file access from a webserver – obscuring enough?

    • #3735
      sixstringartist
      Participant

      I have a website that acts as a file server for another website but I only want users of the other website to access the files. My site is blank and has no mentioning of these files. Is that enough or is it possible for someone to get my website to tell them what files it has?

    • #23929
      BillV
      Participant

      Security through obscurity is not typically recommended.

      If the files are there, Internet-accessible, there will always be potential for someone to access them.

      If you only want Server A and Server B to share the files, I would suggest you look into some sort of PKI implementation to encrypt the data that’s shared so that only those servers can access it.

      BillV

    • #23930
      sixstringartist
      Participant

      The other server acts as access control, permitting only certain users visibility to the links to the files on my server. These users connect directly to me to stream the files. My only concern is if there is a way to make my server tell others exactly what the filenames are enabling them to d/l freely. Is that a possibility?

    • #23931
      Ketchup
      Participant

      I don’t see why someone wouldn’t be able to access the file on your server. You didn’t mention anything that would prevent that.

    • #23932
      sixstringartist
      Participant

      You are correct, anyone can download the files, but the links are embedded in another website with access restrictions. For this application, this is “enough” security for us so long as someone cannot easily get the server to reveal the files it has available for download. That is really what I’m trying to determine. I’m not an expert with Apache so I don’t know if what I’m asking is possible.

    • #23933
      Anonymous
      Participant

      At the very least you could consider using basic HTTP authentication. This would require setting up a .htaccess and .htpasswd file on the webserver (assuming you’re using apache).

      http://httpd.apache.org/docs/2.0/howto/auth.html

      It’s worth having a look at basic auth since it’s fairly easy to get the hang of and implement.

      This comes with the caveat that it’s not a robust security mechanism but it’s much better than using ‘secret’ URLs. They can too easily fall prey to insecure anonymous FTP browsing (I’ve seen this on some ISPs), mod_speling (http://httpd.apache.org/docs/2.0/mod/mod_speling.html) and other common features and pitfalls.

      Jimbob

    • #23934
      timmedin
      Participant

      This would bump up the security a bit, but not totally prevent unauthorized access: edit your .htaccess file on the file server and only allow access if the referrer was your other site.

      RewriteEngine On
      # Block the request unless the Referer header starts with your site's URL
      RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com [NC]
      # [F] returns 403 Forbidden for any path that failed the condition above
      RewriteRule .* - [F]

    • #23935
      Anonymous
      Participant

      @timmedin wrote:

      This would bump up the security a bit, but not totally prevent unauthorized access: edit your .htaccess file on the file server and only allow access if the referrer was your other site.

      One thing to remember is that the referrer header is sent by the client, i.e. the web browser. It therefore cannot be trusted as a security token. That said, it is an additional barrier and I’m all for defense in depth 🙂

      Jimbob
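As an added example that is not part of any post in this thread, here is how the suggestions above combine into one .htaccess on the file server: directory listings are switched off (which is what actually stops Apache from revealing the file names the original poster worries about), basic auth as Jimbob proposed, and timmedin's Referer rule kept only as defense in depth. The path, hostname and the assumption that AllowOverride permits these directives are placeholders, not values from the thread.

```apache
# Added example, not from any poster in the thread. Assumes Apache httpd with
# mod_authn_file, mod_authz_core (or mod_auth on 2.0/2.2) and mod_rewrite
# loaded, and an AllowOverride setting that permits these directives in
# .htaccess. Paths and hostnames below are placeholders.

# 1. Never let Apache generate a directory listing, so requesting the bare
#    directory URL does not enumerate the files stored there.
Options -Indexes

# 2. HTTP basic authentication: every request must carry valid credentials.
#    Keep the .htpasswd file outside the web root (placeholder path).
AuthType Basic
AuthName "Restricted files"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# 3. Defense in depth only: reject requests whose Referer is not the partner
#    site. The client supplies this header, so it is a speed bump, not access
#    control; the basic auth block above does the real work.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/ [NC]
RewriteRule .* - [F]
```

Accounts for the AuthUserFile are created with Apache's own tool, e.g. `htpasswd -c /var/www/private/.htpasswd username` for the first user (drop `-c` for later ones).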

Copyright ©2021 Caendra, Inc.