Free Ways To Hide Files From Snoopers
Sometimes database files must be protected from scrutiny. Files with email addresses or credit card information come to mind.
Even if the information isn't sensitive, it's still no one else's business.
Password management software can be obtained and installed. And elaborate file encryption methods can be employed.
But all that's rarely necessary just to protect some files.
Snooping generally occurs over the HTTP protocol. That's the protocol used by browsers, spiders, and snooping robots.
Other Protocols
Other protocols might be used, like FTP, telnet, or SSH. To access files with any of those protocols, your username and password must be known or guessed. Protecting access info could fill an entire other article, and much has been written on the subject. But here are just a few points to keep in mind:
- Use long passwords with non-alphanumeric characters interspersed.
- Change passwords after program installers, site designers, or other third-parties have been granted access to your server. (This is not an act of distrust. It's plain common sense. Passwords can be compromised unknowingly. If your server is broken into, your list of people who have the password is shorter. Honest installers and designers appreciate your thoughtful removing of possible suspicion.)
- Change server access passwords frequently. The more people have server access, the more likely inadvertent disclosure will occur, and the more often passwords should be changed.
- Don't use server access passwords in other applications like software control panels and membership sites. Server access passwords should not be used anywhere but for server access.
Protection From HTTP Protocol Snoopers
The HTTP protocol is the public's access to information on your server. It's primarily used to view files (like displaying web pages), but can also be used for activities like downloading files and submitting forms.
The HTTP protocol by itself cannot be used to change the contents on a server (it would require the cooperation of a program on the server). But HTTP can be used to view files.
And some files left exposed should not be viewed by the public.
Following are three protection methods: the file name extension spoof, the unfulfilled password, and the curtain.
The File Name Extension Spoof
Changing a database file name extension can force the server to treat the file as a different file type.
Specifically, renaming a file in the cgi-bin from file.txt to file.cgi or file.pl will cause an Internal Server Error when a browser tries to access it. That's because the server tries to run the database file as if it were a script, instead of displaying the file in the browser.
CGI programs can still access a file directly regardless of its file name: file.txt or file.cgi, it doesn't matter.
This is a great way to protect data stored in the cgi-bin.
The Unfulfilled Password Method
This is so cool. An entire directory is protected, but the password can never be guessed because no password has ever been assigned.
When server programs, like CGI programs, update files on a server in public locations other than the cgi-bin, browsers can be locked out of the entire directory with these four lines in the .htaccess file:
AuthName "No Access"
AuthType Basic
AuthUserFile /.missing
Require valid-user
The .htaccess file must be in the directory to be locked.
Because no AuthUserFile ".missing" exists on the server, no file containing passwords is available. No matter how long they try, snoopers can never guess a password that doesn't exist.
Browsers are locked out. But server programs can access the files directly.
This unfulfilled password method can also be used in the cgi-bin. But be careful that you don't lock out any CGI programs that need to be accessed with a browser. When only data files are in the directory, feel free to use this method.
The Curtain
With this method, you simply hide the files.
Put an index.html file in the directory where the files are located. The index.html file may be blank, if you wish. Alternatively, it can redirect snoop attempts to a different URL anywhere on the Internet.
With the index.html file in the directory, all other files in the directory are hidden. Snoopers must guess the file name in order to access it.
No links may point to any of the files to be hidden.
This "curtain" method is the least effective because the file names might be guessed and then the file viewed.
It's a quick method, though, and might be utilized when the file to be protected won't be on the server for a substantial length of time. An example of use would be to provide links to private web pages or downloadable files for clients or friends, with the files removed from the server immediately after they've served their purpose.
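To check which data files on a server are actually covered by the unfulfilled password or only by the curtain, the following audit script walks a web root and labels each data file. It is an added example, not code from the original article; the extension list, the function names and the sample tree are assumptions, and it inspects only each directory's own .htaccess file.

```python
import os
import re
import tempfile

DATA_EXTS = {".txt", ".csv", ".db", ".dat"}  # assumption: extensions treated as data files
# The four .htaccess lines from the article.
LOCK = 'AuthName "No Access"\nAuthType Basic\nAuthUserFile /.missing\nRequire valid-user\n'

def htaccess_lock(dirpath):
    """True if .htaccess requires a valid user but its absolute AuthUserFile path does not exist."""
    try:
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        return False
    requires = re.search(r"^\s*Require\s+valid-user\s*$", text, re.I | re.M)
    userfile = re.search(r'^\s*AuthUserFile\s+"?([^"\s]+)', text, re.I | re.M)
    path = userfile.group(1) if userfile else ""
    return bool(requires) and os.path.isabs(path) and not os.path.exists(path)

def audit(webroot):
    """Map each data file (path relative to webroot) to 'locked', 'curtain' or 'exposed'."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if htaccess_lock(dirpath):
            status = "locked"      # unfulfilled password: no credentials can exist
        elif "index.html" in files:
            status = "curtain"     # names hidden, file still served if the name is guessed
        else:
            status = "exposed"     # neither a lock nor an index file in this directory
        for name in files:
            if os.path.splitext(name)[1].lower() in DATA_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                report[rel.replace(os.sep, "/")] = status
    return report

def demo():
    """Build a constructed sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        tree = {"orders/.htaccess": LOCK, "orders/cards.txt": "", "tmp/index.html": "",
                "tmp/list.csv": "", "logs/visits.txt": ""}
        for rel, body in tree.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

A directory whose AuthUserFile points at a password file that does exist is deliberately not reported as "locked", since its password can then be guessed.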
Will Bontrager