How risky is putting sensitive files up on webroot?

@Gonzalez347

Posted in: #Security #WebHosting

I understand that having anything sensitive under the webroot is not smart; someone may be able to access it via URL. However, I do not have a choice with my web host (iPage), as they limit my server space to just the web root.

So my question is: how risky is it to just have sensitive files in a directory in a webroot with just simple forbidden public access? Any insight on this topic would be greatly appreciated.

EDIT: The 'sensitive files' are an installer for our startup's software and the PHP files that allow the download / control SQL access.


@Phylliss660

Your risk is greater than if the files were completely outside the webroot simply because they are accessible on the web. This means you are relying on the web server to secure something which would otherwise be freely available to anyone with the correct URL. This results in an increased attack surface with exposure to web server vulnerability exploits, whereas leaving them outside the webroot requires an attacker to obtain a greater degree of system access.

On the other hand, some thoughts about the effectiveness of security through obscurity with regard to file or directory names:

If the name of a specific file or directory is very difficult (or nearly impossible) to guess, e.g., its name is a GUID/UUID, then IMO the risk is greatly decreased because the difficulty of brute-forcing such a name is comparable to brute-forcing a complex password. Of course, this also means that legitimate access to such files becomes more difficult, but that's what bookmarks are for. Unauthenticated access might even be considered secure (to an extent; highly vulnerable to man-in-the-middle attacks) if the names are "sufficiently hard to guess" (this is the general criterion applied to a password).

Relying heavily on security through obscurity is generally discouraged, but my view is that we are indirectly practicing it all the time by using passwords.

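One way to put the answer's "rely on the web server to deny access" into practice on a PHP shared host, as an added example that is not from either poster: the installer lives in a sub-directory whose `.htaccess` refuses all direct requests, and a gatekeeper script is the only route to it. The directory name `private/`, the file name `installer-1.0.zip` and the `$_SESSION['authenticated']` flag are assumptions for the illustration.

```php
<?php
// Added example, not code from the original post. Assumes Apache honours
// .htaccess in this directory (AllowOverride) and that a separate login
// page sets $_SESSION['authenticated'] = true.
//
// private/.htaccess  (keeps the web server from serving anything in private/):
//
//     Require all denied
//
// (On Apache 2.2 the equivalent is "Order deny,allow" / "Deny from all".)
//
// This file, download.php, sits in the public webroot and is the only
// path by which the installer leaves the server.

session_start();

// Directory holding the installer, resolved to an absolute path so the
// realpath() comparison below is meaningful.
$privateDir = realpath(__DIR__ . '/private');

// Explicit allowlist of files that may be served. The .htaccess and the
// PHP/SQL helper scripts are not listed, so they can never be read out.
$allowed = ['installer-1.0.zip' => 'application/zip'];

// 1. Authentication: refuse everything unless the session says otherwise.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Input validation: only exact allowlisted names, so no "../" tricks.
$name = $_GET['file'] ?? '';
if (!isset($allowed[$name])) {
    http_response_code(404);
    exit('Not found');
}

// 3. Path check: the resolved file must still be inside $privateDir.
$path = realpath($privateDir . '/' . $name);
if ($path === false || strpos($path, $privateDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream the file without revealing where it is stored.
header('Content-Type: ' . $allowed[$name]);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

The deny rule is only as good as the host's configuration: after uploading, request `/private/installer-1.0.zip` directly in a browser and confirm you get a 403, because if `.htaccess` processing is disabled the file is simply served.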