doufen1933 2014-10-20 18:39
浏览 78
已采纳

修改.htaccess以拒绝访问文件夹,但仅允许从我的站点使用ajax访问特定文件

in my site "www.website.com" i have a folder with forbidden access using this .htaccess :

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteRule .* - [F,L]

Now i want to have access only from my site "www.website.com" to a specific PHP files using Ajax (POST). I have modify .htaccess like this:

RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://.*website.com [NC]
RewriteRule \.(php)$ - [NC,F,L]

But with this code i have access to all php files. I need to access only in *Add.php and *Edit.php . These files are in several subfolders. What should i do ? Is this the right way to do this?

  • 写回答

1条回答 默认 最新

  • dongmu6578 2014-11-04 23:31
    关注

    Well, after a lot of searching, reading and testing i conclude that the best way to secure a website that works using Ajax is:

    1 - Have only one (if possible) file like router.php that will "route" depending on the POST/GET navigation variables, using includes to files that are in sub-folders.

    2 - Except of SESSION-based authentication you could also implement Basic HTTP authentication and/or HTTPS (SSL) to secure user credentials when login. If you are not using HTTPs, you should use field or form encryption because in 'wire' all are in plaintext. I have found useful this http://www.itsyndicate.ca/jquery/

    3 - In every POST use Token-based Authentication with a token that is created from user credentials, send over with the request and then re-calculate and compare.

    4 - I have tried lot of combinations for using only one .htaccess in document ROOT but always something was missing, or miss-configured or not working as i expected. So, i found more simple to use one .htaccess in every sub-folder instead of one in the root. In sub-folders depending on what they contain's .htaccess should look like this:

    ### No Direct Access to All files ###
<IfModule mod_authz_host.c>
    Order Deny,Allow
    Deny from all
#   Allow from 127.0.0.1
</IfModule>

### One of the alternative ways with mod_rewrite ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^/]+)/.*\ HTTP [NC]
    RewriteRule .* - [F,L]
</IfModule>

### permit ONLY filetypes in a pattern ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} ^(.+)\.(css|js|gif|png|jpe?g|woff)$
    RewriteRule .? - [S=1]
    RewriteRule ^(.+)$ - [F,L,NC]
</IfModule>

    I prefer THE_REQUEST because this does not include any additional headers sent by the browser. This value has not been unescaped (decoded), unlike most other variables, and it has no point to spoof. I use skip [S=1] because i prefer to tell "If that then this rule not valid", so, in any other case the rule that "Denies" it is valid.

    5 - For extra security you can use code inside php files, implementing one of the methods described in this article: Prevent direct access to a php include file

    6 - Also, if you are Forbidding Image Hotlinking (and NOT only) described here , beware that referer can be spoofed!!

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)