We are trying to create a form for our users where they can upload images to our site. Let's say that we are uploading all the images to the folder images/uploads.
If the permissions for this folder are set to 777, it works perfectly well as all the permissions are granted. But if someone types in the browser: mydomain.com/images/uploads, any intruder can have access to all the files uploaded.
If we change the permissions to 711, now it is forbidden (403 error) for intruders to directly access mydomain.com/images/uploads, but our users can no longer upload files, as we get a PHP error "Permissions denied".
What is the best configuration for this case?
You can use .htaccess to prevent access to the directory listing:
Options -Indexes
You can also use this to prevent image hotlinking:
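RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
# Skip the replacement image itself so a hotlinked request is not redirected in a loop
RewriteCond %{REQUEST_URI} !/angryman\.gif$
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/angryman.gif [R,L]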
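The two symptoms in the question (403 on the folder and "Permissions denied" on upload under 711) both follow from the PHP process falling into the "other" permission class. This added example, which is not part of the original answer, reports the class an account falls into on a directory and what that class may do. It assumes GNU stat, and `no_such_web_user` is a constructed account name standing in for a PHP process that does not own the directory.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes GNU stat (coreutils).
# Root is not modelled: it bypasses these permission bits.

# audit_upload_dir DIR USER
# Prints which permission class USER falls into on DIR and what that class may do.
audit_upload_dir() {
    a_dir=$1; a_user=$2
    a_info=$(stat -c '%a %U %G' "$a_dir") || return 1
    set -- $a_info
    a_mode=$(printf '%04o' "0$1"); a_owner=$2; a_group=$3
    a_perms=${a_mode#?}                      # drop the setuid/setgid/sticky digit
    a_o=${a_perms%??}                        # owner digit
    a_g=${a_perms#?}; a_g=${a_g%?}           # group digit
    a_t=${a_perms#??}                        # other digit

    if [ "$a_user" = "$a_owner" ]; then
        a_class=owner; a_d=$a_o
    else
        case " $(id -Gn "$a_user" 2>/dev/null) " in
            *" $a_group "*) a_class=group; a_d=$a_g ;;
            *)              a_class=other; a_d=$a_t ;;
        esac
    fi

    # Creating a file needs w+x on the directory; listing it needs r+x.
    [ $(( a_d & 3 )) -eq 3 ] && a_w=yes || a_w=no
    [ $(( a_d & 5 )) -eq 5 ] && a_l=yes || a_l=no
    [ $(( a_t & 2 )) -ne 0 ] && a_ww=yes || a_ww=no
    echo "class=$a_class write=$a_w list=$a_l world_writable=$a_ww"
}

# Demo on a constructed temporary directory with the modes from the question plus 755.
demo_dir=$(mktemp -d)
for m in 777 711 755; do
    chmod "$m" "$demo_dir"
    echo "$m owner: $(audit_upload_dir "$demo_dir" "$(stat -c %U "$demo_dir")")"
    echo "$m other: $(audit_upload_dir "$demo_dir" no_such_web_user)"
done
rm -rf "$demo_dir"
```

For an upload folder the result to aim for is class=owner (or group) with write=yes and world_writable=no for the account PHP runs as. The listing Apache generates is a separate control, switched off by the Options -Indexes line above.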