Link to home
Start Free TrialLog in
Avatar of efz
efzFlag for United States of America

asked on

Limiting web browsing to certain folders

At our company web site we have a folder where we keep information and executables that are used by our software. While we need to have our programs to have access to the folder and its contents, we’d like to prevent clever users from being able to type the address of a file directly into their browser and thereby downloading the file. Is there a folder property I could set at the web server that would accomplish this?
Avatar of gfdos
gfdos

if the files are stored on a linux infrastructure you would use the .htaccess file in the directory:
http://www.javascriptkit.com/howto/htaccess11.shtml

are you using linux or windows for your web server?
for windows check out this:
http://learn.iis.net/page.aspx/557/translate-htaccess-content-to-iis-webconfig/

specifically the section titled "Directory Browsing"
Avatar of efz

ASKER

Many thanks for your speedy response. Your suggestions seems like just what I need. If I understand correctly I insert the line

        <directoryBrowse enabled="true" />

in the web.config file located in the sites root folder. What I don't understand is how this command is applied to one folder in particular. Visitors should be able to browse most of the site, no? I only wish to preclude them from a particular folder. The "directoryBrowse" directive seems to apply to the entire site doesn't it?
Avatar of efz

ASKER

There's a typo in my earlier comment. The directoryBrowse enabled value is supposed to be "false".

When I inserted that line into the web.config file, I was unable to browse any page of the web site without getting an error.

What's the secret?
with linux you can change it at any level -- since it is handled by .htaccess file at each folder.

The default for windows is off at all levels, so its kind of strange it was on for you....
Normally you dont want people to be able to browse your web directories at all.

Note: " The enabled attribute determines whether directory browsing is enabled for the site, application, or directory."
(from http://www.iis.net/ConfigReference/system.webServer/directoryBrowse)
Yet it doesn't have any instruction on how to re-enable it for a specific application or directory.

The default accepted way is to disable is altogether.
Is there a application or directory you DO want browsing re-enabled for?
The below shows how to enable it for an individual directory

<configuration>
  <location path="special_directory_name_here">
   <system.webServer>
    <directoryBrowse enabled="true" />
   </system.webServer>
  </location>
</configuration>

more info here:
http://blogs.iis.net/bills/archive/2008/03/24/how-to-enable-directory-browsing-with-iis7-web-config.aspx

Avatar of efz

ASKER

I'm on a Windows server by the way.

I should clarify my problem. We store executable files at our site:

http://www.mysite.com/afolder/myfile.exe

I was not being precise when I used the term "browsing". What you say is true, users by default cannot browse the "afolder", however they can download the myfile.exe file by typing the following line in their browser:

http://www.mysite.com/afolder/myfile.exe

My problem is that I need to be able to allow our programs begin used in the field to access these files (as they currently have been doing), but not allow users to download them directly by simply typing the path to the executable. Is that possible?
ASKER CERTIFIED SOLUTION
Avatar of gfdos
gfdos

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Depending on what you are using them for, you could make the names of the .exe files less obvious, so someone couldn't GUESS the name of the file.... but if they know the file is called "lmnop.exe" they would be able to get it.....

Still "lmnop.exe" is less obvious than "myapp.exe"
Avatar of efz

ASKER

So be it. Please accept my sincere thanks for your help.