Secure Web Files
Introduction
Goal
Configure which web files are publicly accessible.
Background
Web files are static resources used by the web application. Some must be publicly accessible so the browser can fetch them to render a page, e.g. CSS and JavaScript files. Others, such as Freemarker templates, are only used server-side and must be kept out of public reach: a template exposed over HTTP leaks server-side logic and markup to anyone who can guess its path. Which web files are publicly accessible is configured through a whitelist; anything not on it is not served.
Whitelisting of Web Files
Which web files should be publicly (http/https) accessible is configured through a whitelist. This is a file called hst-whitelist.txt located in the bundle's root directory. When the bundle's root directory is site, the whitelist is located in the project at
bootstrap/webfiles/src/main/resources/site/hst-whitelist.txt
Projects created using the Maven archetype contain a default hst-whitelist.txt that grants public access to the folders css/, fonts/ and js/. The default contents of hst-whitelist.txt are:
##########################################################################
#                                                                        #
# This file must contain all files and folders that                      #
# must be publicly available over http. Typically folders                #
# that contain server side scripts, such as freemarker                   #
# templates, should not be added as they in general should               #
# not be publicly available.                                             #
#                                                                        #
# The whitelisting is *relative* to the 'web file bundle root'           #
# which is the folder in which this hst-whitelist.txt file is            #
# located.                                                               #
#                                                                        #
# Examples assuming the web file bundle root is 'site':                  #
#                                                                        #
# css/      : whitelists all descendant web files below 'site/css/'      #
# common.js : whitelists the file 'site/common.js'                       #
#                                                                        #
# Note that the whitelisting is 'starts-with' based, thus for            #
# example whitelisting 'css' without '/' behind it, whitelists all       #
# files and folders that start with 'css'                                #
#                                                                        #
##########################################################################
css/
fonts/
js/
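The matching rules above (entries relative to the bundle root, starts-with comparison, and the difference between 'css/' and 'css') are easy to get wrong when auditing a project's whitelist. The following is an added illustration written for this page, not the HST's own implementation: a small Python checker that parses an hst-whitelist.txt, applies the documented starts-with rule, and reports which requests would be served. The sample whitelist text is constructed here; it adds an entry 'img' without a trailing slash to show the over-broad match the comment block warns about. The path normalisation step (resolving '..' before matching) is an assumption about how a safe checker should behave and is not something this page states about the HST.

```python
import posixpath

# Constructed sample whitelist: the defaults from this page plus two entries
# that demonstrate the starts-with caveat ('img' has no trailing slash,
# 'common.js' matches any name that begins with it).
SAMPLE_WHITELIST = """\
# comment lines are ignored
css/
fonts/
js/
common.js
img
"""


def parse_whitelist(text):
    """Return the non-empty, non-comment entries of an hst-whitelist.txt."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line)
    return entries


def normalize(path):
    """Normalise a request path relative to the bundle root.

    Leading slashes are dropped and '..' segments are resolved, so that
    'css/../freemarker/x.ftl' is matched as 'freemarker/x.ftl'. Assumption:
    a checker must resolve the path before matching, otherwise a traversal
    under a whitelisted prefix would slip through the starts-with test.
    """
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return norm.lstrip("/")


def is_public(path, entries):
    """True if the normalised path starts with any whitelist entry
    (the starts-with rule documented in the whitelist's comment block)."""
    p = normalize(path)
    return any(p.startswith(entry) for entry in entries)


def loose_entries(entries):
    """Entries without a trailing '/': these match every sibling whose
    name merely starts with the entry, so they deserve a second look."""
    return [e for e in entries if not e.endswith("/")]


if __name__ == "__main__":
    entries = parse_whitelist(SAMPLE_WHITELIST)
    for request in ["css/site.css", "freemarker/home.ftl",
                    "css/../freemarker/home.ftl", "imgsrc/secret.ftl",
                    "common.json"]:
        print(f"{request!r:32} public={is_public(request, entries)}")
    print("entries to review:", loose_entries(entries))
```

Running the block shows that 'imgsrc/secret.ftl' and 'common.json' are both served, because 'img' and 'common.js' match as prefixes, while the template requested through 'css/../freemarker/home.ftl' is refused once the path is normalised. When reviewing a project's whitelist, add the trailing slash to every folder entry and keep the list to the folders the browser genuinely needs.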