security

I already took out mailto links to prevent harvesting. The public email address is displayed using [at] instead of @. A human can read it, but a bot cannot.

For further security, I added a couple of .htaccess files. These are strange beasts: when I first tried, I got 404 errors on every page, so I quickly took them out. This time round I started simple.

A reminder to myself, there must always be a “.” at the start of the file name, and it’s always in plain text format. The trick I find is saving and loading it as htaccess.txt, then changing the name to .htaccess (no suffix) in control panel.

1. Disable hotlinking
Hotlinking is when someone links to an image directly on the source website. So when other people view the page or click on the image, the source server has to send the image over. This is bandwidth stealing. The person who wants to show that image should save the file on their own server and use their own bandwidth.

Place the .htaccess in the same folder as the images that should not be hotlinked. Code:

RewriteEngine on
# Let through requests that carry no Referer header at all (direct visits, privacy-stripping browsers).
RewriteCond %{HTTP_REFERER} !^$
# Let through requests whose Referer is this site (dots escaped so they match literally;
# only http:// is accepted here, so add https? if the site is served over TLS).
RewriteCond %{HTTP_REFERER} !^http://(www\.)?invisiblecompany\.com(/)?.*$ [NC]
# Any other request for one of these image types gets 403 Forbidden.
RewriteRule .*\.(gif|jpg|jpeg|bmp)$ - [F,NC]

This will deal with gif, jpg, jpeg and bmp files. If other file formats need to be blocked, like png, just add “png” to the list.

I’ve created a public images folder on the website so if I ever need to make an image available that’s where it will go. Like putting avatars or images on some forums, or for whatever reason.
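To see what the referer rule above actually lets through, here is a small Python model of its three-line logic (an added example, not the blog's own configuration), using the post's domain invisiblecompany.com. It shows that an empty Referer is allowed, that an https:// referer from your own site is rejected by an http://-only pattern, and that the trailing (/)?.*$ accepts any host that merely begins with the domain; a stricter pattern that requires the host to end right after the domain is shown beside it.

```python
import re

# The post's RewriteCond pattern (dots escaped, http:// only, trailing (/)?.*$).
POST_ALLOWED = re.compile(r"^http://(www\.)?invisiblecompany\.com(/)?.*$", re.IGNORECASE)
# Stricter form: http or https, and the host must end right after the domain.
STRICT_ALLOWED = re.compile(r"^https?://(www\.)?invisiblecompany\.com(/|$)", re.IGNORECASE)
# Image types named in the post's RewriteRule ([NC] = case-insensitive).
IMAGE_EXT = re.compile(r"\.(gif|jpg|jpeg|bmp)$", re.IGNORECASE)

def hotlink_decision(path, referer, allowed=STRICT_ALLOWED):
    """Return the HTTP status the .htaccess rule would produce for a request.
    Mirrors the post's rule: an empty Referer passes (!^$), a Referer matching
    our own site passes, anything else asking for an image gets 403 ([F])."""
    if not IMAGE_EXT.search(path):
        return 200          # the rule only applies to the listed image types
    if referer == "":
        return 200          # direct visits / stripped Referer are allowed through
    if allowed.search(referer):
        return 200          # our own pages may embed our images
    return 403              # everyone else is refused

# Constructed sample requests (path, Referer header).
CASES = [
    ("/images/logo.jpg", ""),
    ("/images/logo.jpg", "http://www.invisiblecompany.com/page.html"),
    ("/images/logo.jpg", "https://invisiblecompany.com/"),
    ("/images/logo.jpg", "http://invisiblecompany.com.example.org/"),
    ("/images/logo.jpg", "http://other.example/forum"),
    ("/docs/readme.txt", "http://other.example/forum"),
]

def compare():
    """Decide every sample case under both patterns: (path, referer, post, strict)."""
    return [(p, r, hotlink_decision(p, r, POST_ALLOWED), hotlink_decision(p, r))
            for p, r in CASES]

if __name__ == "__main__":
    for path, ref, post, strict in compare():
        print(f"{path:18} referer={ref!r:45} post={post} strict={strict}")
```

The fourth case is the one to watch: a hostname that merely starts with your domain satisfies the post's pattern but not the strict one, and the third case shows your own https pages being refused by an http://-only pattern.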

2. Directory listing
Sometimes people enter URLs like http://domain.com/folder/ to get a listing of the files in that folder. Most of the time it’s harmless, but why let them know so much? To prevent directory listing, place the .htaccess file in the applicable directory, or in the root for the entire site. Very simple code for the file:

# Hides every entry from the automatic index, so the listing comes back empty.
# (Options -Indexes disables the listing outright with a 403 instead of serving an empty one.)
IndexIgnore *

.htaccess can also be used to impose a password for particular folders. This seems pretty neat. I’ll get round to it eventually.