Where best to store images and video?
Currently I am storing video and images inside root directory using Apache. Yesterday however, I created a folder outside root directory and tested storing video there with below .htaccess to limit file types stored there to image and video. The .htaccess worked.
ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff
I then discovered this article that if I understand it correctly suggests it's safer to store outside root directory. But I must create image tag src=" separate php file to serve images, - instead of image or video address like I currently have". My guess is, this way keeps the image/video folder - address - hidden. Please shed some light on this for me.
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853
1. If I store outside root directory, must I use php file instead of directory address in image tag src= attribute? That is, will just an image/video address in src= attribute work? I have not tested this.
2. If I am correct, my php page as is pings the server for every call to the database. There are multiple calls to the database on each page. Now If I add to that a php file (inside src= attribute) for every image on main page to deliver image addresses, and there will be 10 or more images, will this ping the server for each image address I seek? Assume I am building the next twitter. I want to be efficient.
3. With the above .htaccess in place, is the idea of storing outside root directory (over kill) and not worth the extra pings to the server? I read that google keeps images in a blob store. Maybe that's a clue.
Thanks for your advice.
ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff
I then discovered this article that if I understand it correctly suggests it's safer to store outside root directory. But I must create image tag src=" separate php file to serve images, - instead of image or video address like I currently have". My guess is, this way keeps the image/video folder - address - hidden. Please shed some light on this for me.
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853
1. If I store outside root directory, must I use php file instead of directory address in image tag src= attribute? That is, will just an image/video address in src= attribute work? I have not tested this.
2. If I am correct, my php page as is pings the server for every call to the database. There are multiple calls to the database on each page. Now If I add to that a php file (inside src= attribute) for every image on main page to deliver image addresses, and there will be 10 or more images, will this ping the server for each image address I seek? Assume I am building the next twitter. I want to be efficient.
3. With the above .htaccess in place, is the idea of storing outside root directory (over kill) and not worth the extra pings to the server? I read that google keeps images in a blob store. Maybe that's a clue.
Thanks for your advice.
ASKER
Thanks for your response.
Are you saying it is a waste of my time because with the .htaccess above it is already pretty secure?
What other ways of doing it are you referring to?
Are you saying it is a waste of my time because with the .htaccess above it is already pretty secure?
What other ways of doing it are you referring to?
What is the purpose of what you are doing?
ASKER
I forgot to mention the purpose is to prevent someone uploading a php file descized as an image file. The above .htaccess forces type and stops php's from being executed.
And the purpose is also general security for matters I am unaware of.
And the purpose is also general security for matters I am unaware of.
Ermmm how could someone disguise an image file as a PHP file?
For a php file to go through the PHP parser it has to end in .php
Do you mean someone uploading the file and then browsing to it?
If so just use a normal folder under your root, add an .htaccess file to the folder and in the .htaccess add this
For a php file to go through the PHP parser it has to end in .php
Do you mean someone uploading the file and then browsing to it?
If so just use a normal folder under your root, add an .htaccess file to the folder and in the .htaccess add this
<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>ASKER
how could someone disguise an image file as a PHP file?
I read on this page that double extensions can get through. filename.php.jpg
https://www.acunetix.com/websitesecurity/upload-forms-threat/
My above htaccess should also prevent this if I read correctly here: Or at leased prevent the php file from being executed.
https://github.com/blueimp/jQuery-File-Upload/wiki/Security
I read on this page that double extensions can get through. filename.php.jpg
https://www.acunetix.com/websitesecurity/upload-forms-threat/
My above htaccess should also prevent this if I read correctly here: Or at leased prevent the php file from being executed.
https://github.com/blueimp/jQuery-File-Upload/wiki/Security
Ok, if you use the following in your .htaccess it will block everything that is not in the image list, even if they add another extension to it like file.php.xkd
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>ASKER
Do you think I can add what you said to what I already have? Because I think there is additional security measures in what I have.
Order Allow,Deny
Deny from all
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
ForceType none
Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniffASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for your help. I will leave folder inside root.
2. See 3
3. Yes - waste of time - if this is as some kind of security measure to protect your content then you are just wasting your time to prevent it when it is in reality doing nothing to protect your content.
If you want to stop hotlinking to your content then there are other ways to do it.