deny direct access to a folder and file by htaccess

Solution 1

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

Solution 2

This is a pure mod_rewrite-based solution:

RewriteEngine On
RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show a forbidden error to the user if the URI contains either /includes/ or /submit.php

Solution 3

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>
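
Added example, not part of the answer above: a Python check of which file names the allow-list regex from Solution 3 opens up, next to an anchored variant. The sample names and the `ANCHORED` pattern are assumptions, and Python's `re.search` stands in for Apache's unanchored regex match on the file's base name.

```python
import re

# Allow-list regex exactly as posted in Solution 3.
POSTED = r"^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif"

# Tightened variant (assumed intent: index.php plus static assets chosen by
# extension). Grouping makes ^ and $ apply to every alternative.
ANCHORED = r"^(index\.php|.*\.(css|js|png|jpg|gif))$"

# Constructed file names for the check, not taken from the page.
SAMPLES = [
    "index.php", "style.css", "app.js", "logo.png",   # meant to be served
    "submit.php", "config.php", "fonts.ttf",          # meant to be blocked
    "js_helpers.php", "css_vars.inc",                 # contain "js" / "css"
    "index.php.bak", "photo.jpg.php",                 # extra suffix
]


def allowed(pattern, filename):
    """Model <Files ~ "regex">: unanchored search against the base name."""
    return re.search(pattern, filename) is not None


def audit(pattern, names=SAMPLES):
    """Return the names the allow rule would open up, in input order."""
    return [n for n in names if allowed(pattern, n)]


def unintended(names=SAMPLES):
    """Names the posted regex allows but the anchored one does not."""
    strict = set(audit(ANCHORED, names))
    return sorted(n for n in audit(POSTED, names) if n not in strict)


if __name__ == "__main__":
    print("posted  :", audit(POSTED))
    print("anchored:", audit(ANCHORED))
    print("only allowed by the posted regex:", unintended())
```

Because `^` binds only to the first alternative and nothing is anchored at the end, any name that merely contains `css` or `js`, or that carries an extra suffix after an allowed one, passes the posted rule.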

Solution 4

One-liner mod_alias-based solution:

RedirectMatch 403 ^/folder/file\.php$

This will show forbidden error for /folder/file.php

Solution 5

If I understand correctly you just want to deny access to the includes folder?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

Author by

Imrul.H

I am a Web Application Developer at Designcontainer, Oslo. I work with HTML, CSS, JS, PHP and Python.

Updated on June 04, 2020

Comments

  • Imrul.H almost 4 years

    Here is the scenario:

    • There is an index.php file in the root folder.
    • Some files are included in index.php, which are in the includes folder.
    • 1 other file (submit.php) is in the root folder for the form submit action.

    I want to restrict direct user access to the files in the includes folder by htaccess, and also to submit.php. But include will work for the index.php file. Like, if a user types www.domain.com/includes/somepage.php, it will restrict it (maybe redirect to an error page).

  • Chaitanya Chandurkar about 11 years
    Will other files be able to make an ajax request to the file present in that folder?
  • jeroen about 11 years
    @ChaitanyaChandurkar No, an ajax request is a normal http request so that will be denied.
  • CTS_AE over 9 years
    Good job addressing the submit file
  • PhatHV over 8 years
    Sorry, because I am new to web programming. How can I add an exception for access to my file index.php?
  • Aamir almost 8 years
    I used deny from all and it restricted every URL... not even showing the login page... :(
  • jeroen almost 8 years
    @Aamir That is correct, no url in that folder will be accessible but you can include them in other files without any problems.
  • Aamir almost 8 years
    I want to deny access to a particular directory so that it does not show the list of files in it in the browser. For example, if I go to the URL localhost/myproject/assets, it will show the list of all files in it; I want to deny that. And also, if a logged-in user accesses a specific file in it, for example localhost/myproject/assets/uploads/img/1.jpg, then it should be accessible. Also, how to deny access to localhost/myproject/assets/uploads/img/1.jpg if that 1.jpg was uploaded by some other user? stackoverflow.com/questions/37874618/…
  • bytecode77 almost 8 years
    +1 - This is actually very good, because no one can even see which files exist if you apply 404 to an entire folder, using regex ^folder.
  • Moxet Khan almost 8 years
    I am not sure about the one who posted the question, whether his problem was solved or not, but this is the beauty of SO, that multiple answers can help lots of members. This last answer resolved my issue. I want to let sites get the css file but have no access to ttf or otf fonts, and boom! Resolved.
  • Gintare Statkute almost 7 years
    After this I am not able to access files in subfolders.
  • HOY over 3 years
    @ChaitanyaChandurkar, if you modify .htaccess like this, then ajax requests are possible. The following is 4 lines:

    SetEnvIfNoCase X-Requested-With XMLHttpRequest ajax
    Order Deny,Allow
    Deny from all
    Allow from env=ajax