Tech Tip: Web folder access and restricting files from web users
PRODUCT: 4D | VERSION: 19 | PLATFORM: Mac & Win
Published On: March 29, 2023

The web folder
When creating a web application, it is important to restrict web users from accessing sensitive files and folders. Every file under the web root folder is public: the web server hands it to any web user who asks for it.

For example, an attacker who knows (or guesses) the layout of the web folder can fetch a file simply by typing its path into the URL.

Conversely, anything outside the web folder cannot be reached through a URL at all. The setup below builds on that: the sensitive files live outside the web folder, and the On Web Authentication and On Web Connection database methods decide, per request, whether and to whom they are served.


The setup to serve files outside of the web folder

  1. Create a folder on the same level as the web folder, i.e. inside the database folder next to it. You can name it anything you like; for this example it is named “Restricted”. The On Web Connection code below builds the folder’s path from Get 4D folder(Database folder), so the name and location must match what the code expects.

  2. Put the web assets to protect (e.g., .html files, images) in this folder. For this example, the web server will serve the “restricted.html” file. Note: do not keep a copy of any of these files in the web root folder. A file in the web root is served directly by the web server, so a duplicate there is reachable by every web user regardless of this implementation.

  3. Set up the login authentication protocol of your choice. In this case, the BASIC protocol is used with the username/password credentials “username” and “password”.

  4. Input the following code into the “On Web Authentication” database method:

    // On Web Authentication database method

    // parameters
    // $0 = return value (True = connection accepted, False = connection refused)
    // $1 = URL
    // $5 = username credential
    // $6 = password credential
    C_BOOLEAN($0)
    C_TEXT($1; $5; $6)

    Case of
        // restrict a single file; "@" is a wildcard, so this branch matches
        // any URL that ends in "/restricted.html"
        : ($1="@/restricted.html")
            If (($5="username") & ($6="password"))  // BASIC protocol (or use another authentication protocol here)
                $0:=True
            Else
                $0:=False
            End if
        Else  // connection is accepted for all other URLs
            $0:=True
    End case

  5. Input the following code into the “On Web Connection” database method:

    // On Web Connection database method
    // handles requests to the 4D web server that are not served directly from the web folder
    // note: runs after the On Web Authentication database method has accepted the request

    // parameters
    // $1 = URL
    // $rootPath = platform path to the Restricted folder
    // $url = URL with its leading "/" removed
    // $fullPath = $rootPath + $url, with platform folder separators
    C_TEXT($1; $rootPath; $url; $fullPath)

    // root path to the Restricted folder
    // Folder separator is a character code (":" on Mac, "\" on Windows), so wrap it in Char
    $rootPath:=Get 4D folder(Database folder)+"Restricted"+Char(Folder separator)

    Case of
        : ($1="/@")  // every request URL starts with "/", so this branch always runs
            // remove leading "/" from URL
            $url:=Delete string($1; 1; 1)

            // concatenate root path to Restricted folder and url from web request,
            // replacing "/" with the platform folder separator
            // note: $url is appended as-is; nothing in this method itself checks
            // that $fullPath still points inside the Restricted folder
            $fullPath:=$rootPath+Replace string($url; "/"; Char(Folder separator))

            // if the path leads to a file, send it
            If (Test path name($fullPath)=Is a document)
                WEB SEND FILE($fullPath)
            End if
    End case
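The following is an added example and not code from the 4D tech tip. It reworks the two database methods above around one shared resolver so that (a) every file On Web Connection would serve from Restricted is gated, not only restricted.html, and (b) the path built from the URL is confined to the Restricted folder before anything is sent. The project method name Restricted_Resolve is hypothetical; the example uses the #DECLARE syntax and the File/Folder classes available in 4D v19, keeps the page’s “username”/“password” credentials, and computes the expected digests from those literals purely for illustration. The three methods are shown one after another and belong in three separate methods.

```4d
// ---- Project method "Restricted_Resolve" (hypothetical name) ----
// Maps a request URL onto a file inside the Restricted folder.
// Returns the 4D.File when the URL names an existing regular file that sits
// inside that folder, and Null in every other case.
#DECLARE($url : Text) -> $file : 4D.File

var $root : 4D.Folder
var $relative : Text

$file:=Null
$root:=Folder(fk database folder).folder("Restricted")

// Drop the leading "/" so the remainder is a relative POSIX path
$relative:=$url
If (Substring($relative; 1; 1)="/")
    $relative:=Delete string($relative; 1; 1)
End if

// Early reject: an empty path, a ".." segment or a backslash (Char(92))
// is never legitimate here, so refuse it before touching the file system.
If (($relative="") | (Position(".."; $relative)#0) | (Position(Char(92); $relative)#0))
    $file:=Null
Else
    $file:=$root.file($relative)
    // Containment check on the resolved object, independent of how the URL
    // was spelled: it must exist, must not be an alias/symlink, and its POSIX
    // path must start with the Restricted folder's path.
    If ((Not($file.exists)) | $file.isAlias | (Position($root.path; $file.path)#1))
        $file:=Null
    End if
End if

// ---- On Web Authentication database method ----
#DECLARE($url : Text; $header : Text; $browserIP : Text; $serverIP : Text; $user : Text; $password : Text) -> $accept : Boolean

var $userDigest; $passwordDigest : Text

If (Restricted_Resolve($url)=Null)
    $accept:=True  // does not map into Restricted: public, as in the original
Else
    // Gate every file the resolver would serve, not one file name.
    // Expected digests are computed from the page's literal credentials only
    // for this example; a real application reads stored hashes instead.
    // Comparing digests rather than raw text sidesteps 4D's text comparison
    // rules ("=" is case-insensitive and interprets "@" as a wildcard).
    $userDigest:=Generate digest("username"; SHA256 digest)
    $passwordDigest:=Generate digest("password"; SHA256 digest)
    $accept:=(Generate digest($user; SHA256 digest)=$userDigest) & (Generate digest($password; SHA256 digest)=$passwordDigest)
End if

// ---- On Web Connection database method ----
#DECLARE($url : Text; $header : Text; $browserIP : Text; $serverIP : Text; $user : Text; $password : Text)

var $file : 4D.File

// Runs only after On Web Authentication accepted the request, so any file
// the resolver returns is one this client was allowed to see.
$file:=Restricted_Resolve($url)
If ($file#Null)
    WEB SEND FILE($file.platformPath)
End if
// Otherwise nothing is sent, as in the original method.
```

Restricted_Resolve is deliberately called from both database methods: the authorization decision and the file actually sent must come from the same path logic, otherwise an attacker looks for a URL that the authentication check ignores but the connection handler serves. For real user accounts, replace the literal digests with hashes stored per user, generated with Generate password hash and checked with Verify password hash.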

Testing your application from the web client side
  1. Start the web server and open the web browser of your choice to test the restricted file serving.
  2. Request the path to your restricted file (“/restricted.html” for this example). On Web Authentication sees that no credentials were sent and refuses the request, which triggers the BASIC login prompt; the “restricted.html” file is served only to clients that present the correct credentials. Also request, without credentials, a second file placed in Restricted: the On Web Authentication method above gates only URLs ending in “/restricted.html”, so any other file in that folder is returned to anyone, and the Case of must be extended (or the folder kept to that single file) before this setup is used for real.