File and Directory Permissions and Web Security

The wrong permissions on a web file or directory can cause security problems. Be sure you understand the security issues involved with permissions before you change them!

If you do not want the world to be able to access a file or directory, do not put it anywhere under your web directory!

Any file under your web directory that is readable by other, and any directory under your web directory that is executable by other, is accessible from the web. Even though the file or directory may not show up in a link or a directory index, someone could possibly guess the URL for the file or directory and access it.

If you have enabled autoindexing for a directory, then anything in that directory can be seen on the web.

If you do not want the server to display the contents of a directory, then you have two choices. You can create a file named index.html, index.htm, index.shtml or index.php in the directory. Or, you can remove read permission for other from the directory.
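The checks described above can be run over a whole web directory. The following is an added example, not part of the original page: a Python audit that reports files readable by other, directories executable by other, and directories readable by other that contain none of the index files named above. The function name audit_web_dir and the command-line argument are assumptions made for the example.

```python
import os
import stat
import sys

# Index file names listed on this page.
INDEX_NAMES = ("index.html", "index.htm", "index.shtml", "index.php")


def audit_web_dir(web_root):
    """Return (readable_files, enterable_dirs, listable_dirs) under web_root.

    readable_files: regular files with the read bit set for "other"
    enterable_dirs: directories with the execute bit set for "other"
    listable_dirs:  directories readable by "other" that hold no index file,
                    so the server could display their contents
    """
    readable_files, enterable_dirs, listable_dirs = [], [], []
    # os.walk does not follow symbolic links to directories by default.
    for dirpath, _dirnames, filenames in os.walk(web_root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IXOTH:
            enterable_dirs.append(dirpath)
        has_index = any(name in filenames for name in INDEX_NAMES)
        if mode & stat.S_IROTH and not has_index:
            listable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: symbolic links are not reported
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                readable_files.append(path)
    return sorted(readable_files), sorted(enterable_dirs), sorted(listable_dirs)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    files, dirs, listable = audit_web_dir(root)
    for label, paths in (("readable by other", files),
                         ("executable by other", dirs),
                         ("listable (no index file)", listable)):
        for p in paths:
            print(f"{label}: {p}")
```

Run it as the account that owns the web directory; directories that account cannot read are skipped by the walk.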

Server-side includes must be used responsibly.

Server-side includes can allow you to create web pages that run processes on the web server. Before creating this kind of server-side include, make sure that you have considered all the security implications for the code you want to run. Badly written code could potentially cause security problems for everyone who uses the web server.