web security

Unless the webmaster disallows casual folder browsing on the web server, most of the contents of each folder can be listed in a browser pointing to that Internet address. This concept is easily demonstrable by typing most any website address into the address bar of an Internet browser and simply adding a forward-slash and this folder name to the address.

If the images folder of the website navigated to is not protected, a listing of all the files in the folder will be displayed. Any of the files in the resulting display may be right-clicked on and the ‘save as‘ option taken in order to save that file to a hard drive. In most cases websites will have an images folder, and this folder will not ususually be protected from casual browsing. If so, the entire contents of the images folder will be accessible to the public at large.

Depending upon file types, the files in an unprotected web folder may or may not be accessible; .php, .asp, and .aspx files are not accessible although .gif, .jpg, .bmp, .png, and other image files are fully accessible. Additionally, without folder protection in place, a hacker can make use of configuration files as well, such as config.inc and that could be where the websites database connection strings are held! Therefore, the database itself could become compromised.

There are primarily two methods of protecting web folders on an Apache Web Server:

  1. Placement of a redirect script in each individual web folder which requires protection.
  2. Making adjustments to the .htaccess file which will be applied to all website folders.

Placement of a Redirect Script:

A webmaster can follow these simple steps to add a redirect script to their web folders:

      Save the following in a file named index.php:


  • Upload the file into each web folder which needs protection. Finally,
  • Right-click on the file in your FTP program and CHMOD it to change the permissions to 755 so it will be executable.

Having done these actions the web folder will now be secured from casual browsing and its files protected.

The redirect script should be named index.php so it will execute when a user navigates to the folder it resides in. Place the file above into each folder which requires protection.

Adjusting the .htaccess File Rather Than Adding a Redirect Script:

In the root folder of the website there is a file called .htaccess. In it a line resides which reads:

Options Indexes

That text must be modified to read:

Options -Indexes

(If there is no line which reads Options Indexes then a line must be added that reads:

Options -Indexes

The new .htaccess file must then be saved and uploaded to the web server in text mode. Folder browsing on the website will then be disabled. If there is no .htaccess file found in the root folder, a simple text file must be created and saved. The file must be named .htaccess and the following lines must be added to it:

<Files .htaccess>

order allow,deny

deny from all


Options -Indexes

The additional lines protect the .htaccess file itself from being viewed.

The main method of protecting folders on an IIS server is just an adjustment to the application settings in the IIS snap-in. The website owner must simply ask their host to turn off directory browsing in the IIS snap-in for the directories of the website. If the website owner is serving out their own website and running their own server the steps to do this for oneself are:

  • enter IIS.
  • Right-click on the website and select Properties. In the application settings, make sure an application is
  • defined or click the button to define one and deselect directory browsing if that checkbox is selected.
  • Close Properties.

It is not necessary to restart the web server for this setting to take effect. This simple precaution can protect any website and possibly save the website owner’s entire online business from being hacked.

These two methods of folder protection are very often overlooked by webmasters. They comprise a very easy first line of defense against casual browsing, data loss, and even website hacking.

Controlling user access and authentication are the keys to securing a website using .htaccess.

A combination of methods should be used in order to build a good defense for website security.

Leave a Reply

Your email address will not be published.