Preventing view / download of folders

[Insecure]

What is the best way to restrict or prevent the wholesale
view and http download of files from FP Web folders?

By examining the HTML for a site (or well known
FP 'hidden' folders), the location of most folders can
be easily found and their contents downloaded. For
example, "http://www.xyz.com/images/" will show all the
files in the 'images' folder making it easy to grab the
entire directory.

The same approach works for all folders except the
_private folder since it's permission settings restrict
access - but practically everything else can be
accessed. FP seems to be very touchy about changing
directory permissions when it comes to restricting
access. What is advised?

Sincerely Insecure

 

[Thomas A. Rowe]

What you are seeing means the permissions for your account are not set correctly. Contact your host
and have them disable browsing on the folder, as not one should be able to just get a listing of the
folder content.

To see what you should be seeing on your host, go to my site below and access the images folder.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, WebCircle, MS KB Quick Links, etc.
==============================================

 

[Insecure]

The permissions for the images folder are 755 on the
Apache/1.3.27 Server. Exactly what needs to be changed to
prevent browsing on a folder?

-----Original Message-----
What you are seeing means the permissions for your

account are not set correctly. Contact your host

and have them disable browsing on the folder, as not one

should be able to just get a listing of the

folder content.

To see what you should be seeing on your host, go to my

site below and access the images folder.

 

[Ronx]

As Thomas suggested, have your host disable folder browsing on your site.
This is a server setting, not a folder permissions setting.
Alternatively, place a default page (same filename as your home page) in
each folder. The user's browser will load this page, instead of a list of
files.
See www.rxs-enterprises.com/images/ for an example.

 

[Insecure]

For completeness of this topic, my Apache server
requires that a .htaccess file be placed in each
restricted folder. The file should be edited in order to
add a line:

Options -Indexed

to turn off indexing since the default is opposite to
expectations.

 

[Steve Easton]

Yep.
If you have the web masters CPanel check for a feature called Web Protect.
It will do it for you automatically.

--
Steve Easton
Microsoft MVP FrontPage
95isalive
This site is best viewed............
........................with a computer