NotionCommotion, posted December 8, 2014

I have a particular PHP file which is publicly located; however, I don't want anyone but me to access it. Below are my thoughts on how to do so. Please comment.

1. Use an uncommon name, and definitely not index.php.
2. Either include a file called index.html in the same directory, or set up Apache not to show them using Options -Indexes, or maybe both for good measure.
3. Require some variable to be set to a given value in either the GET or POST array, and if it is not set, send a 404 header and display the 404 missing-file HTML.
4. If the user accesses the page and is not logged on, as determined by a session value, display a log-on page.
5. Prevent indexing by either putting <meta name="robots" content="none" /> in the HTML, or using header("X-Robots-Tag: noindex, nofollow", true); in the PHP, or maybe both for good measure.

Seem reasonable? Anything else? Thanks
maxxd, posted December 8, 2014

4 is good if you're planning on allowing other users to access the page later. If not, or even if it's only a small number of other users, I'd personally just use Apache password protection with an .htaccess file. Quick and easy.
NotionCommotion (author), posted December 8, 2014

> 4 is good if you're planning on allowing other users to access the page later. If not, or even if it's only a small number of other users, I'd personally just use Apache password protection with an .htaccess file. Quick and easy.

Definitely quick and easy; however, it doesn't hide the page.
kicken, posted December 8, 2014

You shouldn't really focus too much on making sure nobody can find it. Just make sure that nobody can use it if they do, without proper authorization. So long as you don't publicly publish any links to the page, it will generally not get found/accessed. You can of course add the noindex directive to request that search engines do not index it as well, just in case they happen to find it somehow. The important thing is that it does nothing unless the person has the proper authorization. You should be able to publish it as a giant CLICK HERE link on your home page without risk.

All that said, what exactly does this script do? Can you move it out of the web root and make it completely inaccessible and still function? If it's for a cron job, for example, it should be inaccessible from the web and run via PHP's CLI executable.
NotionCommotion (author), posted December 8, 2014

> All that said, what exactly does this script do?

Various development and configuration tools. Currently, I have a bunch of scripts, such as delete the database and rebuild it from scratch. Once in production, I will obviously not want that one! Other scripts are to modify the database to add a new page to the application. Currently, I have the scripts located in a non-public directory, and have a publicly accessible directory protected with an Apache password which contains PHP files with a single require('/var/www/private/some_file.php'). I want to clean it up and have one location to access all of them. Yes, I could move them out of the web root, but don't want to currently. And I agree it should be robust enough so no one could do anything with it even if they found it, but what if I miss something? Adding a little to hiding it just seemed like an easy way to add some extra insurance.
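As an added example (not code from the thread or from any poster), one way to put points 3 to 5 of the original list together with kicken's point that the page must do nothing without authorization, and with the single entry point for the private scripts described in the post above. It assumes the site's existing login code sets $_SESSION['admin_user'] and $_SESSION['csrf_token'], that 404.html is the site's normal missing-file page, and that the paths under /var/www/private/ are placeholders.

```php
<?php
// Added example, not from the thread. Assumed: the site's own login code sets
// $_SESSION['admin_user'] and $_SESSION['csrf_token']; 404.html is the normal
// missing-file page; the paths under /var/www/private/ are placeholders.
declare(strict_types=1);
// Answer exactly as the server would for a missing file, so an unauthenticated
// visitor cannot tell this URL from a dead one (no 401/403, no login form).
function deny_as_not_found(): void
{
    http_response_code(404);
    header('Content-Type: text/html; charset=utf-8');
    readfile(__DIR__ . '/404.html');
    exit;
}

// Only the server-side session grants access; nothing in GET or POST is
// trusted for that decision (a "magic" query parameter is not authentication).
function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_user'])) {
        deny_as_not_found();
    }
}
header('X-Robots-Tag: noindex, nofollow', true); // also for logged-in responses
require_admin_session();

// One entry point for all maintenance scripts: the URL carries a key into a fixed
// allowlist, never a file name, so nothing outside this map can be loaded.
$tools = [
    'add-page'   => ['file' => '/var/www/private/add_page.php',   'destructive' => false],
    'rebuild-db' => ['file' => '/var/www/private/rebuild_db.php', 'destructive' => true],
];
$key = $_GET['tool'] ?? '';
if (!isset($tools[$key])) {
    deny_as_not_found();
}
// Destructive tools (dropping and rebuilding the database) must arrive as a POST
// carrying the session's CSRF token, so a plain link or image tag cannot fire them.
if ($tools[$key]['destructive']) {
    $sent = (string) ($_POST['csrf_token'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] !== 'POST'
        || !hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $sent)) {
        deny_as_not_found();
    }
}
require $tools[$key]['file'];
```

Whether or not the file name is obscure, every path through this gate ends either in the 404 page or in a script that only an already-authenticated session can reach.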
hansford, posted December 9, 2014 (edited December 9, 2014 by hansford)

I put all files like that in a password-protected directory. When I have to do site maintenance that requires a site to be down for a specified period, I redirect all traffic to the "Scheduled Maintenance" page except my own IP address. And as mentioned, any directory or file that you don't want published to the world should be a noindex in the robots.txt file.