Files firewall - Recipe for K3

#1

Hi Kirby team,

I saw that there is a Kirby V2 asset firewall tutorial to protect files from being accessed directly:

K2 Asset Firewall Recipe

When will you release a recipe for V3? I ask this because I want to create an internal area just for logged in users. Of course the internal files shouldn’t be accessible from outside. However, some things changed from V2 to V3 and a new recipe would be quite helpful.

Thanks for your answer.

Sphex

1 Like
#2

I created an issue for it in our website repo: https://github.com/getkirby/getkirby.com/issues/391

However, I cannot promise any ETA.

1 Like
#3

Any news on this? Or someone who could give me some hints?

#4

I might be off but I think this is sort-of built-in, considering following changes:

  1. Move your content folder out of the publicly accessible webroot folder of your webserver. Change Kirby’s index.php file for this, e.g.:

```php
<?php
// index.php in the public webroot; kirby/, content/ and site/ live one level above it
include __DIR__ . '/../kirby/bootstrap.php';

$kirby = new Kirby([
    'roots' => [
        'index'   => __DIR__,                 // the public webroot
        'content' => __DIR__ . '/../content', // content is no longer reachable by URL
        'site'    => __DIR__ . '/../site',
    ],
]);

echo $kirby->render();
```

  2. As long as you keep your internal area in draft status, I think nothing should be accessible?
#5

@bvdputte That won’t work because assets are moved to the media folder and will still be accessible there, at least if you know the URL. It’s not that easy to guess, but that would be security through obscurity more than anything else.

#6

I agree it’s not 100% safe, but as an “in-between hack” it’s not bad imho: you’d have to guess a filename + its hash. Good luck with that :sweat_smile:.

But I get your point-of-view, as long as you can’t guarantee no-file-access-to-unauthenticated-users you have to state this clearly.

#7

Thank you for your suggestions. It seems to be a workaround, but I’d rather implement a safer option because as you mentioned it is still not 100% safe (nothing is, but you get the point). However, I think I have no other choice for now. Unfortunately, I still haven’t managed to implement an asset firewall in V3 :frowning:
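A Kirby 3 route that serves a page’s files only to logged-in users, as an added example (it is not the official Kirby recipe and not code posted by anyone in this thread). It builds on the layout from post #4 (content folder outside the webroot) and avoids the media-folder problem raised in post #5 by never calling `$file->url()` for protected files. The page id `internal`, the route pattern `protected/...` and the file names are assumptions.

```php
<?php
// site/config/config.php (added example; not the official Kirby recipe and not
// code posted by anyone in this thread). Assumes Kirby 3 with the content folder
// moved out of the webroot as in post #4, and a page with id "internal" (an
// assumed id) that holds the files only logged-in users may download.
// The route pattern "protected/..." is also an assumption.

use Kirby\Http\Response;

return [
    'routes' => [
        [
            // e.g. GET /protected/internal/report.pdf
            // (:all) allows page ids with slashes (nested pages); (:any) does not,
            // so the filename segment can never contain a path separator.
            'pattern' => 'protected/(:all)/(:any)',
            'method'  => 'GET',
            'action'  => function (string $pageId, string $filename) {
                $kirby = kirby();

                // 1. Authentication: no logged-in user, no file. Deny before any
                //    lookup so the response does not reveal whether the file exists.
                if ($kirby->user() === null) {
                    return new Response('Forbidden', 'text/plain', 403);
                }

                // 2. Resolve the file through Kirby's page/file model instead of
                //    building a filesystem path from the URL; "../" cannot escape
                //    because only a file registered on that page can match.
                $page = page($pageId);
                $file = $page ? $page->file($filename) : null;

                if ($file === null) {
                    return new Response('Not found', 'text/plain', 404);
                }

                // 3. Read the file straight from content/ (outside the webroot).
                //    Because $file->url() is never called, no copy is created in
                //    /media, so the hashed media URL from post #5 never exists.
                return Response::file($file->root(), [
                    'headers' => [
                        'Cache-Control'          => 'private, no-store',
                        'X-Content-Type-Options' => 'nosniff',
                    ],
                ]);
            }
        ],
    ],
];
```

In the template for the internal area, link to these files with `url('protected/' . $page->id() . '/' . $file->filename())` rather than `$file->url()`; the media copy that post #5 describes is only created when a media URL is generated, so any other code path that still calls `$file->url()` for those files (including Panel previews) would bring the hashed media URL back. The route also keeps the draft question from post #4 out of the picture: access is decided by the login check, not by the page’s status.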