NotionCommotion Posted December 8, 2014 Share Posted December 8, 2014 I have a particular PHP file which is publicly located, however, I don't want anyone but me to access. Below are my thoughts how to do so. Please comment. Use an uncommon name, and definitely not index.php. Either include a file called index.html in the same directory, or set up Apache not to show them using Options -Indexes, or maybe both for good measure. Require some variable to be set to a given value in either the GET or POST array, and if not set, throw a 404 header and display the 404 missing file HTML. If user accesses page and is not logged on as determined by a session value, display a log-on page. Prevent indexing by either putting <meta name="robots" content="none" /> in the HTML, and using header("X-Robots-Tag: noindex, nofollow", true); in the PHP, or maybe both for good measure. Seem reasonable? Anything else? Thanks Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/ Share on other sites More sharing options...
maxxd Posted December 8, 2014 Share Posted December 8, 2014 4 is good if you're planning on allowing other users to access the page later. If not, or even if it's only a small amount of other users, I'd personally just use Apache password protection with an .htaccess file. Quick and easy. Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/#findComment-1499023 Share on other sites More sharing options...
NotionCommotion Posted December 8, 2014 Author Share Posted December 8, 2014 4 is good if you're planning on allowing other users to access the page later. If not, or even if it's only a small amount of other users, I'd personally just use Apache password protection with an .htaccess file. Quick and easy. Definitely quick and easy, however, it doesn't hide the page. Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/#findComment-1499027 Share on other sites More sharing options...
kicken Posted December 8, 2014 Share Posted December 8, 2014 You shouldn't really focus too much on making sure nobody can find it. Just make sure that nobody can use it if they do without proper authorization. So long as you don't publicly publish any links to the page it will generally not get found/accessed. You can of course add the noindex directive to request search engines do not index it as well, just incase they happen to find it somehow. The important thing is that it does nothing unless the person has the proper authorization. You should be able to publish it as a giant CLICK HERE link on your home page without risk. All that said, what exactly does this script do? Can you move it out of the web root and make it completely inaccessible and still function? If it's for a cron job for example, it should be inaccessible from the web and run via php's CLI executable. Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/#findComment-1499030 Share on other sites More sharing options...
NotionCommotion Posted December 8, 2014 Author Share Posted December 8, 2014 All that said, what exactly does this script do? Various development and configuration tools. Currently, I have a bunch of scripts such as delete the database and rebuild it from scratch. Once in production, I will obviously not want that one! Other scrips are to modify the database to add a new page to the application. Currently, I have the scripts located in a non-public directory, and have a publicly accessible directory protected with an Apache password with contains PHP files with a single require('/var/www/private/some_file.php'). I want to clean it up and have one location to access all of them. Yes, I cold move them out of the web root, but don't want to currently. And I agree it should be robust enough so no one could do anything with it even if they found it, but what if I miss something? Adding a little to hiding it just seemed like an easy way to add some extra insurance. Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/#findComment-1499039 Share on other sites More sharing options...
hansford Posted December 9, 2014 Share Posted December 9, 2014 (edited) I put all files like that in a password protected directory. When I have to do site maintenance that requires a site be down for a specified period, I redirect all traffic to the "Scheduled Maintenance" page except my own IP address. And as mentioned, any directory or file that you don't want published to the world should be a noindex in the robots.txt file. Edited December 9, 2014 by hansford Quote Link to comment https://forums.phpfreaks.com/topic/292969-how-to-hide-a-webpage/#findComment-1499060 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.