Forbidden File

Status
Not open for further replies.

hobosam (Programmer; joined Jul 31, 2006; messages: 2; location: US)

Sorry for my stupidity, but this is driving me crazy, and I signed up just to ask this. I have a file (a javascript to be exact) that I want to ONLY be able to be viewed from the page it's executed on, but I want it to be forbidden to anyone who just types it into the URL. Can I do this with .htaccess? If not, is there any simple way to do it?
 
If you do not have access to httpd.conf directly, then yes, you can use .htaccess to enter the following code:

Code:
Order allow, deny
Allow from thispageonly.html

You would put this .htaccess file in the same directory as the script but not the same as the one from which the script is called. You would also use the real name of the page that calls the script. I used "thispageonly.html" just as an example. What the code does is tell Apache to parse the allow statements before the deny statements and set the default state to deny. Then when it parses the "Allow from" statement, it only allows those requests that have "thispageonly.html" as the referer. In addition to page referers, it could also be a URL, IP address or subnet. If this isn't what you want, you can also do the same thing using server side includes. However, this usually requires the page using SSI to have an extension of .shtml so it will be parsed correctly.
 
It's not working. I tried adding <directory> and <file> tags, but nothing works. It denies direct access alright, but also denies the page it's run on...
 
Hi

I am confused, RhythmAce. In the Allow directive's documentation the syntax says that it expects "all", host name or environment variable test.

I think you want to write this:
Code:
SetEnvIf Referer www\.yoursite\.com requestok
<Files *.js>
  Order deny,allow
  Deny from all
  Allow from env=requestok
</Files>
hobosam, the above code is what you want, but please note that your idea is stupid. Those people who disabled the Referer HTTP header or have a firewall which filters the header out will not receive the JavaScript file. And anyway, only those who do not want to will not download, read, save, whatever, your script.

Read this FAQ, it gives a good explanation about protecting files on HTTP: FAQ253-6072.

Feherke.
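
A small model of how Apache 2.2 evaluates the SetEnvIf / Order / Deny / Allow rule posted above, added here as an example (it is not code from the thread or from Apache). It shows that a request without a Referer is refused whether the URL was typed directly or the header was removed on the way, and that swapping the Order keywords changes the outcome. The function names and the sample requests are made up for the illustration.

```python
import re

# Model of the posted line: SetEnvIf Referer www\.yoursite\.com requestok
REFERER_RULE = re.compile(r"www\.yoursite\.com")  # unanchored, as in SetEnvIf

def request_env(headers):
    """Return the environment variables SetEnvIf would set for these headers."""
    referer = headers.get("Referer", "")
    return {"requestok"} if REFERER_RULE.search(referer) else set()

def matches(spec, env):
    """'all' matches every request; 'env=NAME' matches when NAME is set."""
    if spec == "all":
        return True
    if spec.startswith("env="):
        return spec[4:] in env
    return False  # host and IP specs are outside this model

def access_allowed(order, allow, deny, env):
    """Apache 2.2 semantics of Order with Allow/Deny lists."""
    allowed = any(matches(s, env) for s in allow)
    denied = any(matches(s, env) for s in deny)
    if order == "deny,allow":
        # Default is allow; an Allow match overrides a Deny match.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; must match Allow and must not match Deny.
        return allowed and not denied
    raise ValueError("Order must be 'deny,allow' or 'allow,deny'")

def js_served(headers):
    """Decision for the <Files *.js> block posted in the thread."""
    env = request_env(headers)
    return access_allowed("deny,allow", ["env=requestok"], ["all"], env)

# Constructed sample requests for the script (not taken from the thread).
SAMPLES = {
    "page load, Referer sent": {"Referer": "http://www.yoursite.com/page.html"},
    "URL typed into the address bar": {},
    "page load, Referer removed by client or proxy": {},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label:48} -> {'200' if js_served(headers) else '403'}")
```

The last two samples are the same request as far as the server can tell, which is why the rule cannot separate a visitor whose Referer is filtered from someone opening the script URL directly.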
 