Where to store files on the server so that they are not accessible through the browser?

When reading the security questions and answers about allowing users to upload files to your server, some of the answers said to save the file in a browser-inaccessible location and "above document root".

If I had a site running in 'var/www/' like:

var/www/mysite/Index.html

Does "above the document root" mean above the mysite folder but still in the var/www folder, or does it mean a separate location from var/www in general, somewhere else entirely on the server host filesystem?

Also, why does making the file impossible to access from the browser make it more secure? Thanks.

+3


1 answer


I'm not too worried about moving certain files outside of the www folder at all, because if your www folder is vulnerable (via apache or other means), you have a number of other problems and those files are available anyway. Moving it outside the www folder also affects the portability of the application, as most hosting companies do not allow access outside of your user's www folder.

Including Override in Apache and placing a .htaccess file with the following content in any folder you want to restrict:

Order deny,allow
Deny from all

Thus, your application is self-contained and portable.

Apache 2.4 and PHP 5.5 are further strengthened with respect to OS level access and execution issues, so I also recommend using the latest versions of these packages whenever possible.

+3
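The following configuration is an added example, not part of the original answer. It shows the override setting the .htaccess approach depends on, and a version-portable form of the deny rule: `Order`/`Deny` is the Apache 2.2 syntax (served in 2.4 by the compatibility module mod_access_compat), while `Require all denied` is the native 2.4 form. The `/var/www/mysite` path follows the question's layout and the `uploads` folder name is an assumption.

```apache
# --- Server or virtual-host configuration (not .htaccess) ---
# Assumed layout: document root /var/www/mysite, with a hypothetical
# uploads/ subfolder that must not be served.
<Directory "/var/www/mysite/uploads">
    # With "AllowOverride None" the .htaccess file is not read at all,
    # so the folder stays publicly readable. Grant only what is needed:
    #   Limit      -> allows Order / Allow / Deny   (2.2 syntax)
    #   AuthConfig -> allows Require                (2.4 syntax)
    AllowOverride Limit AuthConfig
</Directory>

# --- Contents of /var/www/mysite/uploads/.htaccess ---
# Apache 2.4: mod_authz_core is loaded, use the native directive.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2: mod_authz_core does not exist, fall back to the
# directives given in the answer.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After a reload, a request for any file under that folder should return 403 Forbidden; a 200 response means the .htaccess file is not being applied.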

