Security Information and Review

Collection of security information and review

How to Protect Web Application Files

Author : Admin

When we build a web application, all of its files become available to everyone. An attacker will look for any hole in the application or go after its data. How do we protect sensitive files in a web application? In this discussion, we go step by step through protecting them.

The first thing to do is to control visitors' access to our sensitive files through the web server configuration. It is assumed that we use the Apache web server with PHP as the server-side scripting language.

When we build a large PHP web application, many of its files contain sensitive information, so we must keep them from being visible on the web. One step we can take is to keep sensitive files in directories outside the web directory tree and reference them from the application with explicit paths. See the following example.

	<?php
	# Sensitive file kept inside the web directory tree: it is reachable over HTTP
	require_once 'db_connect.conf';

	# change the code above to the following: explicit path outside the web tree
	require_once '/var/conf/sample_web/db_connect.conf';

The second step is to protect sensitive files using the web server configuration file. Assuming Apache, and that our configuration files use the .conf extension, we can restrict access to them (or to other files) with web server configuration directives. We can add a global configuration such as the following.

# add this configuration in httpd.conf
<Directory />
	<Files "*.conf">
		# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
		Order deny,allow
		Deny from all
	</Files>
</Directory>

The third step is to create an .htaccess file in the top directory of our web site, like this.

# for .htaccess (only honoured when AllowOverride permits it for this directory)
<Files "*.conf">
	# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
	Order deny,allow
	Deny from all
</Files>
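The three steps above are easy to get wrong quietly: a configuration file left under the DocumentRoot, or a `Deny` line mistyped so Apache rejects or ignores it. The following POSIX shell script is an added audit helper, not code from the original post. It lists sensitive-looking files still under a DocumentRoot and checks whether an Apache config file (httpd.conf or .htaccess) contains a `<Files "*.conf">` block that denies access in either the 2.2 or the 2.4 form. The directory layout, file names and contents it builds are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not from the original post). All paths below are constructed.

# Print files under a DocumentRoot whose names suggest configuration or secrets.
list_exposed() {
    find "$1" -type f \( -name '*.conf' -o -name '*.ini' -o -name '*.inc' \
        -o -name '*.bak' -o -name '*.sql' -o -name '.env' \) | sort
}

# Count them; anything above zero should be moved out of the tree or denied.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Return 0 if the Apache config in $1 has a <Files "*.conf"> block that denies
# access with "Deny from all" (2.2) or "Require all denied" (2.4), else 1.
conf_is_denied() {
    awk '
        /<Files[[:space:]]+"\*\.conf">/ { inblock = 1; next }
        /<\/Files>/                     { inblock = 0; next }
        inblock && (/Deny[[:space:]]+from[[:space:]]+all/ || /Require[[:space:]]+all[[:space:]]+denied/) { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Build a constructed sample: one config left inside the webroot (bad), one moved
# to an out-of-tree directory (good), a correct .htaccess and a mistyped one.
build_sample() {
    base="$1"
    mkdir -p "$base/htdocs/app" "$base/conf/sample_web"
    printf '<?php echo "hello";\n' > "$base/htdocs/index.php"
    printf '<?php $db_pass = "constructed";\n' > "$base/htdocs/app/db_connect.conf"
    printf '<?php $db_pass = "constructed";\n' > "$base/conf/sample_web/db_connect.conf"
    printf '<Files "*.conf">\n\tOrder deny,allow\n\tDeny from all\n</Files>\n' > "$base/htdocs/.htaccess"
    # "Deny all" (missing "from") is the typo from the original listing
    printf '<Files "*.conf">\n\tOrder deny,allow\n\tDeny all\n</Files>\n' > "$base/htaccess.typo"
}

# Stand-alone run: build the sample under a temp dir and report on it.
tmp=$(mktemp -d)
build_sample "$tmp"
echo "Sensitive files still under DocumentRoot ($tmp/htdocs):"
list_exposed "$tmp/htdocs"
if conf_is_denied "$tmp/htdocs/.htaccess"; then echo ".htaccess: *.conf denied"; fi
if conf_is_denied "$tmp/htaccess.typo"; then :; else echo "htaccess.typo: *.conf NOT denied"; fi
rm -rf "$tmp"
```

On a real host, call `list_exposed` with the actual DocumentRoot and `conf_is_denied` with the real httpd.conf or .htaccess; the name list in `list_exposed` is deliberately small and should be extended to whatever extensions the application uses for its own configuration.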

In this discussion we covered several ways to secure our web application: restrict access to sensitive data and configuration files, put configuration files outside the web directory, use a global configuration in httpd.conf, and use an .htaccess file.

Mohamad Widodo

Categories: Web Application Security
Nice article.
24 October 09 at 00:19
If you like this post, please leave a message or comment.