Security question: Is it a good practice to name folders on the server by names that are difficult to guess (8+ symbols, not a simple "admin" or "services")? I'm asking about folders that contain not just icons or .js files or .css files, but .php files and are protected by .htaccess file (deny from all).
Security: Is it a good practice to name folders on the server that are difficult to guess?
167 views Asked by Haradzieniec At
3
There are 3 answers
0
Gazler
On
This is security through obscurity. While there is no harm in doing it, it doesn't give anything in terms of security.
0
Alex Howansky
On
Good practice would be to keep your PHP files outside your web server's document root. E.g., if your doc root is /var/www, then you might have there just a single index.php file, and all that file does is launch your app:
```php
<?php
// index.php: the only PHP file inside the document root (/var/www)
set_include_path('/something/besides/var/www');
require_once 'foo.php';
require_once 'bar.php';
do_something();
```
This way, your web server doesn't even know that the PHP files exist, and can't serve them even if you have an accidentally misconfigured .htaccess.
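A way to check an existing deployment against the layout described above, as an added example that is not part of the original answer: it walks a document root and lists PHP files other than the front controller, separating those with no protection at all from those whose only barrier is an .htaccess deny rule. The function name, the extension list and the deny-rule regex are assumptions of this example, and the .htaccess check is a heuristic that does not model overrides in deeper directories.

```python
import os
import re
import sys

# Heuristic: Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied"
# on an uncommented line of an .htaccess file.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)
PHP_EXTS = (".php", ".phtml", ".inc")  # assumed list of script extensions


def audit_docroot(docroot, front_controllers=("index.php",)):
    """Return (exposed, htaccess_only), paths relative to docroot.

    exposed:       PHP files with no deny rule in their directory or a parent.
    htaccess_only: PHP files whose only barrier is an .htaccess deny rule,
                   which is lost if the rule or AllowOverride is misconfigured.
    """
    docroot = os.path.realpath(docroot)
    allowed = {os.path.join(docroot, f) for f in front_controllers}
    exposed, htaccess_only, denied_dirs = [], [], set()
    for dirpath, dirnames, filenames in os.walk(docroot):  # parents first
        dirnames.sort()
        denied = os.path.dirname(dirpath) in denied_dirs  # inherited rule
        htaccess = os.path.join(dirpath, ".htaccess")
        if not denied and os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                denied = bool(DENY_RE.search(fh.read()))
        if denied:
            denied_dirs.add(dirpath)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(PHP_EXTS) or path in allowed:
                continue
            rel = os.path.relpath(path, docroot)
            (htaccess_only if denied else exposed).append(rel)
    return exposed, htaccess_only


if __name__ == "__main__" and len(sys.argv) > 1:
    exposed, guarded = audit_docroot(sys.argv[1])
    for rel in exposed:
        print("EXPOSED       ", rel)
    for rel in guarded:
        print("HTACCESS-ONLY ", rel)
```

Both lists come back empty once the application code lives outside the document root; a hard-to-guess folder name does not change which list a file lands in.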
No. Security through obscurity isn't.
Plus it's really irritating for anybody using the machine via a shell, ftp, etc.
What would it protect against? Regardless of names, folder access should be handled by the machine's and/or network's normal security mechanisms. If they get past that, it doesn't matter what your artifacts are named–Ur PwNeD.