How secure is htaccess Deny from all?

I have a file that I don't want to be accessed by anyone except my own server (by php request). I am using the following in my .htaccess:

<Files myfile.xml>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>

But I was wondering, how secure is this? Is there any way that someone might be able to get around this and get to the file directly? In my PHP file I have:

simplexml_load_file("myfile.xml")

to get the data, and I am also using

if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')

So no one can access that file directly (only by Ajax). What do you guys think about using this method?

Since you're directly naming a file, it's only secure if myfile.xml is the ONLY way to get at that file. If someone has shell level access to your server, and can create a hardlink to that file using a different name, e.g. ln myfile.xml heehee.txt, then they'll be able to get the file's contents vi heehee.txt, because they're not getting at it via the 'myfile.xml'.

Best practice is to keep files outside of the document root entirely. This doesn't stop the symlink/hardlink attacks, but it does keep certain bypass attacks at bay.

If you're reading the file in a script, this doesn't go through Apache at all, so you don't even need to allow localhost. Simply deny all, and that's it.

(plus other answer about the best place is out of document root - only use deny all if your permissions don't let you put the file elsewhere, e.g. you have a base restriction in effect)

Is there any way that someone might be able to get around this and get to the file directly?

In short, NO.

Is it secure.

That's why Deny from all was invented.

What do you guys think about using this method?

Absolutely not necessary until you host foreign php code on your localhost.

This is basically security on the webserver level. If there is another breach, i.e. through an SQLi attack which is using the local filesystem or some remote file inclusion security breach, you're pretty much pwned. So I would consider encrypting the file, and ACL/chmod it down to only the most necessary users/groups; also, most servers/webhosting companies provide a private/ dir for such data.
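
The conditions the answers above warn about (a second hardlinked name, placement inside the document root, loose file permissions) can be checked from the file's metadata. This Python audit is an added example, not code from any of the posts; the function names, finding labels and the public_html/private layout are assumptions, and the files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def audit_protected_file(path, docroot):
    """List reasons a file meant to be private could still be exposed."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is-symlink")        # the name is only a pointer to the data
        st = os.stat(path)                   # inspect the target from here on
    real = os.path.realpath(path)
    root = os.path.realpath(docroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside-docroot")    # only the <Files> rule protects it
    if st.st_nlink > 1:
        findings.append("hardlinked")        # same data is reachable under another name
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")    # any local account can read it
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit two placements."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "public_html")   # assumed document root
        private = os.path.join(base, "private")       # assumed directory outside it
        os.mkdir(docroot)
        os.mkdir(private)

        exposed = os.path.join(docroot, "myfile.xml")
        with open(exposed, "w") as fh:
            fh.write("<data/>")
        os.chmod(exposed, 0o644)
        os.link(exposed, os.path.join(docroot, "heehee.txt"))  # second name, as in the first answer

        locked = os.path.join(private, "myfile.xml")
        with open(locked, "w") as fh:
            fh.write("<data/>")
        os.chmod(locked, 0o600)

        return audit_protected_file(exposed, docroot), audit_protected_file(locked, docroot)


if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```

A file that returns no findings is reachable only through the script that reads it, which is the state the "keep it outside the document root" and "chmod it down" advice aims for.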