A malicious user could try to probe the server hosting the API by truncating a Rails API URL such as http://nraj.blog.com/v1/blog/posts.json back to its parent paths, like so –
- http://nraj.blog.com – gives a nice Apache test page
- http://nraj.blog.com/v1 – shows a directory listing of v1
- http://nraj.blog.com/v1/blog – shows another nice index page (the Rails default welcome page)
Each of these leaks something about the stack (web server, directory layout, framework) for free.
Change these default settings so that each of the above returns either nothing or a 403 Forbidden –
- http://nraj.blog.com – Comment out the contents of /etc/httpd/conf.d/welcome.conf (the CentOS/RHEL default welcome page) and reload Apache.
- http://nraj.blog.com/v1 – In the Apache config, inside the <Directory> block for the document root, turn directory listings off with -Indexes, like so –
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks +MultiViews
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
Note that Apache refuses a mix of bare and +/- prefixed options ("Either all Options must start with + or -, or no Option may"), so either prefix every option as above or simply leave Indexes out of a bare list. The Order/Allow lines are Apache 2.2 syntax; on 2.4 the equivalent is Require all granted.
- http://nraj.blog.com/v1/blog – Route the application root to an action that answers with a 403 (it responds directly rather than redirecting, so nothing else is revealed). Define the action in a concrete controller such as PostsController, not in ApplicationController: a route maps to an action on a specific controller, and ApplicationController is only the base class the others inherit from. If the app still ships the Rails default public/index.html, delete it as well, since a static file in public/ is served before the routes are consulted.
routes.rb –
    root :to => 'posts#root_page'   # same as match '/' => 'posts#root_page' in Rails 3
Define the root_page action in PostsController as –
    def root_page
      # head sends the status with an empty body; do not also call render,
      # or Rails raises a DoubleRenderError (the action may only respond once)
      respond_to do |format|
        format.html { head :forbidden }
        format.json { head :forbidden }
        format.any  { head :forbidden }   # any other format gets 403 rather than 406
      end
    end
This takes care of unauthenticated probing of the API URL's parent directories: a client can only reach the endpoints that actually exist.
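The same policy, generalized a little and expressed as a Rack-style middleware so it can be exercised without Apache or Rails: any request for the API root or one of its parent paths is refused with a 403, negotiated as HTML or JSON much like the respond_to block above, while real endpoints pass through untouched. This is an added example, not code from the original post; it is plain Ruby with no gems (the Rack call(env) convention is reproduced by hand), the API prefix /v1/blog and the stand-in API app are assumptions, and the request environments are constructed for the demonstration.

```ruby
# Rack-compatible middleware (plain Ruby, no gems): refuse the API root and every
# parent directory of it, pass everything else to the wrapped app.
class ForbidParentPaths
  def initialize(app, api_prefix)
    @app = app
    # '/v1/blog' -> ['v1', 'blog']; leading/trailing slashes are ignored
    @prefix_segments = api_prefix.split('/').reject(&:empty?)
  end

  def call(env)
    segments = env['PATH_INFO'].to_s.split('/').reject(&:empty?)
    return @app.call(env) unless parent_of_api?(segments)
    forbidden(env)
  end

  private

  # true for '/', '/v1' and '/v1/blog' itself when the prefix is '/v1/blog';
  # false for '/v1/blog/posts.json' (longer) and for '/v2' (different branch)
  def parent_of_api?(segments)
    segments.length <= @prefix_segments.length &&
      segments == @prefix_segments.first(segments.length)
  end

  # 403 with a body in the format the client asked for (extension or Accept header)
  def forbidden(env)
    wants_json = env['PATH_INFO'].to_s.end_with?('.json') ||
                 env['HTTP_ACCEPT'].to_s.include?('application/json')
    if wants_json
      [403, { 'Content-Type' => 'application/json' }, ['{"error":"forbidden"}']]
    else
      [403, { 'Content-Type' => 'text/html' }, ['<h1>403 Forbidden</h1>']]
    end
  end
end

# Stand-in for the Rails API (assumption): only the posts endpoint exists.
API = lambda do |env|
  if env['PATH_INFO'] == '/v1/blog/posts.json'
    [200, { 'Content-Type' => 'application/json' }, ['[{"id":1,"title":"hello"}]']]
  else
    [404, { 'Content-Type' => 'text/plain' }, ['not found']]
  end
end

APP = ForbidParentPaths.new(API, '/v1/blog')

# Build a minimal GET environment by hand (constructed, not from a real server)
# and return the [status, headers, body] triple the middleware produces.
def request(path, accept = 'text/html')
  APP.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'HTTP_ACCEPT' => accept)
end

if __FILE__ == $PROGRAM_NAME
  ['/', '/v1', '/v1/blog', '/v1/blog/posts.json', '/v2'].each do |path|
    status, headers, body = request(path)
    puts "#{path.ljust(20)} #{status} #{headers['Content-Type']} #{body.join}"
  end
end
```

Run it as a script to see the five probes side by side: the three parent paths from the post get 403, the real endpoint gets 200, and a path outside the API branch falls through to the app's own 404. Returning 403 rather than 404 for the parents is a deliberate choice matching the post; switching forbidden to return 404 would hide even the existence of the prefix.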
PS: You could also try your hand at URL rewriting to achieve any of the above targets. A good resource for URL Rewriting – http://borkweb.com/story/apache-rewrite-cheatsheet