Hand Stop Sign

Server-side includes - snippets of content that are kept as separate files, allowing their re-use on multiple pages – are particularly useful when developing a site . However, as they typically exist as files in a folder, they can be viewed in a browser, so long as the visitor can guess the right directory path. An example would be trying the following as a URL:

Site assets folder listIf I get the path correct, I can see a list of files in the browser window, and click on a file to see its content.

If the include files only contain static HTML, such as a re-used banners and site navigation, this is not a big deal. But it becomes a serious issue if the include file contains , most especially security information, such as a connection script. If a visitor can view a file directly to see username, password and domain information for your database, they can log into your server and get into all kinds of mischief. (Note that packages like DreamWeaver allow this by default).

Obviously you want to retain the ability of your own pages to read these include files; you just want to stop anyone else from getting into the folder. The solution is to create a .htaccess file with a special command line to restrict access. While it is possible to keep a single .htaccess file at the root of your site to control all access and server activity, for small sites I prefer the simplicity of writing an .htaccess file in each folder I wish to control. (Note that the includes folder is one of the few in which this technique should be used. Some clients with antiquated ideas about copyright and DRM might encourage you to apply the technique to the images directory of a site, but attempting to do so will likely impact your search index on Google.)

First, create the file. It has a very particular, and very special, filename: .htaccess (Note the position of the period at the start, and the lack of any suffix). This is a system file: under most conditions, it will be invisible to your operating system. (You may need to set your web development package of choice (DreamWeaver, Coda, etc) to ensue that the file is visible).

Then, write a single line in the file: deny from all

Finally, upload the .htaccess file to the includes folder on the server.

403 page exampleNow you will find that you cannot list the include folder content from the browser, even if you know the right path.

If you want a more elegant response than the default browser error, you can create a 403 page to display, very similar to the 404 (page not found) error page we have discussed earlier. The line added to the root .htaccess file will also be very similar:

ErrorDocument 403 notallowed.html

Photograph by Richard Clark, used under a Creative Commons Attribution-NonCommercial 2.0 Generic license

Enjoy this piece? I invite you to follow me at twitter.com/dudleystorey to learn more.