
Merchant Tips

Server Configuration

Are you aware that your Miva Merchant Script directory is open for viewing by anyone on the Web?

On a properly configured server, this is not a problem because the Miva Script files (those with an .mv extension) will be executed by the Miva Engine rather than displayed in a Browser as source code.

However, see if any of the following apply to you:

  1. You save every release of Merchant and rename the older source files with an extension such that the files no longer end with .mv.
  2. You are a Merchant Developer and you store the various versions of your modifications on your Web server in the Merchant directory. You give these modified files extensions other than .mv.
  3. You are a Merchant Developer that documents every change that is made to a Merchant source file and your documentation includes the source code changes that should be made. You store this change log in your Merchant directory with a .doc or .txt extension.
  4. You store data such as User IDs and Passwords in your Merchant directory.
  5. You store download instructions or other such information in your Merchant directory.
  6. You simply do not want people poking around in your Merchant Script directory.

If you answered Yes to any of the above questions then you need to protect your Merchant Directory from prying eyes.

Note that a Merchant Script directory is not the same as a Merchant Database directory.

On a properly configured server, the Database files are stored outside of your Document Root (which means they will not be accessible by anyone using a Web Browser). The Merchant Script directory is, however, a directory inside of your Document Root and it contains the Merchant Script files as well as the graphic files that power your Store.

Is your Merchant Directory Secure?

If you are like most Merchant users, your Merchant Script directory is called Merchant2 and is located off of your Document Root directory.

Example:

Your Web site is http://www.myweb.com/

Your Merchant directory would then be:

http://www.myweb.com/Merchant2/

Browse to your Web Site and then append /Merchant2/ to the Address or Location of your site:

If, for example, your site is:

http://www.myweb.com

append

/Merchant2/

so that you end up with

http://www.myweb.com/Merchant2/

Substitute "myweb.com" with your own domain name and substitute "Merchant2" with the directory name where Merchant is installed (in most cases this will be Merchant2).

Are you able to see the Merchant files and all of the Merchant sub-directories? If Yes, then your Merchant directory is not secure. If you received a 404 Error ("File not Found") then you didn't type the URL to your Merchant directory correctly. On Unix boxes, case is significant ("Merchant2" is different from "merchant2"). If you received a 403 Error ("Not Authorized"), then you are in good shape but you should check the Merchant sub-directories and make sure you can't look inside of them as well.
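The same check can be scripted so that the sub-directories are covered as well. The following is an added example, not part of the original tip; the function names and the sample responses are constructed for illustration, and a listing is recognised by the "Index of /" page title that Apache generates.

```python
import urllib.error
import urllib.request

def classify(status, body):
    """Map one HTTP response to the outcomes described in the text above."""
    if status == 200 and "<title>index of /" in body.lower():
        return "exposed"        # Apache-generated directory listing
    if status == 200:
        return "index-page"     # an index.html (or similar) was served instead
    if status == 403:
        return "forbidden"      # listing refused: the desired result
    if status == 404:
        return "not-found"      # wrong path; check the letter case
    return "other"

def http_fetch(url):
    """Fetch a URL and return (status, body), including for 4xx/5xx answers."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_store(base_url, subdirs=("",), fetch=http_fetch):
    """Classify the Merchant directory and each listed sub-directory."""
    base = base_url.rstrip("/") + "/"
    return {base + sub: classify(*fetch(base + sub)) for sub in subdirs}

# Constructed sample responses so the example runs offline.
SAMPLE = {
    "http://www.myweb.com/Merchant2/": (403, ""),
    "http://www.myweb.com/Merchant2/modules/": (
        200, "<html><head><title>Index of /Merchant2/modules</title></head></html>"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, ""))

if __name__ == "__main__":
    results = check_store("http://www.myweb.com/Merchant2",
                          ("", "modules/"), fetch=sample_fetch)
    for url, verdict in results.items():
        print(verdict, url)
```

Drop the `fetch=sample_fetch` argument to run it against your own store.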

Protecting your Merchant Script Directory

The easiest way to protect your Merchant Script directory from prying eyes is to place an index.html (or index.htm) file in the Merchant directory. The Web Server will automatically display this file instead of showing a directory listing; the listing is shown only if the file does not exist. The index.html file can be simple or elaborate. The goal is to tell the user that they are not authorized to view the directory listing.

The above method will protect only the base Merchant Script directory. It does nothing to protect any sub-directories. For instance, users may not be able to view the contents of your Merchant2 directory, but there is nothing to stop them from looking inside of your Merchant2/modules directory where there are at least 13 other sub-directories.

When using this method, you need to place a dummy index.html file in each Merchant2 sub-directory.

Apache Configuration

If your Web Site is hosted on a Server that uses Apache, then you can protect your Merchant Script directory very easily, without using fake index.html files.

There are two methods: Server Configuration and .htaccess Configuration.

Server Configuration

If you have access to your Apache Configuration file, this is the best choice. Add the following to your httpd.conf file:

<Directory /mydocroot/Merchant2>
Options -Indexes
</Directory>

Replace "mydocroot" with your Document Root directory. Replace "Merchant2" with the name of your Merchant Root directory.

The above configuration directive turns off Directory Indexing for the Merchant2 directory (and all of its sub-directories).

.htaccess Configuration

If you are hosted on an Apache Server but do not have access to the Server Configuration files, you can probably control the server indirectly by placing an .htaccess file in the directory you wish to control. This works only if the server's AllowOverride setting permits the Options directive in .htaccess files.

Create a text file called .htaccess with the following line:

Options -Indexes

Note the dot (.) at the front of the file name. In Windows parlance, .htaccess is actually a file name extension with no file name. Windows will not allow you to create this file directly but it will allow a Text Editor or other program to create it. Under Unix, this is a special file (denoted by the dot) and is what Windows calls a "system file". The dot is important.

To create this file with Notepad: Open Notepad, copy the following line, and then paste it into the Notepad window:

Options -Indexes

Make sure the line starts flush left. You do not want any leading spaces.

To save the file, select File, Save As. Make sure the "File name" is .htaccess and that the "Save as type" drop down list is set to "All Files".

Upload this file via FTP to your Merchant directory in ASCII format. Your FTP program will probably want to upload it in Binary format. Change the FTP upload options and make sure this file goes up as ASCII and not Binary.

This one single configuration file will prevent a directory listing of your Merchant Script directory as well as its sub-directories.

You may place this .htaccess file in any directory where you do not want the Apache server to show a directory listing if it is unable to find an index.html (or index.htm) file. The directive will apply to the directory where the .htaccess file resides as well as all sub-directories.
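To confirm that every sub-directory is covered by either a dummy index file or an inherited "Options -Indexes", a local copy of the Merchant directory can be audited before upload. This is an added example, not part of the original tip; it assumes listings are on by default, that .htaccess overrides are honoured, and uses a constructed sample tree (only Merchant2 and modules are names from this page).

```python
import os
import tempfile
INDEX_NAMES = ("index.html", "index.htm")  # index files named on this page

def indexes_after(htaccess_text, inherited):
    """Return whether directory indexing is on after the file's Options lines."""
    state = inherited
    for line in htaccess_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() != "options":
            continue  # comments and unrelated directives
        opts = [t.lower() for t in tokens[1:]]
        if any(o[0] in "+-" for o in opts):
            # Relative form: only an explicit +/-Indexes changes the state.
            if "-indexes" in opts:
                state = False
            elif "+indexes" in opts:
                state = True
        else:
            # Absolute form replaces the whole option set.
            state = "indexes" in opts or "all" in opts
    return state

def unprotected_dirs(root, listing_default=True):
    """Return relative paths of directories that would show a listing."""
    root = os.path.abspath(root)
    states, exposed = {}, []
    for path, dirs, files in os.walk(root):  # top-down: parents come first
        state = states.get(os.path.dirname(path), listing_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess"), errors="replace") as fh:
                state = indexes_after(fh.read(), state)
        states[path] = state
        if state and not any(name in files for name in INDEX_NAMES):
            exposed.append(os.path.relpath(path, root))
    return sorted(exposed)

def build_sample_tree(base):
    """Constructed layout: index.html at the top, .htaccess only in old/."""
    for sub in ("Merchant2/modules/demo", "Merchant2/graphics", "Merchant2/old/src"):
        os.makedirs(os.path.join(base, sub))
    open(os.path.join(base, "Merchant2", "index.html"), "w").close()
    with open(os.path.join(base, "Merchant2", "old", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")
    return os.path.join(base, "Merchant2")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(unprotected_dirs(build_sample_tree(tmp)))
```

In the sample tree the top-level index.html protects only Merchant2 itself, while the single .htaccess in old/ also covers old/src.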