Security tip wrt to downloads (J5/PC5)

Phoca Cart - complex e-commerce extension
lpatrick
Phoca Enthusiast
Phoca Enthusiast
Posts: 94
Joined: 13 Feb 2024, 17:00

Security tip wrt to downloads (J5/PC5)

Post by lpatrick »

This is not an issue, just a suggestion for either Installation information or Tips & Tricks.

I have looked into the security of downloads since that's what my customer will want to be selling and Joomla 5/Phoca Cart 5 handle this very well if I may say so. (I haven't yet tested older versions.)

What I mean is that even though folder names might be almost not guessable, there is no reason to have phocacartdownload open to the internet.

So it would be even safer to have the webserver deny access to it (via web server config file or .htaccess).

Downloads from within Phoca Cart will still function. But if you would copy the exact path of the downloadable file in the browser address bar, you will have no access to it. (Which you do if you don't deny access to phocacartdownload)
Tested with images and ZIP files.

One drawback: if you try to view or open the files in phocacartdownload with e.g. Phoca Commander, it will fail also. Which is a good test to see if the folder is actively locked down. If you really need to, you could copy it into another (tmp) folder temporarily.
Other operations (upload, copy, move, delete) work fine.

Thanks for reading
User avatar
Jan
Phoca Hero
Phoca Hero
Posts: 48386
Joined: 10 Nov 2007, 18:23
Location: Czech Republic
Contact:

Re: Security tip wrt to downloads (J5/PC5)

Post by Jan »

Hi, thank you very much for this info.

Do you have an example of specific line in .htaccess?

Jan
If you find Phoca extensions useful, please support the project
lpatrick
Phoca Enthusiast
Phoca Enthusiast
Posts: 94
Joined: 13 Feb 2024, 17:00

Re: Security tip wrt to downloads (J5/PC5)

Post by lpatrick »

Jan
I'm not using Apache but I searched and several options exist:
You could have a .htaccess in phocacartdownload itself with: Deny from all (I think you would have most control over that).
Or if you only want to add it to the main Joomla .htaccess in the folder, it would need to be something like:
RedirectMatch 403 ^/phocacartdownload/.*$ (assuming Joomla isn't in a subfolder of the site.

I used this in my server's nginx configuration file (in sites-available):
location /joomla/phocacartdownload {
deny all;
}

My joomla is in a subfolder so if it isn't, it would be:
location /phocacartdownload {
deny all;
}
User avatar
Jan
Phoca Hero
Phoca Hero
Posts: 48386
Joined: 10 Nov 2007, 18:23
Location: Czech Republic
Contact:

Re: Security tip wrt to downloads (J5/PC5)

Post by Jan »

Ok, thank you for the info.

Jan
If you find Phoca extensions useful, please support the project
Post Reply