After KCFinder installation it's recommended to do some security tasks.

Removing Unused Files

Web Server

KCFinder is designed to work with Apache-compatible web servers. It uses .htaccess files to set options for its folders. For those .htaccess files to take effect, the AllowOverride directive must be set to All for the directory (in httpd.conf or the relevant virtual host configuration file). For example:

<Directory /var/www/localhost/htdocs>
    AllowOverride All
</Directory>

Access Restriction

If you simply set the disabled option to false in conf/config.php, everyone who knows your KCFinder URL can manage the upload folder (upload, rename and delete files) without any authentication. Instead, keep the disabled option in conf/config.php set to true and enable KCFinder only from the session of your web application's user management, once the user has logged in. More details are described here.
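The following is an added example of that integration, not KCFinder's own code and not taken from this page. It keeps 'disabled' => true in conf/config.php and enables KCFinder only after the host application has authenticated the user, using the PHP session. It assumes that KCFinder reads its per-session overrides from $_SESSION['KCFINDER'] (the default session variable; check the _sessionVar setting in conf/config.php if it was changed), that the application and KCFinder share the same session name and cookie path, and that the user table, paths and the authenticate() function are placeholders for the application's own.

```php
<?php
// Added example (not KCFinder's own code): enable KCFinder only for users who
// are logged in to the host application, via the shared PHP session.
//
// Assumptions not stated on this page:
//  - conf/config.php keeps 'disabled' => true, so nothing works without the
//    session override below;
//  - KCFinder reads per-session overrides from $_SESSION['KCFINDER'] (its
//    default session variable; see the _sessionVar setting in conf/config.php);
//  - the application and KCFinder use the same session name and cookie path,
//    otherwise KCFinder never sees this $_SESSION;
//  - authenticate(), the user table and the paths are hypothetical placeholders.

declare(strict_types=1);

session_name('myapp');   // must be the same name KCFinder's session uses
session_start();

/** Hypothetical user lookup; the sample user is constructed for this example. */
function authenticate(string $username, string $password): ?array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return ['id' => $users[$username]['id'], 'name' => $username];
}

/** Enable KCFinder for the current session, with a per-user upload folder. */
function kcfinder_enable(int $userId, string $uploadBase, string $uploadUrlBase): void
{
    // Start from a clean state; never trust leftovers from an earlier login.
    $_SESSION['KCFINDER'] = [];
    $_SESSION['KCFINDER']['disabled'] = false;

    // Per-user subfolder. An integer id cannot contain '..' or '/', so it is
    // safe to embed in both the filesystem path and the URL.
    $dir = rtrim($uploadBase, '/') . '/' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("cannot create upload folder $dir");
    }
    $_SESSION['KCFINDER']['uploadDir'] = $dir;
    $_SESSION['KCFINDER']['uploadURL'] = rtrim($uploadUrlBase, '/') . '/' . $userId;
}

/** Revoke access: KCFinder falls back to 'disabled' => true from config. */
function kcfinder_disable(): void
{
    unset($_SESSION['KCFINDER']);
}

// Minimal front controller: ?action=login or ?action=logout (hypothetical).
switch ($_GET['action'] ?? '') {
    case 'login':
        $user = authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
        if ($user === null) {
            http_response_code(401);
            exit('login failed');
        }
        session_regenerate_id(true);   // fresh session id after authentication
        kcfinder_enable($user['id'], '/var/www/localhost/htdocs/upload', '/upload');
        echo "KCFinder enabled for {$user['name']}\n";
        break;

    case 'logout':
        kcfinder_disable();
        $_SESSION = [];
        session_destroy();
        echo "logged out\n";
        break;

    default:
        http_response_code(400);
        echo "unknown action\n";
}
```

Because KCFinder decides whether it is enabled from the session on every request, revoking access on logout is just a matter of removing the session entry; if the application already regenerates or destroys the session on logout, that alone is sufficient. Do not set the override anywhere that runs for unauthenticated requests.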

Upload Folder


There are two important settings for the upload folder: uploadURL and uploadDir. By default KCFinder is configured to use its own upload folder. To point KCFinder at a custom upload folder, change the uploadURL setting. By default the uploadDir setting is an empty string, which means KCFinder will try to detect the local filesystem path from the URL automatically. Set uploadDir explicitly if KCFinder cannot locate the local path. More details are described here.

Default .htaccess file

Default behaviour: if the .htaccess file is missing from the upload folder, KCFinder creates it by copying the content of conf/upload.htaccess. If a .htaccess file already exists in the upload folder, its content is verified; if it is not identical to conf/upload.htaccess, the file is overwritten.

You can prevent this behaviour by setting _check4htaccess to false.

It is recommended to set _check4htaccess to false and to prevent the web server from overwriting the generated .htaccess file. As long as the file is writable by the web server account, anything running as that account can modify it and re-enable script execution in the upload folder. For example, change the owner of the .htaccess file to root and make it read-only for everyone else:

chown root:root /path/to/your/upload/folder/.htaccess
chmod 644 /path/to/your/upload/folder/.htaccess

The predefined settings in conf/upload.htaccess:

  • Turns off the PHP engine, preventing the execution of uploaded PHP scripts when PHP is installed as an Apache module (php_flag and php_value directives in .htaccess have no effect when PHP runs as CGI, FastCGI or PHP-FPM; those setups need an equivalent handler rule in the server configuration)
  • Forbids the execution of any CGI script
  • Changes the MIME type of HTML files to text/plain, so that JavaScript in uploaded HTML files is not executed by the browser
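The following CLI script is an added example, not part of KCFinder, that checks the state this section recommends once _check4htaccess is false: the upload folder's .htaccess is still byte-for-byte identical to the shipped conf/upload.htaccess, and it is neither owned by nor writable for the web server account. The three paths and the web server user name are placeholders, and the script assumes the PHP posix extension is available (standard in the PHP CLI on Linux).

```php
<?php
// Added example (not part of KCFinder): a CLI check to run after setting
// _check4htaccess to false. It verifies that the upload folder's .htaccess
// still matches the shipped conf/upload.htaccess and that the web server
// account cannot change it.
// Assumptions: the paths and the web server user name are placeholders;
// the posix extension is available.

declare(strict_types=1);

/** Return a list of problems; an empty list means the file is protected. */
function check_upload_htaccess(string $uploadDir, string $reference, string $webUser): array
{
    $problems = [];
    $ht = rtrim($uploadDir, '/') . '/.htaccess';

    if (!is_file($ht)) {
        // With _check4htaccess off, KCFinder will not recreate it.
        return ["$ht is missing: copy $reference there before disabling _check4htaccess"];
    }
    if (!is_file($reference)) {
        return ["reference file $reference not found"];
    }

    // 1. Content must still be identical to the shipped file, since KCFinder
    //    no longer re-syncs it once _check4htaccess is false.
    if (file_get_contents($ht) !== file_get_contents($reference)) {
        $problems[] = "$ht differs from $reference";
    }

    // 2. Ownership and permissions: anything that lets the web server user
    //    write the file lets an attacker re-enable script execution.
    $web = posix_getpwnam($webUser);
    if ($web === false) {
        $problems[] = "unknown web server user $webUser";
        return $problems;
    }
    $st = stat($ht);
    if ($st['uid'] === $web['uid']) {
        $problems[] = "$ht is owned by $webUser; chown it to root";
    }
    if ($st['mode'] & 0002) {
        $problems[] = "$ht is world-writable";
    }
    if (($st['mode'] & 0020) && $st['gid'] === $web['gid']) {
        $problems[] = "$ht is writable by the web server's group";
    }
    return $problems;
}

$problems = check_upload_htaccess(
    '/var/www/localhost/htdocs/upload',                         // uploadDir
    '/var/www/localhost/htdocs/kcfinder/conf/upload.htaccess',  // shipped reference
    'www-data'                                                  // web server user
);
foreach ($problems as $p) {
    fwrite(STDERR, "FAIL: $p\n");
}
echo $problems ? "upload .htaccess is NOT protected\n" : "upload .htaccess OK\n";
exit($problems ? 1 : 0);
```

Run it as root from cron or a deployment hook so it can stat files regardless of their permissions. One caveat the chown/chmod step alone does not cover: the upload folder itself must stay writable by the web server, so that account can still unlink the root-owned .htaccess and create a new one in its place. On Linux filesystems that support it, marking the file immutable (chattr +i) prevents that; remember to clear the attribute before a KCFinder upgrade that changes conf/upload.htaccess. None of this matters unless AllowOverride is enabled for the directory as described in the Web Server section above.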