So My issue is as follows. My users can upload files and profile images into the app, Right clicking a profile image and opening in a new tab shows the image (which I want)

https:/my-app.com/storage/profile-photos/sad65f87as5f.png

If I remove the filename part of the url then I get forbidden which I also want

https:/my-app.com/storage/profile-photos

If I then however remove profile-photos from the url it lists all the folders in my storage directory. How do i make this forbidden?

https:/my-app.com/storage

In addition I have an uploads folder in the storage directory and this and all its contents are publicly available.

I'm using apache php8.1 and laravel9 in this project. It is also a production environment.

CodePudding user response：

You can disable browsing of a folder when there is no index, if you add Options -Indexes into your .htaccess in your storage folder.

CodePudding user response：

There are a few ways you can hide the storage directory in a Laravel 9 application:

Use a middleware: You can create a middleware that checks the requested URL and denies access to any URL that starts with storage. For example, you can create a middleware called ProtectStorage and add it to the kernel.php file:

class ProtectStorage
{
    public function handle($request, Closure $next)
    {
        if ($request->is('storage/*')) {
            abort(403, 'Access Forbidden');
        }

        return $next($request);
    }
}

Use filesystems.php: You can set the url property to null for the local disk in the config/filesystems.php file:

'disks' => [
    'local' => [
        'driver' => 'local',
        'root' => storage_path('app'),
        'url' => null,
    ],
],

In order to access to the files on your local machine you will have to configure them.