Server Security Tutorial for Beginners

There is always room for extra security for your website. So I thought I would share a few tips for you, so you can tighten up your website’s security Today!

We will be using .htaccess files in this tutorial and we will be referring to an Apache HTTP Server, so before continuing, please note: always make sure you back up your .htaccess file before making any changes! If you experience a 500 Internal Server Error when accessing your website via http, this often suggests a corrupt .htaccess file.

Tip 1: Prevent Indexing

When a server ‘indexes’ a directory, it basically shows a white page with a heading of “Index of ” and then the current directory, contents and server information.

We basically have two options, the first would be to create a php script and place that in the directory we would like to prevent indexing on.

So let’s create a script titled “index.php” and add the following to its contents:

      <?php // nothing to see here.. ?>

Note: We could add anything in our php comment, just as long as we add some comment (I like to add comments, as it looks better than an ‘empty’ script).

Place this ‘index.php’ script inside a directory that you want to prevent indexing for.

You should now see a blank page when you access this directory via http, rather than the index of that directory.

This is a very simple trick that can be very effective when used in the right places.

Our second option is preferred: by using the .htaccess file in your root web directory we can essentially do the same thing with one line. If you don’t already have a .htaccess file in your root web directory, go ahead and create one. If you do already have a .htaccess file in your root web directory, make sure to back it up before making any changes.

Add the following to your .htaccess file:

Options -Indexes

That should prevent the indexing of your directories.

Preventing indexing could also mean the difference between an attacker knowing exactly what directories are located on your server (including the file names and paths) and the same attacker having no idea of what is on your server.

Tip 2: Server Signature

We can turn off our server signature, so an attacker won’t easily be able to tell what server we are running. We can do this by adding the following to the root .htaccess file:

ServerSignature Off

Tip 3: 403 Error Page

We all know what a 404 error indicates: resource not found. But a 403 error indicates that there is something there, but the server has been configured to deny access to it. So, when an attacker receives a 403 error message, they know that there must be something there worth hiding or protecting. So, we can essentially trick the attacker into thinking that they have received a plain old 404 error. We can do this by adding the following to the root .htaccess file:

      ErrorDocument 403 http://example.com/404.html

Where 404.html would be your standard 404 error page.

BONUS: Privacy Tip

There are times where you only require a specific group of users to access a file or directory. We can lock down a directory by creating a .htaccess file in the directory that you would like to prevent the public from accessing and place the following into the .htaccess file:

      Order deny,allow
      Deny from all
      Allow from your.ip.here

You would change ‘your.ip.here’ to the actual IP address that you wish to allow http access from. Note that this is only productive when the allowed users have a dedicated (static) IP address that they will be accessing the directory from; otherwise a dynamic IP will keep changing and end up disallowing the group of permitted users.
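Here is how Tips 1 to 3 and the bonus tip fit together in practice, as an added example that is not part of the original tutorial. It assumes a document root of /var/www/html (your path will differ) and uses 203.0.113.5, a constructed address from the TEST-NET-3 documentation range, as the permitted client. Two things the tutorial’s snippets do not show are handled here: the ErrorDocument uses a site-relative path, because a full URL makes Apache answer with a 302 redirect to the 404 page rather than serving it in place, and the directory lock-down carries both the Apache 2.2 syntax used above and the Apache 2.4 `Require ip` form, so the same file works on either version.

```apacheconf
# /var/www/html/.htaccess   (document root path is an assumption)

# Tip 1: never list directory contents. The main server config must permit
# this directive (AllowOverride Options, or AllowOverride Indexes on 2.4);
# if it does not, Apache answers 500 for the whole site, which is the
# "corrupt .htaccess" symptom mentioned at the top of the tutorial.
Options -Indexes

# Tip 2: remove the "Apache/2.x.y (Ubuntu) Server at example.com" footer
# from server-generated error pages. Note that the Server: response header
# is governed separately by ServerTokens, which can only be set in the main
# server config, not in .htaccess.
ServerSignature Off

# Tip 3: answer forbidden requests with the normal 404 page. A site-relative
# path is deliberate: with a full URL (http://example.com/404.html) Apache
# sends a 302 redirect instead, which itself reveals special treatment.
# The status code stays 403; only the body becomes the 404 page. Keep
# /404.html readable by everyone, otherwise Apache falls back to its own
# error page and reports that a second 403 was encountered.
ErrorDocument 403 /404.html


# /var/www/html/private/.htaccess   (a directory only one address may reach)

# Bonus tip: the ErrorDocument above is inherited by this directory, so a
# denied visitor sees the 404 page. A CIDR range such as 203.0.113.0/24 is
# accepted in place of a single address.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require ip 203.0.113.5
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2, the syntax used in the tutorial
    Order deny,allow
    Deny from all
    Allow from 203.0.113.5
</IfModule>
```

After saving, request the directory once from the permitted address and once from any other address: the first should serve the directory’s content (or the blank index.php), the second should show your 404 page with no Apache version footer. A 500 response at this point means one of the directives is not allowed by AllowOverride; restore the backup and check the server error log.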

I hope you found this resource useful!