Note: “file” means “script file”
Most of the recommendations in this post are best suited to PHP scripts that are used as includes.
What type of security for a script file am I talking about?
- deny ability to read its raw text
- deny ability to know its file name and filesystem location
- deny ability to include the file in a script located on a different server.
Note that most of these security techniques will be ineffective if a hacker is able to plant and execute scripts on the server.
Put the File Outside the Web Directory
The include function accepts an absolute filesystem path as its argument, which means you can include a file that lives outside the web server’s document root.
This is good because a file placed there cannot be requested directly from a browser: PHP can read it, but HTTPd won’t serve it.
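An added example of the layout described above (not code from the original post; the directory names, the `PRIVATE_DIR` constant and the `include_private()` helper are assumptions). The include file sits in a directory beside the document root rather than under it, and the calling script builds an absolute path from `__DIR__` so the include does not depend on `include_path` or on the current working directory, which differ between CLI and web invocations:

```php
<?php
// htdocs/index.php (the calling script). Assumed layout, not from the post:
//   /var/www/example.com/htdocs/index.php   document root, served by httpd
//   /var/www/example.com/private/db.php     include file, outside the docroot
define('PRIVATE_DIR', dirname(__DIR__) . '/private');

/**
 * Include a named file from PRIVATE_DIR, refusing any name that resolves
 * outside it (for instance one containing "../").
 */
function include_private(string $name): void
{
    $base = realpath(PRIVATE_DIR);
    if ($base === false) {
        throw new RuntimeException('private include directory not found');
    }
    $path = realpath($base . '/' . $name);
    if ($path === false || !str_starts_with($path, $base . '/')) {
        throw new RuntimeException("refusing to include '$name'");
    }
    require_once $path;
}

/**
 * Sanity check at startup: if the private directory sits under the document
 * root, httpd can serve its contents and the whole point is lost.
 */
function private_dir_is_outside_docroot(): bool
{
    $base    = realpath(PRIVATE_DIR);
    $docroot = realpath($_SERVER['DOCUMENT_ROOT'] ?? '');
    if ($base === false || $docroot === false) {
        return true; // nothing to compare against (e.g. CLI run)
    }
    return !str_starts_with($base . '/', $docroot . '/');
}

if (!private_dir_is_outside_docroot()) {
    error_log('warning: PRIVATE_DIR is inside the document root');
}

include_private('db.php');   // assumed to define the database connection
```

`str_starts_with()` needs PHP 8; on older releases use `strpos($path, $base . '/') === 0`. The `realpath()` comparison matters because a bare string concatenation would happily follow `../` back into the document root.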
Give the File Name a .php Extension
As long as PHP is running and the web server is configured to process .php files using PHP, the user won’t be able to see the code that makes up your script. That code may contain information (database credentials, for example) which a hacker can use to hack your website. Note the converse: a file with any other extension, such as .inc, is served to the browser as plain text unless the web server is specifically told not to.
Use a Ping-Pong Variable
This is to prevent a hacker from including your script in his or her own script. You do this by putting code at the top of your include script that makes it stop executing unless a certain variable is set to a specific value; the calling script sets that value before the include statement.
When I implemented this technique I had assumed that includes can use HTTP (not possible). Also, although fopen() can use HTTP, the web server would execute the PHP code rather than pass it along as raw text. However, I will continue to use this technique just in case it may help some day in some way which I have yet to understand.
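An added example of the guard (not code from the original post; the file names and the `APP_ENTRY` constant are assumptions). One concrete effect of the technique, whatever the remote-inclusion question: if the include file does sit under the document root and someone requests it directly, httpd hands the request to PHP, PHP runs the top-of-file check, and nothing else in the file executes. A constant set with `define()` is used instead of a plain variable because request data can never define a constant, whereas with the old `register_globals` setting a query string could set a global variable. Both files are shown in one listing:

```php
<?php
// ---- htdocs/index.php (the calling script) ----
// Set the guard before the include; the value is the "ping".
define('APP_ENTRY', true);
require __DIR__ . '/lib/helpers.php';
echo helper_greeting('world');

// ---- htdocs/lib/helpers.php (the include) ----
// Stop immediately unless the guard is present; this is the "pong".
// A direct browser request for helpers.php reaches this line with
// APP_ENTRY undefined and gets a 403 instead of running the code below.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

function helper_greeting(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}
```

Put the check before any other statement in the include, including `use` of variables the caller is expected to provide, so that a direct request cannot trigger side effects on the way to the exit.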
Disable Indexing on the Web Server
Indexing is a feature of the Apache web server that returns a directory listing when a user requests a URL naming a directory that contains no index file. If you don’t want users to learn the names of your script files, disable this feature.
Password Protect the File’s Web Directory
Here I’m talking about using .htaccess to password protect a particular web directory. Generally you don’t want to do this, because your website has its own user access control system. For include files, however, you do want to protect their directory: users have no need to access those files directly in the browser, and you don’t want them to be able to.