Where best to store images and video?

Posted on 2014-08-12
Last Modified: 2014-08-12
Currently I am storing video and images inside the root directory using Apache. Yesterday, however, I created a folder outside the root directory and tested storing video there with the .htaccess below to limit the file types stored there to image and video. The .htaccess worked.

ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff

I then discovered this article, which, if I understand it correctly, suggests it's safer to store outside the root directory. But I must create an image tag with src= pointing to a separate PHP file to serve images, instead of the image or video address like I currently have. My guess is that this way keeps the image/video folder address hidden. Please shed some light on this for me.
http://www.creativebloq.com/web-design/website-security-tips-protect-your-site-7122853

1. If I store outside the root directory, must I use a PHP file instead of the directory address in the image tag's src= attribute? That is, will just an image/video address in the src= attribute work? I have not tested this.

2. If I am correct, my PHP page as is pings the server for every call to the database. There are multiple calls to the database on each page. Now, if I add to that a PHP file (inside the src= attribute) for every image on the main page to deliver image addresses, and there will be 10 or more images, will this ping the server for each image address I seek? Assume I am building the next Twitter. I want to be efficient.

3. With the above .htaccess in place, is the idea of storing outside the root directory overkill and not worth the extra pings to the server? I read that Google keeps images in a blob store. Maybe that's a clue.

Thanks for your advice.
Question by:kadin
10 Comments
 

Expert Comment

by:Gary
ID: 40257214
1. Yes - a browser only has access to your root folder and below
2. See 3
3. Yes - a waste of time. If this is intended as some kind of security measure to protect your content, then you are just wasting your time, because in reality it does nothing to protect your content.
If you want to stop hotlinking to your content then there are other ways to do it.
 

Author Comment

by:kadin
ID: 40257219
Thanks for your response.

Are you saying it is a waste of my time because with the .htaccess above it is already pretty secure?
What other ways of doing it are you referring to?

Expert Comment

by:Gary
ID: 40257228
What is the purpose of what you are doing?

Author Comment

by:kadin
ID: 40257237
I forgot to mention the purpose is to prevent someone uploading a PHP file disguised as an image file. The above .htaccess forces the type and stops PHP files from being executed.

And the purpose is also general security for matters I am unaware of.

Expert Comment

by:Gary
ID: 40257243
Ermmm how could someone disguise an image file as a PHP file?
For a php file to go through the PHP parser it has to end in .php
Do you mean someone uploading the file and then browsing to it?
If so just use a normal folder under your root, add an .htaccess file to the folder and in the .htaccess add this

<Files  ~ "\.php$">
  Order allow,deny
  Deny from all
</Files>



Author Comment

by:kadin
ID: 40257251
how could someone disguise an image file as a PHP file?
I read on this page that double extensions can get through. filename.php.jpg
https://www.acunetix.com/websitesecurity/upload-forms-threat/

My .htaccess above should also prevent this, if I read correctly here, or at least prevent the PHP file from being executed.
https://github.com/blueimp/jQuery-File-Upload/wiki/Security

Expert Comment

by:Gary
ID: 40257260
Ok, if you use the following in your .htaccess it will block everything that is not in the image list, even if they add another extension to it like file.php.xkd

Order Allow,Deny 
Deny from all 
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
    Allow from all
</FilesMatch>


Author Comment

by:kadin
ID: 40257271
Do you think I can add what you said to what I already have? Because I think there are additional security measures in what I have.

Order Allow,Deny 
Deny from all 
<FilesMatch "\.(jpg|jpeg|gif|png)$">
Order Deny,Allow
    Allow from all
</FilesMatch>


ForceType application/octet-stream
Header set Content-Disposition attachment
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff


Accepted Solution

by:Gary (earned 2000 total points)
ID: 40257273
You can do so you end up with

ForceType application/octet-stream
Header set Content-Disposition attachment
Order Allow,Deny 
Deny from all 
<FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$">
Order Deny,Allow
    Allow from all
    ForceType none
    Header unset Content-Disposition
</FilesMatch>
Header set X-Content-Type-Options nosniff


There is no point having the folder outside your root - you are just making more work for yourself with no benefit
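As an added example (not code from this thread or from Gary's configuration), a Python check an upload script could run in addition to the accepted .htaccess: matched_by_htaccess applies the FilesMatch pattern from the accepted solution to a filename, and validate_upload is an assumed stricter upload-time rule that allows exactly one allowlisted extension (so a double-extension name like the filename.php.jpg mentioned earlier is refused) and also requires the file's leading bytes to match that format. The sample filenames and byte strings are constructed.

```python
import re

# Allowlist from the accepted .htaccess: FilesMatch "(?i)\.(gif|jpe?g|png|mpeg|flv|mp4)$"
HTACCESS_ALLOW = re.compile(r"\.(gif|jpe?g|png|mpeg|flv|mp4)$", re.IGNORECASE)

# Stricter rule (assumed) for the upload handler: exactly one dot, so a
# double-extension name such as shell.php.jpg is refused even though the
# Apache pattern above matches its final ".jpg".
SINGLE_EXT = re.compile(r"^[A-Za-z0-9_-]+\.(gif|jpe?g|png|mpeg|flv|mp4)$", re.IGNORECASE)

# Leading bytes each allowed format starts with, taken from the public format specs.
# MP4 is checked at offset 4 because a 4-byte box size precedes the "ftyp" tag.
MAGIC = {
    "gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    "jpg": [(0, b"\xff\xd8\xff")],
    "jpeg": [(0, b"\xff\xd8\xff")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "flv": [(0, b"FLV\x01")],
    "mp4": [(4, b"ftyp")],
    "mpeg": [(0, b"\x00\x00\x01\xba"), (0, b"\x00\x00\x01\xb3")],
}

def matched_by_htaccess(name: str) -> bool:
    """Would the accepted FilesMatch rule treat this name as an image/video?"""
    return HTACCESS_ALLOW.search(name) is not None

def validate_upload(name: str, head: bytes) -> tuple:
    """Upload-time check: single allowlisted extension AND matching magic
    bytes. `head` is the first 16 bytes of the uploaded file."""
    m = SINGLE_EXT.match(name)
    if not m:
        return False, "name must be <basename>.<one allowed extension>"
    ext = m.group(1).lower()
    for offset, sig in MAGIC[ext]:
        if head[offset:offset + len(sig)] == sig:
            return True, "ok"
    return False, "content does not start like a ." + ext + " file"

if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    samples = [
        ("photo.JPG", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        ("clip.mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 4),
        ("fake.png", b"<?php echo 1;"),
    ]
    for name, head in samples:
        print(name, "htaccess:", matched_by_htaccess(name), "upload:", validate_upload(name, head))
```

Running it shows that the Apache allowlist admits shell.php.jpg by its final extension while the upload-time check refuses it, and that fake.png is refused on its contents even though its name is fine.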

Author Closing Comment

by:kadin
ID: 40257278
Thanks for your help. I will leave folder inside root.