Restricting Apache Access Through Facebook


I'm deploying a facebook app and I'm wondering if there's anyway of restricting Apache access to the context of the app. That is, disallowing access to the files outside the actual running of the app.


5 Replies

Apache will serve only the files in and under its DocumentRoot, which is configurable globally or per virtual host. You can also restric access to individual dirs under DocumentRoot.

Thanks for taking the time to answer my question.

Perhaps, though, I didn't make myself clear.

I have a facebook app that consists of a Flash client and some other files. I have the delivery of these already working under Apache.

Now, here's the gist of my question: a facebook app runs inside of an iframe in facebook, and I wanted to know if it were to possible to restrict access to my app so that people running the app inside facebook could access the client and other files while restricting access outside of the scope of the facebook iframe.

Maybe check if the referrer tag is facebook? Or include code in the Flash app that verifies it's inside the Facebook iFrame? What you ask is impossible for Apache to do securely; even if you check the referrer tag, that can easily be spoofed.

Oh, you're asking to make the app available only through FB canvas. Well, one way would be to use referer and do some RewriteCond magick based on the HTTP_REFERER variable. But that's not 100% reliable, can be spoofed.

Another way would be app specific with a none token set per client instance (which you verify via POST only valid signed_request payload), or even hardcoded in the flash app. But even that can be spoofed.

Edit: Ah, guspaz beat me to it :)


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct