Preventing public access to hidden files and special directories
Forbidden
Preliminaries
This note describes how to block hidden files and special directories from being requested by the server.
Sometimes the public document directory contains files or directories that act in a supporting role, which shouldn't be accessible to the public. The server can be configured to block access to these files using the forbidden
module.
Typical scenarios for this include third-party directories and hidden files. For example, metafiles that are used by software in the creation, versioning, and maintenance of a website, are typically placed under well-known directories. Also by way of example, filenames starting with a dot are often used to indicate that they are hidden files. By default, the server does not block access to either of these. Determining which files and directories are off-limits is up to the webmaster.
When properly configured, attempts to access these files using HTTP will fail with status code 403
.
Configuration
The server's forbidden
section is used to configure file pattern blocking. It comprises a collection of entries, where each entry is a path-pattern.
Refer to the separate note regarding Path Pattern rules.
Module
The forbidden
module must be on
to be effective.
Placement
The forbidden
configuration section is subordinate to the request
section; it may appear in either the server
section or a host
section. When values occur in both the server
and host
sections, they are merged according to the standard rules defined for the merge
attribute.
Information Headers
When a file is blocked, a status code 403
is returned and a rw-forbidden
information header is added to the response.
EBNF
SP | ::= | U+20 |
CR | ::= | U+0D |
ASTERISK | ::= | U+2A |
QUESTION-MARK | ::= | U+3F |
SOLIDUS | ::= | U+2F |
GRAVE-ACCENT | ::= | U+60 |
LEFT-CURLY-BRACKET | ::= | U+7B |
RIGHT-CURLY-BRACKET | ::= | U+7D |
file-system-chars | ::= | (ALPHA | DIGIT | †)* |
wildcards | ::= | ASTERISK | QUESTION-MARK |
path-pattern | ::= | (SOLIDUS | file-system-chars | wildcards)* |
delimited-path-pattern | ::= | GRAVE-ACCENT path-pattern GRAVE-ACCENT |
forbidden-entry | ::= | delimited-path-pattern CR |
forbidden-section | ::= | 'forbidden' SP LEFT-CURLY-BRACKET CR forbidden-entry* RIGHT-CURLY-BRACKET CR |
† Legal file system characters vary by platform
Cookbook
Example 1: forbidden module off
server {
modules {
forbidden off
}
}
Example 2: filename or directory matching
server {
modules {
forbidden on
}
request {
forbidden {
`/.gitignore`
`/.git/*`
`/img/obsolete/*`
}
}
}
Example 3: matching paths with trailing wildcards
server {
modules {
forbidden on
}
request {
forbidden {
`/img/*.bmp`
`/video/*-obsolete.mp4`
}
}
}
Example 4: matching paths with leading wildcards
server {
modules {
forbidden on
}
request {
forbidden {
`*/v1`
`*/*.webp`
}
}
}
Review
Key points to remember:
- Blocking access to files is done with pattern matching that may optionally include wildcards.
- Always delimit path-patterns with GRAVE-ACCENTS.
- Patterns almost always begin with a SOLIDUS or an ASTERISK.