Zend - 拒绝访问 CSS、JS、图像文件
所有,
我有以下 Zend 应用程序结构:
helloworld
- application
- configs
- controllers
- models
- layouts
- include
- library
- public
- design
-- css
-- site.css
-- js
-- global.js
-- images
-- siteheader.gif
-- sitefooter.gif
- .htaccess
- index.php
public 文件夹中的我的 .htaccess 文件如下所示:
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
我的文档根指向“public”文件夹。目前,如果用户访问目录级 URL(例如:http://localhost/design 或 localhost/css) ,我上面的 .htaccess 文件确保向他显示“访问禁止”页面。但是,如果他访问文件级 URL(例如:http://localhost/design/css/site.css) css),它向他显示 CSS 文件或 js 文件或 PHP 文件。
如果直接从 URL 访问,如何确保锁定上述文件类型的文件级访问?由于我的应用程序是 JS 密集型的,因此我希望保护它不被用户查看。
谢谢
All,
I have the following Zend application structure:
helloworld
- application
- configs
- controllers
- models
- layouts
- include
- library
- public
- design
-- css
-- site.css
-- js
-- global.js
-- images
-- siteheader.gif
-- sitefooter.gif
- .htaccess
- index.php
My .htaccess file in public folder looks like this:
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ index.php [NC,L]
My document root points to the "public" folder. Currently, if the user visits a directory level URL, (Ex: http://localhost/design or localhost/css) , my .htaccess file above make sure to show him the "Access Forbidden" page. But if he visits the file level URL, (Ex: http://localhost/design/css/site.css), it shows him the CSS file or the js file or PHP file..
How can I make sure to lock file level access for the above file types, if accessed directly from the URL? Since my application is JS intensive, I want to protect it from users looking at it.
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
你不能——浏览器必须能够访问它才能显示它,并且浏览器可以看到的任何内容,用户都可以看到。
可能可以限制对发送引荐来源网址标头的浏览器的访问,但这可能会破坏某些浏览器不发送引荐来源网址的用户的网站,并且当用户尝试查看引荐来源网址时,这对您没有帮助。页面时,他们可能会查看浏览器已经下载的用于呈现网站的副本,而不是获取新的副本。
话虽如此,您可以使用 YUI compresser 之类的脚本来减小您的文件大小JavaScript,也有助于降低其可读性:)。
You can't -- the browser has to be able to access it to display it and anything the browser can see, the user can see.
It may be possible to restrict access to browsers sending a referrer header, but that may break your site for some users whose browsers don't send a referrer and it doesn't help you as when a user tries to look at the source for the page, they will probably look at the copy which their browser has already downloaded for use in rendering the site rather than fetching a fresh copy.
Having said all that, you can use a script like YUI compresser to reduce the size of your JavaScript, helpfully also making it less readable :).
这是不可能的。例如,如果您有一个 JavaScript 文件
并且阻止它被打开,那么它也会阻止通过包含该文件的页面打开,因为浏览器将向同一页面发出单独的 HTTP 请求(在后台)。
但是,您可以使用某种哈希值来仅允许授权请求。
换句话说,使用服务器端来处理特殊的事情。不要使用 JavaScript 进行搜索。
This isn't possible. For example, if you have a JavaScript file
and you prevent it from being opened, it will also prevent opening by way of pages including it, as the browser will make a separate HTTP request (in the background) to the same page.
You could, however, use a hash of some sort to only allow authorised requests.
In other words, use server side for special stuff. Don't use JavaScript for seekrit stuff.