security - Laravel 4: how to protect assets folder?

I come from CodeIgniter where files/folders are typically protected this way:

.php files

<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

index.html files

<html>
<head>
    <title>403 Forbidden</title>
</head>
<body>

<p>Directory access is forbidden.</p>

</body>
</html>

I guess can be possible with .htaccess or hard way but, how can be done using Laravel 4? is there a way using its 'standards'?

Edit: Is a project built for shared hosting.

/assets/{css, img, js}
/packages
/system/{app, bootstrap, vendor, index.php, .htaccess, favicon.ico}

4 Answers

  1. Quentin- Reply

    2019-11-16

    You need to make a file .htaccess, after that you need to add the following:

    # Disable Directory Browsing
    Options All -Indexes
    
  2. Randall- Reply

    2019-11-16

    You should set up your application so that everything outside of the initial public directory is outside of your document root. That's one of the reasons why Laravel actually ships with a public directory. Typically most people will symlink this directory to the document root. Anything inside public is, obviously, public. If you'd like your assets directory to be inaccessible you could opt to use htaccess or an index.html file much like how you've described.

    If, for whatever reason, you need to shuffle some things around and have your actual application files within your document root then you'll need to implement some form of security if you see the need. This, again, could either be using htaccess or an index.html file. Typically a htaccess approach is simpler. If you wanted to protect the app directory you could drop a .htaccess file in there that looked something like this.

    deny from all
    
  3. Randolph- Reply

    2019-11-16

    I have provided a similar answer to this type of question here: Laravel image gallery logic

    In principle - you should store all your assets outside of public - and use PHP readfile() to securely serve them to users as required.

  4. Randy- Reply

    2019-11-16

    The answer might be a year late, but I thought it might help others who want to tackle something similar.

    Check out Kelt Dockins' post here. The Codesleeve Laravel Asset Pipeline would allow you to have your assets folder outside your /public folder, securely.

Leave a Reply

Your email address will not be published. Required fields are marked *

You can use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>