I am currently building a website in Webmatrix and right now users can access images and files on the server, like this:
localhost:8080/uploads/images/64/facebook_64.png
How can I do it so they cant access these files.
I it helps I am writing in Javascript , CSS and HTML and I won't work with PHP if it is not really necessary.
Add a .htaccess file in the top folder that you want no one accessing with the following
order deny,allow
deny from all
allow from 127.0.0.1
Note: This means that you also won't be able to show them to users using img tags or any other method that requires the user to send a request to the image. However, the server can still use them.
You can't.
Not if your site is only going to use client-side technologies like html, css and javascript.
Any asset that you will need for your site, will be fetched using a http request and if your site / application can do that without any server-side technologies / authentication, so can any user.
You need a server-side technology like for example php if you want to use assets in your site while not making them publicly accessible.
Related
I have AngularJS (1.2.16) application which works on Tomcat 8.0.x I need to add following feature: create a new tab in the application (no problem) and allows to user to select concrete from select box on previously implemented new tab, file from HDD (directory is given but outside from Tomcat) and preview (PDF file). How to connect those two worlds? I have backend also.
I have found very similar question- Simplest way to serve static data from outside the application server in a Java web application but I do not understand how to get in UI a list of files from given dir. There are any best practices on that?
EDIT: I have found also possible duplicate, so you suggest to serve all files under URL? Is it safe? Is it the only one solution?
Security considerations
Providing read/write access to a filesystem folder from an application server is always a bad practice.
It should be considered if the web application will be accessed from internet.
In case we need to handle this kind of situation the better think to do is to understand which information we need to have and to modify, and wen wrap those information inside a specific API that allow to work on strictly what we need.
Or we could have an operation approach which consists in the hardening of the server and the folders that should be accessed in a way that any threat will be contained.
The solution part
This answer was proposed for duplicate of: Simplest way to serve static data from outside the application server in a Java web application.
But this part just explain alf of the requested solution.
The answer here explain how to configure an extension of the default servlet from a custom folder in Tomcat:
You have to act on the conf/server.xml:
<Context docBase="/path/to/files" path="/files" />
Here you configure a folder in a way that Tomcat will access, and connect it to a path that could be requested on the HTTP requests (http://mytomcatserver/files/).
Now you need to configure the web.xml to connect a specific servlet to this path, to be able to handle the folder content.
Once you have your servlet and your Tomcat properly configured it's time to access the folder and files.
This could be done as explained int the answer Display list of files in webpage using servlet.
In short, you cold access the folder with plain java:
File filesFolder = new File(req.getSession().getServletContext().getRealPath("/files"));
And then with the method File.listFiles() you could get the list of files in the folder.
With File.listFiles() you could also add filters that allow you to hide files you don't want the user could access.
I am developing an web page (html5) for my graduation project. In the web page the user would provide "body type" and based on the input various garments's images would be pulled from database and displayed on the page.
I am not a technical student so failing in my database connection efforts.
I have index.html page, a .mdb db (ms access 2007) and using js to connect to the .mdb. I also installed the "Microsoft Access Database Engine 2010 Redistributable". Then too failing.
Kindly mention what I am missing.
HTML pages are mostly accessed via a Server (IIS, Apache,..) and the data work is done by the server, on the server (AKA ServerSide programming)
So first consider if your project is intended to be accessed this way or only locally / standalone to your very computer.
If you only want a local page, there might be a solution here : http://accessdb.sourceforge.net/
But I bet it only works on IE through ActiveX
Read this : Read and write to an access database using Javascript
Also : why MSaccess ? If you really try to manipulate data locally using JS, try SQLite, there should be many library for JS like this one : https://github.com/lovasoa/sql.js
or why not... the HTML5 webstorage objects, that could be pushed far
http://www.w3schools.com/html/html5_webstorage.asp
I think you have got it all wrong! The short answer is you can not. And that is because your design is wrong. You can not* directly connect form html5 / javascript to a database.
Back to the basics.
You will need server side scripting to read the database content and expose them to the client (javascript) or to embed directly the result to html5 (while server is building the page).
You need to take a look to the following technologies
java / Jsp
c# / aspx
Those will help you to read the db file on the server side. Then as I said you will need to find a way to expose that information to your web page. As a side note, those are not the only server side scripting technologies, but are the one (IMHO) the can read an access file.
