
Protecting your template files



If you ever had your template stolen, here's how to prevent this from happening again:
.htaccess:

# Avoid directory browsing
Options All -Indexes

# Protecting *.tpl files
<FilesMatch "\.tpl$">
   Order allow,deny
   Deny from all
</FilesMatch>

Or, if you want some automation:
/admin/tabs/AdminGenerator.php (somewhere around line 107 (I'm using V 1.3 alpha 1))
change

// ErrorDocument
fwrite($writeFd, $this->_htData['ErrorDocument']['comment']."\nErrorDocument ".$this->_htData['ErrorDocument']['content']."\n");
fclose($writeFd);


to:

// ErrorDocument
fwrite($writeFd, $this->_htData['ErrorDocument']['comment']."\nErrorDocument ".$this->_htData['ErrorDocument']['content']."\n");
// Directory browsing
fwrite($writeFd, "\n# Avoid directory browsing\n");
fwrite($writeFd, "Options All -Indexes\n");
// Protecting templates
fwrite($writeFd, "\n# Protecting *.tpl files\n");
fwrite($writeFd, '<FilesMatch "\.tpl$">'."\n");
fwrite($writeFd, "\tOrder allow,deny\n");
fwrite($writeFd, "\tDeny from all\n");
fwrite($writeFd, "</FilesMatch>\n");
fclose($writeFd);


Now every time you generate the .htaccess file (from BO), it will add those lines.
What they do:
Options All -Indexes (suggested by Peter from AktywnySmyk.pl)
makes sure no one can get access to directory listing, even if the directory doesn't have an index file.

<FilesMatch "\.tpl$">
   Order allow,deny
   Deny from all
</FilesMatch>

This will disallow viewing or downloading any tpl files from your website (including those in modules/ folder).
I tried to warn every shop in Presta's showcase, but many people must have thought I'm some sort of hacker, trying to gain access to their web-sites by making them change their .htaccess file :)

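A way to check that a generated .htaccess really contains both protections from the post above, as an added example that is not part of the original post or of PrestaShop's code. The names `audit_htaccess` and `is_denied` and the sample files are constructed for illustration; beyond the post's `Order`/`Deny` pair, the check also accepts the Apache 2.4 `Require all denied` form and the glob form of `<Files>`.

```python
import fnmatch
import re

# Constructed sample: the two protections from the post, in Apache 2.2 syntax.
PROTECTED = r'''
Options All -Indexes
<FilesMatch "\.tpl$">
   Order allow,deny
   Deny from all
</FilesMatch>
'''
# Constructed sample: Apache 2.4 syntax, regex form of <Files>, no Options line.
APACHE_24 = r'''
<Files ~ "\.tpl$">
   Require all denied
</Files>
'''

BLOCK = re.compile(r'<(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</\1>',
                   re.IGNORECASE | re.DOTALL)
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)
NO_INDEX = re.compile(r'^\s*Options\b.*(?<!\S)-Indexes\b', re.I | re.M)

def _active(text):
    """Drop comment lines so commented-out directives are not counted."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))

def is_denied(text, filename):
    """True if a deny-all <Files>/<FilesMatch> section matches this base name."""
    for tag, tilde, pattern, body in BLOCK.findall(_active(text)):
        if not DENY.search(body):
            continue
        if tag.lower() == "filesmatch" or tilde:
            # Python's re stands in for Apache's PCRE; fine for simple patterns.
            try:
                if re.search(pattern, filename):
                    return True
            except re.error:
                continue
        elif fnmatch.fnmatchcase(filename, pattern):
            return True
    return False

def audit_htaccess(text, probes=("header.tpl", "product.tpl")):
    """Report whether listings are off and every probe template is blocked."""
    return {"indexes_disabled": bool(NO_INDEX.search(_active(text))),
            "tpl_denied": all(is_denied(text, p) for p in probes)}
```

A file where the `Order`/`Deny` lines appear without the surrounding `<FilesMatch>` section reports `tpl_denied` as false, because the deny is then not scoped to *.tpl files.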

Hi, Jack. There's no way, really: css, as well as javascript are client-side technologies. So it's like trying to prevent someone from downloading a picture from your website: there's no real way. Probably the only thing you can do is to minify your css code (it will also make it work faster (because of the smaller size)), but it will only stop amateurs.


Thanks for the reply. If they have my css and JS, it means they got everything.... :-S

Thank you again for the help.

One more question: is there a way I can minify my entire site codes such as css, js, php, and tpl?


That depends on what IDE you're using to develop your web-site in: there might be some plugins for it.
You may also be interested in WEBO, they have a public beta version: it does pretty much everything to optimize your site: minifying, gzipping, spriting, etc. The installation is pretty easy, but I should warn you that I personally haven't used it on a live site yet, only at localhost.
Pretty handy tool: it even backs up your original files before changing them, so you can always undo the changes it has made.
And then there's Google Minify, YUI Compressor, and the list can go on: just google for "minify css" or "minify javascript".

Thank you very much for taking the time to reply to my questions.

  • 6 months later...

Hello,

Thank you for your solutions. I tried to edit AdminGenerator.php to handle 403 error by adding

$tab['ErrorDocument']['content'] = '403 '.__PS_BASE_URI__.'404.php';

right after

// ErrorDocument
$tab['ErrorDocument']['comment'] = '# Catch 404 errors';
$tab['ErrorDocument']['content'] = '404 '.__PS_BASE_URI__.'404.php';

For the ErrorDocument part, the generated .htaccess only shows
ErrorDocument 403 /404.php

Am I missing something? Please help. Thank you.


I get the following error when I make the changes you suggest:

Server error!

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there was an error in a CGI script.

If you think this is a server error, please contact the webmaster.

Error 500

www.[website].com
Wed Sep 15 11:52:25 2010
Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.7e mod_auth_pgsql/2.0.3

ANY IDEAS?!
