Protecting Externally Generated HTML Reports in Joomla
A number of reporting applications will generate extensive interactive HTML web sites that are very useful, but can be hard to secure behind a login, especially when you must incorporate HTML from a number of different report generators. Fortunately, there is a relatively simple way to do this in Joomla using the “wrapper” menu item type. The example that follows shows how to do this in situations where you want to secure the HTML report from scanning and indexing by search engines, but do not require absolute security. This might apply to content that is not confidential or proprietary, but which would generate unwanted email inquiries were it to be indexed. This approach will meet many low security needs but does not provide total security; see the discussion during the section on modifying .htaccess for more information on security issues with this approach.
Step 1: Upload the HTML Web Report
The first step is to upload the HTML report into its own directory; you do not want to mix your report files in with anything else. It should be a directory that is only accessible to people who are trusted and authorized, so it probably should not be a subdirectory in the images or other media directory. The directory name should not be identical to the names used for any categories, tags or articles, as this will make URL collisions a problem and create issues for SEO. If you will have a lot of reports, you will probably want to create some kind of directory hierarchy.
For security reasons that will be described later, your directory name should contain a random string that is eight or more characters.
Step 2: Fix Permissions on HTML Web Report Using Akeeba Admin Tools
The next step is to make sure that the directory and file permissions are secure–755 for directories and 644 for files. Many of the report generator tools do not pay attention to this.
In Akeeba Admin Tools, go to the Custom Permissions option shown in Figure 1 and make sure that your directories are listed with the proper permissions, and select Apply; using shell access or some other means, verify that the permissions were set properly using ls -l or some other command.
Step 3: Create Menu Option for HTML Wrapper
Next, create a new menu options using the Wrapper option as shown in Figure 2. Put your HTML report’s URL in the option field as shown in Figure 3. If you want to restrict access, change the Access from “Public” to a particular group as shown in Figure 3.
If you used a secure group for access, only logged in users will be able to locate the information, and search engines will not find the pages for indexing. However, if someone knows the URL, they could still get to it directly without any difficulty; we still need to secure access by changing the .htaccess file.
Step 4: Add Custom Rules to .htaccess Using Akeeba Admin Tools
To secure the HTML report from direct access, you must add lines to the .htaccess file that is used to control Apache. There are perhaps a million ways to do this but the easiest relies on the way that Joomla implements the wrappers. For the wrapper menu option, Joomla uses the iframe HTML tag; this has the side effect that all accesses to these HTML pages through your site will have your site as the referrer. We will write .htaccess rules that prevent access to the files if the referrer is not your site. This still leaves open the hole that someone could spoof the referrer and guess the correct URL and get access to the files, thus the recommendation that you use unique random strings in the directory names.
The URL will be visible to logged in authorized users via “View Source”. If one of those logged-in, authorized users decides that the HTML report should be publicly visible, that uses can post the URL at which point it will be possible for a malicious user to spoof the referrer and gain access. Well-behaved search engines still would not index the page, unless the logged-in, authorized user posted the link in a publicly accessible and indexable area of your site.
For many applications this is an acceptably small attack window, but it should be recognized that it is an open window, however small.
Figure 4 contains the code that you should use in your .htaccess file. Make sure to replace the domain and directory in the example with your own domain and directory.
.htaccess file to block accesses that were not referred by your site. Replace “domain.com” with your domain name and “3ab|6jz|z1m|m9z” with the directories that contain your HTML reports.
#
# Block direct access to HTML Report directories
#
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain.com
RewriteRule ^(3ab|6jz|z1m|m9z)/.*\.(css|html)$ - [F]
Step 5: Modify Module Display for Report Menus
The final step in the process of adding an HTML report to your Joomla website is optional and depends on the report and template that you are using. Many reports will benefit from having a wide column layout. If you have navigation, recent articles, popular articles or other Joomla modules to the left and right of your HTML report, you might get some awkward or unusable line wraps. To give your report a wider column, you may want to omit these Joomla modules from the menu options that drive these HTML reports as shown in Figure 5.
