integration with the operating system. All versions of ocenaudio have a uniform set of features and the same graphical interface, so the skills you learn in one platform can be used in the others. VST plugins support Ocenaudio supports VST (Virtual Studio Technology) plugins, giving its users access to numerous effects. Like the native effects, VST effects can use real-time preview to aide configuration. Real-time preview of effects Applying effects such as EQ, gain and filtering is an important part of audio editing. However, it is very tricky to get the desired result by adjusting the controls configuration alone: you must listen the processed audio. To ease the configuration of audio effects, ocenaudio has a real time preview feature: you hear the processed signal while adjusting the controls. The effect configuration window also includes a miniature view of the selected audio signal. You can navigate on this miniature view in the same way as you do on the main interface, selecting parts that interest you and listening to the effect result in real time. Multiselection for delicate editions To speed up complex audio files editing, ocenaudio includes multi-selection. With this amazing tool, you can simultaneously select different portions of an audio file and listen, edit or even apply an effect to them. For example, if you want to normalize only the excerpts of an interview where the interviewee is talking, just select them and apply the effect. Eficient edition of large files With ocenaudio, there is no limit to the length or the quantity of the audio files you can edit. Using an advanced memory management system, the application keeps your files open without wasting any of your computer's memory. Even in files several hours long, common editing operations such as copy, cut or paste happen almost instantly. Fully featured spectrogram Besides offering an incredible waveform view of your audio files, ocenaudio has a powerful and complete spectrogram view. In this view, you can analyze the spectral content of your audio signal with maximum clarity. Advanced users will be surprised to find that the spectrogram settings are applied in real time. The display is updated immediately when altering features such as the number of frequency bands, window type and size and dynamic range of the display. Ocenaudio 3.19.4 changelog: Adds fallback fonts so every language and symbol displays correctly Improves autosave and session recovery stability Improves region navigation and display Fixes a crash when the level meter is used on displays with a scaling greater than 200% Fixes memory corruption when using the silence selection tools Fixes crashes when closing a file while effects are still being processed Fixes a freeze when applying effects to many files at once (macOS) Fixes crashes related to audio devices on Windows Fixes invalid file names when exporting regions whose label is used as the file name Other bug fixes and improvements Download: Ocenaudio 64-bit | Portable | ~40.0 MB (Freeware) Download: Ocenaudio for Linux and Mac OS View: Ocenaudio Homepage | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Hasleo Disk Clone 5.8.2.1

      By Copernic · Posted

      Hasleo Disk Clone 5.8.2.1 by Razvan Serea Hasleo Disk Clone is a free and all-in-one disk cloning software for Windows 11/10/8/7/Vista and Windows Server that can help you migrate Windows OS to another disk, clone one disk to another disk or clone one partition to another location quickly and efficiently. Completely Free Windows Migration and Disk/Partition Cloning Software Migrate Windows from one disk to another without reinstalling Windows, apps. Clone one disk to another and makes the data on 2 disks are exactly the same. Clone a partition to another location without losing any data. Easily adjust the size and location of the destination partition. Convert MBR to GPT or convert GPT to MBR by cloning. Creation of Windows PE emergency disk. Extremely fast cloning speed and multi-language support. Supported OS: Windows Vista/Server 2008 or later, fully compatible with GPT and UEFI. Hasleo Disk Clone 5.8.2.1 changelog: Fixed an issue that caused disk enumeration to fail Fixed an issue where WinPE created under Windows ARM64 26H1 did not work properly Download: Hasleo Disk Clone 5.8.2.1 | 32.3 MB (Freeware) Link: Hasleo Disk Clone Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Waymo recalls self-driving software after cars enter closed freeway work zones

      By ExecutiveFunction404 · Posted

      This got me thinking, would you rather a self driving car prioritise protecting its passengers or everyone else? I'd choose the one that keeps me and my kids safest. At some point, these cars have to make those choices already, don't they? Wonder if we have a way to find out what way they lean.
    • Google is opening the world's first AI museum in Los Angeles

      By excalpius · Posted

      The proportion (or number of iterations) has nothing to with this aspect of Copyright I am describing. In short, it doesn't matter how many times the manager tells you to change something or how. Your work product is always YOURS until and unless you then assign that to the person representing the client/company, usually for financial compensation -- either in salary or as a subcontract work for hire payment. if iterations determined copyright, then businesses would have learned to just keep making changes until they could claim they owned the copyright, without having to compensate the artist for their work. And that would be BAD. The only place where the amount of changes does have a role is in how much does a human modify a previous public domain work (from any source) before it is considered fair use or their own work, etc. For example, if a human makes substantial changes to a public domain (re: AI, by definition) work, then they can then claim that derivative work as their own...but NEVER the original version, of course. That's why anyone can make a movie about Dracula, for example, as long as it is based on the public domain novel, but not if they take new ideas from copyrighted movies made afterwards. As one of the people who personally advised the US Copyright Office on their recent ruling on these very issues, be assured that I specifically used the terminology precisely -- though I made it simple enough for laymen to understand it. If I made this confusing by doing so, I apologize. But, to be clear regarding your assumption that I would agree to your second statement that I quoted above -- the answer is NO. If AI does the work, no matter how much "direction" you give it, it cannot be copyrighted. All AI generated content is in the Public Domain and therefore the copyright cannot be assigned to ANYONE, even you -- until and unless substantial modifications are made to it BY A HUMAN BEING (yourself or a contracted artist/writer/etc.) and then that copyright on the derivative work is legally (in writing) transferred to you. This is a critical distinction. And it is important that people, especially AI sloppers, understand this. For example, YouTube is not paying AI slop generators for the copyright, etc. of their AI slop. What YouTube is doing is sharing AD REVENUE for permission to publish your AI slop. Copyright/ownership/rights never come into it. Importantly, that means that anyone can copy any AI slopware on YouTube, etc. and rehost it anywhere they want, even back on YouTube, and there is nothing legal that YouTube can do about it with regards to copyright protections, ownership, DMCA, etc. Anyone is legally free to use any AI slopware in any way they want. When this ruling was pending, I warned Disney legal of all of this before they did their OpenAI deal -- that it would literally dilute their entire IP portfolio forever. They ignored that warning for the PR and stock bump. But that is why, when the ruling came down last year, Disney quickly extricated themselves from that OpenAI deal, even eating the initial upfront fees -- followed closely by OpenAI ending their entire AI video generating business model. They adjusted their PR release dates to make this less obvious to shareholders, of course. Phew. I hope that this clears up the key distinctions for you and anyone reading. If you have any additional questions or even hypotheticals about AI and Copyright, please feel free to ask.
    • Windows 11 gets new audio improvements in the latest builds

      By wingliston · Posted

      Each of the devices displayed on this page now has a little volume meter next to it to show if there is audio actively playing. About time.

  • Recent Achievements

    • Collaborator
      ryansurfer98 went up a rank
      Collaborator
    • Week One Done
      Eurosoft10 earned a badge
      Week One Done
    • One Month Later
      Eurosoft10 earned a badge
      One Month Later
    • One Year In
      Skeet Campbell earned a badge
      One Year In
    • One Month Later
      Sharbel earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      554
    2. 2
      +Edouard
      188
    3. 3
      Michael Scrip
      78
    4. 4
      PsYcHoKiLLa
      74
    5. 5
      neufuse
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!