Hiding files with Apache

Not all files on a webspace should be accessible by anybody on the Internet. There are many tutorials for protecting directories or files with a password using a .htaccess file, but some files need to be on a webspace, which shouldn't ever be served by the webserver. This is a simple how-to-protect them tutorial.

stop.pngThe very best way of hiding files is the simpelst: Place them outside the webservers directory! The is the most secure way, because a webserver can't serve a file that it can't find and at least Apache should be considered safe from ../../ attacks which might led to files outside the document root directory.

The files are still not safe against attacks to security leaks or buggy scripts which may allow attackers to read any file on the webservers filesystem, but it's much more unlikely that an attacker aims at your server than a user getting a secret file by accident.

The worst way is hiding a file using a secret long filename that "noone will ever guess". There are so many unexpected things which may lead to a file list being published... Simply don't do it.

All Apache servers hide files beginning with ".ht" by default - unless someone changed the configuration, but that's very uncommon. Neverless, always check that the file is unaccessible by trying to download it using a webbrowser yourself!

Other files may be hidden by using a .htaccess file. Create a new file named .htaccess (yes, there is a leading dot in front of the htaccess) located in the same directory where the file or directory lives, which should be hidden. Add the following lines:

<Files secret.key>
Deny from all

If you want to hide a directory, use the <Directory> tag instead of the <Files> tag:

<Directory secret_path>
Deny from all

Again: Verify your protection by trying to download the hidden file. You should get a Forbidden error message.

If the .htaccess lines don't work (and your file is still accessable), first check the name of the .htaccess file. Expecially Windows users often suffer from operating system problems. Try to create the file without leading dot, upload it to your webspace and rename it on the webspace to include the leading dot.

Still no Forbidden error? Your webserver may be configured to ignore .htaccess files or the Deny from all line. Contact your webserver administrator (typically your webhosting provider) and ask for help.


Noch keine Kommentare. Schreib was dazu

Schreib was dazu

Die folgenden HTML-Tags sind erlaubt:<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>