You can use .htaccess to block all HTTP access to files, something like:

<Files config.php>
    deny from all
</Files>

On 10/12/2008, at 3:09, yeosteve wrote:

> Thanks everybody.
>
> I asked this dumb question partly because I was feeling dumb, but
> mainly to show my class at Natcoll that they can get great help from
> the community. It also came up because I have a client who has their
> site on an Openhost shared server, and they tell me I can't store
> files above the web root "for security reasons", so even my config
> file with my database details has to be stored in the public_html
> folder!!
>
> On Dec 10, 2:17 pm, Chris Burgess wrote:
>> yeosteve wrote:
>>> If you go to google.com/robots.txt you can see all the folders they
>>> don't want search engines to look at, so presumably if I was wearing
>>> my black hat, I would start with this list of folders when looking
>>> for private information.
>>
>> http://www.robotstxt.org/faq/nosecurity.html
>>
>> Q: Surely listing sensitive files is asking for trouble?
>>
>> A: The real answer is that /robots.txt is not intended for access
>> control, so don't try to use it as such. *Think of it as a "No Entry"
>> sign, not a locked door.* If you have files on your web site that you
>> don't want unauthorized people to access, then configure your server
>> to do authentication, and configure appropriate authorization. Basic
>> Authentication has been around since the early days of the web (and
>> in e.g. Apache on UNIX is trivial to configure). Modern content
>> management systems support access controls on individual pages and
>> collections of resources.
>>
>>> Does anyone know of a way to prevent this file being read by
>>> browsers while still allowing search engines access to it? Even as I
>>> write that, it seems like a Very Dumb question.
>>
>> Google is a fantastic tool for black hats to find vulnerabilities, so
>> making this information visible only to search engines isn't really
>> helpful. Some quite innocuous Google Alerts I have set up, which were
>> intended to keep an eye on my favourite tools in NZ, have reported
>> vulnerable sites to me.
>>
>> And I don't even have a cool hat like Brenda.

---
Simon Welsh
Admin of http://simon.geek.nz/

Who said Microsoft never created a bug-free program? The blue screen never, ever crashes!

http://www.thinkgeek.com/brain/gimme.cgi?wid=81d520e5e

NZ PHP Users Group: http://groups.google.com/group/nzphpug
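
Added example, not part of the original message: the rule suggested at the top of this reply, written so that it works on both Apache 2.2 and Apache 2.4. The file name config.php comes from the post; that the host permits these directives in .htaccess is an assumption.

```apache
# .htaccess in the directory that holds config.php (e.g. public_html).
# Blocks every HTTP request for the file. PHP include/require still works,
# because it reads the file from disk rather than over HTTP.
<Files "config.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax, as in the reply above
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

A request for /config.php should then return 403 Forbidden; a 500 response usually means the host's AllowOverride setting does not permit the directive in .htaccess.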
