How To Secure Laravel Blade.php File

Time:08-26

I have a Laravel website. I am using Laravel in my website,

but my problem is that when I put this URL in the browser, https://example.com/resources/views/welcome.blade.php, the server directly shows the Blade page code in the browser.

can you tell me how to secure the blade.php file?

I am adding this code in .htaccess:

Order Allow,Deny
Deny from all

But I want that I can secure the entire blade page with a single code.

CodePudding user response:

Create a .htaccess file in the main directory with this code:

<IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteRule ^$ public/ [L]
    RewriteRule (.*) public/$1 [L]
</IfModule>

CodePudding user response:

URL rewriting / routing is what you want. You can turn the URI (everything after the / in www.example.com/) into just a way to route page requests to specific files and functions within those files. This obscures files and functions from users, as they would have to know both the specific filename (Classname) and the name of the available functions (methods) that exist in order to even begin to exploit them.

There are basically 3 parts:

  1. Capturing the URI in the URL (and the request method):
$route = ltrim(strtok($_SERVER['REQUEST_URI'], '?'), '/');
$method = $_SERVER['REQUEST_METHOD'];
  2. Defining specific file(s) / function(s) for your public-facing URIs ("routes"):
$routes = [
  'english/welcome' => [      // this is the public URI that you want users to see
     'GET' => [               // when the request to english/welcome is a GET request
        'controller' => 'welcome.blade.php',  // the file accessed at english/welcome
        'action' => 'welcome' // the desired function in that file to handle GET requests
      ],
      'POST' => [             // when the request to english/welcome is a POST request
        'controller' => 'Foo.php',  // can be the same file or a different file
        'action' => 'baz'     // specific function to handle POST requests (form submissions) to that URL
      ]
   ]
];
  3. Calling the function (which for a view probably returns an HTML string):
// Only routes and methods listed in $routes are served; anything else gets a 404.
if (!isset($routes[$route][$method])) { http_response_code(404); exit; }
$controller = $routes[$route][$method]['controller'];
$action = $routes[$route][$method]['action'];

require $controller;   // load the file that defines the handler function
$view = $action();     // call the function named in 'action'
echo $view;

A link to your welcome script would now be <a href="example.com/english/welcome">. Clicking it would make a GET request that calls public function welcome() within your file welcome.blade.php.

Note: defining functions as public, private and protected also adds a lot of security. Only functions that you define as "public" can be called from GET or POST requests (i.e. private and protected must be called from within the same/extended class).

Most files should have permissions set to 644 unless you have a specific need to set them to anything else.
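
For the question's request for a single rule that covers every Blade file, the following project-root .htaccess is an added example, not code from either answer. It assumes Apache honours .htaccess overrides in the project root (the directory holding app/, public/ and resources/), and it combines the question's deny rule with the first answer's rewrite.

```apache
# .htaccess in the project root (added example; assumes AllowOverride
# permits authorization and rewrite directives here).

# 1. Refuse direct requests for any Blade template, in any directory.
#    Apache 2.4 and later use mod_authz_core.
<IfModule mod_authz_core.c>
    <FilesMatch "\.blade\.php$">
        Require all denied
    </FilesMatch>
</IfModule>

#    Apache 2.2 fallback. Note there is no space after the comma
#    in "allow,deny"; a space makes the directive invalid.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.blade\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# 2. Send every request into public/, so paths such as
#    resources/views/ are never mapped to files in the project root.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^$ public/ [L]
    RewriteRule (.*) public/$1 [L]
</IfModule>
```

Both rules are workarounds for a web root that sits one level too high: pointing the virtual host's DocumentRoot at the public/ directory keeps resources/views/ out of the served tree altogether.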
