Security
The following advice is valid only if you're running the Apache HTTP server. Support for .htaccess files should be enabled in any case (you can change that in httpd.conf).
- Some directories that contain private stuff or sensitive configuration data (like protected/ and inc/) are and must be protected with a .htaccess file that just contains this line:
deny from all
- You have the option of moving inc/config.ini to another place in the file system or renaming it to config.php, if that makes you feel more secure. The name and path can be changed in the constructor of the AWF class in inc/classes.inc or in inc/config.inc and admin/inc/awf_admin_init.inc.
- The admin/ directory does not require password protection, but it's safer to add it. Example .htaccess file:
AuthType Basic
AuthName "Admin Backend"
AuthUserFile /home/username/path/accesslist
require valid-user
DirectoryIndex login.php
RewriteEngine Off
- You also have the option of protecting selected directories by denying access without an SSL connection (https). Example .htaccess file:
<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
- Depending on your server's configuration, you should also check the access permissions of your files. On UNIX systems, you can use the commands chmod and chown to change permissions. If you know what to check and do on Windows systems, please add this information here.
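
The checks from the list above, as an added example that is not part of the original page or of AWF itself: a shell audit that confirms protected/ and inc/ each carry a deny-all .htaccess and flags world-writable files inside them. The function names and the demo tree are constructed for illustration, and the check goes beyond the page by also accepting the Apache 2.4 form "Require all denied".

```shell
#!/bin/sh
# Added example: static audit of a web root for the protections listed above.
# protected/, inc/ and inc/config.ini are named on the page; the function
# names and the demo tree are constructed for this example.

# Succeeds if DIR/.htaccess has an uncommented deny-all line
# (the page's form, or "Require all denied" as used by Apache 2.4).
has_deny_all() {
    [ -f "$1/.htaccess" ] && grep -Eiq \
        '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$' \
        "$1/.htaccess"
}

# Prints one finding per line; returns 1 if there are findings, 0 if clean.
audit_webroot() {
    root=$1
    report=$(
        for dir in protected inc; do
            if [ ! -d "$root/$dir" ]; then echo "MISSING_DIR $dir"; continue; fi
            has_deny_all "$root/$dir" || echo "NO_DENY $dir/.htaccess"
            # World-writable files let any local account alter config or rules.
            (cd "$root" && find "$dir" ! -type l -perm -002 -exec echo WORLD_WRITABLE {} \;)
        done
    )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Builds a constructed sample tree in DIR: protected/ is set up correctly,
# inc/ lacks its .htaccess and inc/config.ini is world-writable.
make_demo_tree() {
    mkdir -p "$1/protected" "$1/inc"
    printf 'deny from all\n' > "$1/protected/.htaccess"
    printf '; constructed sample\n' > "$1/inc/config.ini"
    chmod 644 "$1/protected/.htaccess"
    chmod 755 "$1/protected" "$1/inc"
    chmod 666 "$1/inc/config.ini"
}

# Usage: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then audit_webroot "$1"; fi
```

The audit is static: it does not show that Apache actually honours .htaccess files, so also request a file under inc/ from a browser and expect a 403 response.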
Created: 08.01.2006 17:17 CET, Last Change: 21.01.2006 12:08 CET by admin





