Preventing public access to hidden files and special directories

Forbidden

Preliminaries

This note describes how to block hidden files and special directories from being requested by the server.

Sometimes the public document directory contains files or directories that act in a supporting role, which shouldn't be accessible to the public. The server can be configured to block access to these files using the forbidden module.

Typical scenarios for this include third-party directories and hidden files. For example, metafiles that are used by software in the creation, versioning, and maintenance of a website, are typically placed under well-known directories. Also by way of example, filenames starting with a dot are often used to indicate that they are hidden files. By default, the server does not block access to either of these. Determining which files and directories are off-limits is up to the webmaster.

When properly configured, attempts to access these files using HTTP will fail with status code 403.

Configuration

The server's forbidden section is used to configure file pattern blocking. It comprises a collection of entries, where each entry is a path-pattern.

Refer to the separate note regarding Path Pattern rules.

Module

The forbidden module must be on to be effective.

Placement

The forbidden configuration section is subordinate to the request section; it may appear in either the server section or a host section. When values occur in both the server and host sections, they are merged according to the standard rules defined for the merge attribute.

Information Headers

When a file is blocked, a status code 403 is returned and a rw-forbidden information header is added to the response.

EBNF

SP ::= U+20
CR ::= U+0D
ASTERISK ::= U+2A
QUESTION-MARK ::= U+3F
SOLIDUS ::= U+2F
GRAVE-ACCENT ::= U+60
LEFT-CURLY-BRACKET ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
file-system-chars ::= (ALPHA | DIGIT | )*
wildcards ::= ASTERISK | QUESTION-MARK
path-pattern ::= (SOLIDUS | file-system-chars | wildcards)*
delimited-path-pattern ::= GRAVE-ACCENT path-pattern GRAVE-ACCENT
forbidden-entry ::= delimited-path-pattern CR
forbidden-section ::= 'forbidden' SP LEFT-CURLY-BRACKET CR
forbidden-entry*
RIGHT-CURLY-BRACKET CR

† Legal file system characters vary by platform

Cookbook

Example 1: forbidden module off
server {
modules {
forbidden off
}
}
Example 2: filename or directory matching
server {
modules {
forbidden on
}
request {
forbidden {
`/.gitignore`
`/.git/*`
`/img/obsolete/*`
}
}
}
Example 3: matching paths with trailing wildcards
server {
modules {
forbidden on
}
request {
forbidden {
`/img/*.bmp`
`/video/*-obsolete.mp4`
}
}
}
Example 4: matching paths with leading wildcards
server {
modules {
forbidden on
}
request {
forbidden {
`*/v1`
`*/*.webp`
}
}
}

Review

Key points to remember:

  • Blocking access to files is done with pattern matching that may optionally include wildcards.
  • Always delimit path-patterns with GRAVE-ACCENTS.
  • Patterns almost always begin with a SOLIDUS or an ASTERISK.

Preventing public access to hidden files and special directories