Secure direct access of cron.php file from the browser

By: Jignesh Baldha, Jun 3rd, 2018 # Magento # How to

By default, Magento's .htaccess forbids calling cron.php directly from the browser, provided you are running the Apache web server.

```apache
## Deny access to cron.php
<Files cron.php>
############################################
## uncomment the lines below to enable cron access with base HTTP authorization
## http://httpd.apache.org/docs/2.2/howto/auth.html
##
## Warning: .htpasswd file should be placed somewhere not accessible from the web.
## This is so that folks cannot download the password file.
## For example, if your documents are served out of /usr/local/apache/htdocs
## you might want to put the password file(s) in /usr/local/apache/.
        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user
############################################
        Order allow,deny
        Deny from all
</Files>
```

To run cron directly from the browser, you would have to update the .htaccess file before requesting the "yoursite.com/cron.php" URL. For that, comment out these two lines:

```apache
#Order allow,deny
#Deny from all
```

The important point is that if you do not protect cron.php with HTTP authorization, any user could run cron by requesting the "http://example.com/cron.php" URL and use it to attack your Magento application.
From a security perspective it is therefore essential to uncomment these lines once you have generated the .htpasswd file:

```apache
AuthName "Cron auth"
AuthUserFile ../.htpasswd
AuthType basic
Require valid-user
```

There are many online tools available to easily generate .htpasswd.

Just be sure about the path of the .htpasswd file. You can find its absolute path by running the pwd command from the console in the directory where the .htpasswd file is placed.

It's important to place the .htpasswd file somewhere that is not accessible from the web. This is so that folks cannot download the .htpasswd file.

Sometimes developers skip this HTTP authorization step, which allows any third party to access cron.php directly by URL.
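To check the two things this post asks for (that the `<Files cron.php>` block still denies or authenticates requests, and that the .htpasswd file sits outside the web root), here is a small POSIX shell audit. It is an added example, not code from the post or from Magento. It reads the .htaccess text from stdin, accepts both the `Order/Deny` form shown above and the Apache 2.4 `Require all denied` form, and flags any block where both protections have been commented out. The sample configurations and the `/var/www` paths are constructed for the example; the function names `cron_protection` and `htpasswd_path_ok` are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the <Files cron.php>
# block of a Magento .htaccess. The configuration is read from stdin so the
# constructed samples below can be checked without touching a real server.

# Print how cron.php is protected: "deny" (blocked outright), "auth"
# (HTTP basic authentication required) or "OPEN" (reachable by anyone).
cron_protection() {
    # Keep only the uncommented lines between <Files cron.php> and </Files>.
    block=$(awk '
        /^[[:space:]]*<Files[[:space:]]+cron\.php[[:space:]]*>/ { inside = 1; next }
        /^[[:space:]]*<\/Files>/                               { inside = 0 }
        inside && !/^[[:space:]]*#/                            { print }
    ')
    if printf '%s\n' "$block" | grep -Eiq \
        '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'; then
        echo deny
    elif printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]' &&
         printf '%s\n' "$block" | grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user[[:space:]]*$'; then
        echo auth
    else
        echo OPEN
    fi
}

# Return 0 when AUTHFILE is an absolute path outside DOCROOT, 1 otherwise.
# Apache resolves a relative AuthUserFile against ServerRoot, not against the
# directory holding .htaccess, so the absolute path printed by pwd is the
# unambiguous choice; a file under the document root could be downloaded.
htpasswd_path_ok() {
    docroot=${1%/}          # drop a trailing slash
    authfile=$2
    case $authfile in
        /*) ;;              # absolute: keep checking
        *)  return 1 ;;     # relative: ambiguous, reject
    esac
    case $authfile in
        "$docroot"/*) return 1 ;;   # inside the web root
        *)            return 0 ;;
    esac
}

# Constructed samples: the Magento default, the basic-auth variant the post
# recommends, and a file where both protections were commented out.
DEFAULT_CONF='<Files cron.php>
        #AuthName "Cron auth"
        Order allow,deny
        Deny from all
</Files>'

AUTH_CONF='<Files cron.php>
        AuthName "Cron auth"
        AuthUserFile /var/www/.htpasswd
        AuthType basic
        Require valid-user
        #Order allow,deny
        #Deny from all
</Files>'

OPEN_CONF='<Files cron.php>
        #AuthName "Cron auth"
        #AuthUserFile ../.htpasswd
        #AuthType basic
        #Require valid-user
        #Order allow,deny
        #Deny from all
</Files>'

printf 'default: %s\n' "$(printf '%s\n' "$DEFAULT_CONF" | cron_protection)"  # deny
printf 'auth:    %s\n' "$(printf '%s\n' "$AUTH_CONF"    | cron_protection)"  # auth
printf 'open:    %s\n' "$(printf '%s\n' "$OPEN_CONF"    | cron_protection)"  # OPEN
htpasswd_path_ok /var/www/html /var/www/.htpasswd && echo "htpasswd path ok"
```

Run it against a live site with `cron_protection < /path/to/magento/.htaccess` after sourcing the file. When you create the password file, the `htpasswd -c /var/www/.htpasswd cronuser` tool from the Apache utilities package does the job locally, so the password never has to be typed into a third-party web page; pass the same absolute path to `AuthUserFile`.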

Cheers!