Ellie Jane

Veteran
Veteran
Joined
Mar 17, 2012
Messages
762
Reaction score
1,511
First Language
English (UK)
Primarily Uses
RMMV
By default when you launch your game in a web browser, your game is very hackable just by manipulating the url. Take this (live) example:


http://afar.ws/client/img/pictures/


This is a standard feature of a lot of web servers. Basically as the folder has no index file, this page serves as a directory of everything in that folder. That means if somebody wanted to download the graphics to your game they immediately could.


Worse still, the same applies to all of the folders in your game, including your precious /data/.


What is the solution?


There isn't an awful lot you can do. In order to function your game needs access to these folders on the fly. But what you can do is create your own index files.


Ever wonder why homepages of websites are called index files? Basically they serve as a replacement to the directory you see above, giving in theory their own directory, constructed by the user however they want it.


What protection does this provide?


While all files are still accessible if you know or can guess the URLs, you cannot just go to a directory such as the link above and get a list.


The main protection however is that you can provide a message on this page.


The best defense against hackers can be simply to intercept where they're going to hack and... well... ask them not to. Perhaps put a credits list here and say if they want anything in the game they can ask you what you did, or where to find it. Consider why somebody is hacking and work partially with them. They've done a bad thing, but they might be doing it for dubiously good reasons, just a little misguidedly.


How do I set up an index file?


By default, your web server will see any file called index.html as the index file. You can change this with a .htaccess file but that is unnecessary.


You will need one file (or a duplicate) in every directory in your game except the root.


Just create a html file called index.html, a simple example is below.


<html>
<head>
<title>Index File</title>
</head>
<body>
<p>You hack me good sir? A plague on BOTH your houses!</p>
</body>
</html>


Considerations


Never, ever assume your player is a hacker. Mistakes happen. Things go wrong. Somebody will inadvertently end up on your index page by mistake. Always plan around the idiotic, the msfortunate, and the simple error. If you're writing a message to a would-be hacker, always have a caveat that you might have got it wrong.


Never replace your index.html file on your game itself, that is, the one in your base directory. Your game needs this to run. Always back up files before uploading any index.html files as it is such a common name that mistakes will happen and you will end up overwriting something important from time to time... trust me on that one.


Is there a simpler way?


Yes. Your web server itself can be set up not to show directory listings at all. This however requires editing your config files, which is something that a lot of users (on shared hosting, for example) will not have access to.


Example Number 2


Here is a protected directory on the same website:


http://afar.ws/client/img/animations/
 
Last edited by a moderator:

EternalShadow

Veteran
Veteran
Joined
Sep 16, 2012
Messages
5,781
Reaction score
1,042
First Language
English
Primarily Uses
This says to create an index HTML file but not where to put it, if not your main directory... I am assuming in each sub folder, but this may be presumptuous. 
 

Seriel

Veteran
Veteran
Joined
Aug 16, 2014
Messages
3,013
Reaction score
504
First Language
English
Primarily Uses
Other
Is there a way to prevent a user from putting in the url of a file to find it (Even if there is an index so they can't get a list)
For example http://jackus.ml/TempJourn/img/tilesets/Dungeon_A1.png


Only problem I can see would be that the game needs to access the file so you need some way for a user to not be able to "hack the url" while also letting the game access the file.


Is that possible?


Edit:
Or using your site as an example while you have blocked /img/animations, I can still go to http://afar.ws/client/img/animations/Absorb.png
 
Last edited by a moderator:

Ellie Jane

Veteran
Veteran
Joined
Mar 17, 2012
Messages
762
Reaction score
1,511
First Language
English (UK)
Primarily Uses
RMMV
You can, using .htaccess and {HTTP_REFERER}, but in my experience it can easily false flag things, so I am not sure it's good to use it. It relies on the web browser sending the right referer.


http://stackoverflow.com/questions/6023941/how-reliable-is-http-referer


"Using HTTP_REFERER isn't reliable, it's value is dependent on the HTTP Referer header sent by the browser or client application to the server and therefore can't be trusted." - stackoverflow


Therefore while there's a way to do it, it can and will break unfortunately. And you never want to accidentally block legitimate users.

This says to create an index HTML file but not where to put it, if not your main directory... I am assuming in each sub folder, but this may be presumptuous. 



Sorry yes, you will need one in each sub directory.
 
Last edited by a moderator:

??????

Diabolical Codemaster
Veteran
Joined
May 11, 2012
Messages
6,548
Reaction score
3,302
First Language
Binary
Primarily Uses
RMMZ
I would say that making the page redirect to a 404 error would be much better. That way it seems as though the folder doesn't even exist. Having the index page show up is basically admission of the folders existence. :)

Also, Rm games are soooooooooooooo hackable. It literally took us a few hours of the initial mv demo game being released and we had a FULL MV codebase. Literally everything except the editor. Having an index file in each folder wouldnt have stopped that in the slightest.

With that said, I think this is a reasonable deterrent for those who are just casually trying their luck with urls.

Also, depending on how you obtain your web server, and how you maintain it, you might already have better means of protection in place.. :D  
 

Latest Threads

Latest Posts

Latest Profile Posts

I have an idea, I am making low polygon 3D resources for a package in itch. but it occurred to me that I could export these as images and make MV / MZ compatible tilesets. What do you think of this?
I hate seeing threads where less-experienced user's ask for an opinion of their project, and the thread is full of negative feedback by others who are clearly not the target audience. I feel bad for the OP, and I hope they understand that no game can appeal to everyone. :frown:
Hm, just found out I can't use loops, yay.
-Ele
I just wanna Covid to be over and I have my normal life back... Feeling so bad these days, what can I do?

Forum statistics

Threads
109,074
Messages
1,041,867
Members
141,571
Latest member
1a23z11
Top