So look into that direction you will find a lot of resources to help you.
*The truth is that you can, but this can be considered an 'advance' issue.
I'm using adobe business catalyst to build a site. and it doesn't allow to use PHP and I can use just HTML,CSS,Javascript. and I need to add PHP API to my site. but directly, I can't do that. Is there anyway to do that like using iframes ?
PHP is a server side programming language. So just adding php tags to your CMS content absolutely does nothing.
Of course you could deploy some php code somewhere else and then use an iframe to display that page within your content in your cms.
Or, if you have control over the http headers of whatever php you want to serve from another server, you could use AJAX to get the information. Note that using AJAX to grab information from another server requires you to use CORS to bypass the security limitations of Javascript (same origin policy).
If all this does not ring a bell, you probably should not do it.
I have a Django installation that I would like to run multiple variations of the same site: same data, different static content, with an ultimate goal of demonstrating XYZ as implemented with various JavaScript frameworks. I would like to have different home pages load, and those pull their own distinct static content. (All intended projects are SPAs.)
I tried the solution at How can I get the domain name of my site within a Django template?, but on my system the incumbent site doesn't give a hostname of 'pragmatometer.com'; it gives a hostname of 'localhost:8000', because Django / Gunicorn is serving up pages as localhost. I tried specifying in /etc/hosts that pragmatometer.com is 127.0.0.1 and having Apache proxy to pragmatometer.com, but that resulted in an error. That leaves open the prospect of running separate hosts on different ports, which should be proxied as distinct, or making the homepage redirect to a URL-specific landing page, a solution which would sacrifice the clean URL of xyz.pragmatometer.com to demonstrate the XYZ framework implementation. I'm seeing multiple ways of duct taping it with JavaScript, only one or two of which I would want a future boss to see...
I would ideally like to have multiple (sub)domains' root URL's pulling a subdomain-specific homepage and the /load/*, /save/* etc. consistent across them. I would also like to have the root URL's pulling their own CSS and JavaScript, but that's easy enough if I can get the root URL working appropriately.
The best solution I am seeing so far is having separate server processes listening on the same IP, but having isomorphic servers running on different ports and proxied by different Apache VirtualHosts. Either that or having JavaScript detect the URL and overwrite the page with the "real" index for the domain, which has a bit of a smell.
Comments about a better solution or how to execute the above intent well?
--EDIT--
Or another approach which might be a little cleaner:
Have a home image that loads the contents of /framework/ for each framework, and then document.write()s it after the page is loaded enough for a document.write() to clobber existing page contents.
If I used jQuery to clobber and load a page in this fashion, would it leave behind any pollution that would interfere with frameworks working appropriately?
Your stack looks kinda crazy.
You want one webserver with Django which can be accessed by multiple domains. Each domain causes the Django application to serve different content. Did i understand you correctly?
If yes, maybe you are successful by replacing Apache by Nginx. It can resolve the requesting hostname and decide how to redirect the request:
What's the difference of $host and $http_host in Nginx
Multiple Domain Hosting With One Django Project
Update
Relevant nginx documentation for distinguishing between different hostnames:
http://nginx.org/en/docs/http/request_processing.html
http://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
Relevant nginx documentation for adding request headers:
http://nginx.org/en/docs/http/ngx_http_headers_module.html#add_header
Also see this answer:
Adding and using header (HTTP) in nginx
I have built a vb.net web application. I have tried to make it secure, with all users requiring a password to get in.
The only problem is that if anyone can guess (or detect using some kind of hacking tools) the url of the javascript file, they can download it and read it, without even having to log in first.
Is there any way that this can be prevented?
If the javascript file is not required as part of the logon process, then you can secure the file on the server so your users need to be authenticated and authorized in order to access it. This will prevent unauthorized access. Approaches to securing this file include using file system Access Control Lists (ACLs - 'Windows file permissions'), or using the "authorization" element in the ASP.NET web.config.
If the javascript file is required as part of the logon process, then you've got to give anonymous (unauthenticated) accees to the file, in which case you cannot prevent people being able to download it.
Don't serve the JS file up to people who haven't authenticated.
I don't known ASP.NET well enough to say what the best approach would be, but worst case is you stick it in a .aspx file, do the auth/authz stuff at the top, then set the right content type and serve it.