Where on a web server is the best place to store a folder containing resume files? Inside web root or outside? What's safest?_问答_开发者

Where on a web server is the best place to store a folder containing resume files? Inside web root or outside? What's safest?

开发者 https://www.devze.com 2023-04-07 12:05 出处：网络

Suppose that I have this filepath going /www.mywebsite.com/content/ and that \'content\' is my webroot. S开发者_运维技巧hould I store these resume files inside a folder in the webroot like so:

Suppose that I have this filepath going /www.mywebsite.com/content/ and that 'content' is my webroot. S开发者_运维技巧hould I store these resume files inside a folder in the webroot like so:

/www.mywebsite.com/content/resumes/

and is this safe? I noticed that anyone could link to anyfile externally (without clicking on a proper link that I've created) to any of the files and I don't want this.

E.g.

http://mywebsite.com/resumes/bobs-resume.doc

would give them access Bob's resume even though they can't see what's in:

http://mywebsite.com/resumes/

Or should I just put the resumes folder outside of the webroot like so?

/www.mywebsite.com/resumes/

I know it kinda sounds obvious but I'd like to know if there's any caveats to storing files outside of the webroot. For example, how would I be able to create links to any of those files so that the right (authenticated and authorized) people can download them?

If it helps I'm also working on an Apache, PHP, MySQL stack so if anyone has any PHP specific solutions for this they would be most helpful.

Thank you in advanced for your help.

If you are working with Apache, you could add a .htaccess file to /resumes/ that contains deny from all which will prevent anyone from viewing the contents of that directory. Still I don't always recommend this because if the .htaccess file is removed, or not copied, then the directory is no longer secure. This happens easily when moving from one server to another. Also, that only works with apache and you would have to change your method for another server.

I would just as soon store them in a completely non web-accessible location such as /www.mywebsite.com/resumes/ as you suggested.

If you put the files outside the website root they will definitely be safe from accidental browsing - inaccessible unless somebody hacks into the server itself. You can then write a script that reads the file content from there and sends it to the browser - after authenticating the visitor (username/password, I guess).

Another possibility is to put the stuff in a site subfolder and require authentication to access that folder, i.e. password-protect the directory with .htaccess; you can send the password to the intended recipient, allow reasonable time to fetch the files and then change the password. A variation would be to compress the files in a ZIP file and set a password on it (or even encrypt the stuff with PGP).

Typically when I need to do stuff like this I put it in a dot folder (for example, /var/www/.resumes): this way it is in the web root and you can trivially access it but by default Apache won't serve any files from within a dot folder.