Comments on: Can I make this secure?

Question: Can I make this secure?

Ignatius J. Reilly — Sun, 23 Mar 2008 19:54:06 -0800

Is there an easy way for a non we-savvy person to create a password-protected url on which to demo a website before taking it "live?"

I have had an outside contractor develop a website for a client, and I want to be able to demo the site securely before taking it live. If I buy a domain and pay for hosting, is there an easy way that I make it require a password to view any web pages that are hosted there?

By: Fuzzy Skinner

Fuzzy Skinner — Sun, 23 Mar 2008 20:00:47 -0800

Many, if not most, web hosts allow the ability to password-protect a directory. The web hosting control panel should have a tool for this.

By: Ky

Ky — Sun, 23 Mar 2008 20:09:55 -0800

An easier method without the use of username/password is to first protect the main domain with an INDEX so that subdirectories can't be viewed. Then you can create a subdirectory with a long, unguessable name that only people who know the URL can view.

Example:

http://www.yourdomain.com/testsitefor2008blah

In www.yourdomain.com, you would place a blank INDEX file such as index.html:

<html><head><title>This is a blank index.</title>
</head><body></body><html>

How this works: All browsers look for a default index file (e.g. index.php or index.html or index.htm, etc.). If you create a blank HTML file with an index name, the user can surf to yourdomain.com but only sees a blank page. Without links going anywhere, and without knowing the exact name of your custom subdirectory, no one can possibly find it (so long as you really don't link it anywhere, such as posting to a forum).

Just remember to delete the custom subdirectory when the site goes live, along with the blank INDEX page.

By: Ky

Ky — Sun, 23 Mar 2008 20:16:50 -0800

I should note that if you wanted everything absolutely ready for quick publishing, then using the web host's online services for password protection certainly is the best way since you need only remove the password with the online tool. Be sure that the host you pick has the service, though, otherwise you may need to edit .htaccess files (on Apache servers).

The blank-index trick is useful for testing specific pages if you're not worried about the time it takes to reupload an entire site to the main domain.

By: twiggy

twiggy — Sun, 23 Mar 2008 23:03:15 -0800

Just to clarify a minor thing from Ky that may sound nitpicky, but matters...

It's not browsers that look for a default index file. It's the webserver that looks for that.

The reason this is relevant is that you can't just go through the list of possible index files (index.htm, index.html, index.php, index.asp) and expect that a browser will look for all of them and find whichever one you create. You'll need to know from your webhost what default index filenames are set up there to take advantage of this.

By: Pronoiac

Pronoiac — Mon, 24 Mar 2008 01:52:43 -0800

You might put the long URL into a subdirectory, & put the subdirectory into robots.txt as not-to-be-spidered. Instead of re-uploading, too, just move it if you have shell access.

By: inigo2

inigo2 — Mon, 24 Mar 2008 06:22:56 -0800

You might put the long URL into a subdirectory, & put the subdirectory into robots.txt as not-to-be-spidered.

It's my understanding (correct me if I'm wrong) that people sometimes look in the robots.txt specifically to find things that are hidden like that. As noted above, if you name the directory something unguessable, then it won't be spidered either. In theory. Password protecting is the safest bet.

By: Pronoiac

Pronoiac — Mon, 24 Mar 2008 10:18:49 -0800

Yes, if it shows up in robots.txt, it's sorta public, so put the random one another directory deeper within that don't-spider directory, if that's more clear.

By: SlyBevel

SlyBevel — Mon, 24 Mar 2008 10:18:55 -0800

The above, rephrased for those who are non-webby, such as Ted Stevens:

The Internet is a series of tubes. If you set up a page (one tube) with nothing else linking to it (other tubes), then there's no way for users to flow to your non-connected page. Unless someone accidentally finds your tube and makes connections for you.

So if you don't want your tubes connected to other tubes, hide them well. And don't let any cats in them.

By: Ky

Ky — Mon, 24 Mar 2008 11:25:43 -0800

Twiggy is absolutely right there. Sorry for the misinformation. :)