How to restrict/forbid access to specific file types such as .js .css inside a .htaccess file?

apache .htaccess permissions
16,543

Solution 1

Your code looks pretty different from the code found here. What about trying:

<Files ~ "(.js|.css)">
Order allow,deny
Deny from all
</Files>

If you are using version Apache 2.4 or higher

<Files ~ "(.js|.css)">
   Require all denied
</Files>

Solution 2

Updating the FilesMatch in a apache2.conf will make this a global change without having to individually add it to all sites/virtual directories.

As a side note I suggest adding any files to the exclude list that could possibly hold configuration settings like .xml .ini .conf etc... This does not block the www-data user, it just keeps outside requests for those files from being served and displayed.

(Ubuntu 14.04 Apache2)

ORIGINAL:

    <FilesMatch "^\.ht">
            Require all denied
    </FilesMatch>

NEW:

    <FilesMatch "^\.ht|.js|.css">
            Require all denied
    </FilesMatch>

Solution 3

What you are trying to do will not work.

You need to allow unfettered access to your .css and .js files. If a user's browser can't request the style sheet or the javascript that makes the page tick, then the page won't work for them. (It will load; but it will look horrible because the request for the style sheet got turned down, and anything that relies on JavaScript won't work either.)

Share:
16,543
Perroquiet
Author by

Perroquiet

Updated on June 04, 2022

Comments

  • Perroquiet
    Perroquiet almost 2 years

    If the remote user knows the exact location of the file, he will still be able to access the file from a browser. How can someone find out about the location of the private file? well this doesn’t really matter too much, but he might see paths, or files, shown in a warning messages, or the files might be browsable (there is no hiding of the files in the directory indexes). So if there are ‘special files’ that you want to not be served in any case to remote users then you will have to deny access to them. But the question is HOW?

    Inside my .htaccess file in my webroot folder:

    <FilesMatch "\.(js|css)$">
Order deny,allow
Allow from all
</FilesMatch>

    But that doesn't seems to work.. :-(
    I'm using Apache 2.2

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I figure out what user & group Apache is running as?
Is it possible to change the $_SERVER['HTTP_HOST'] in htaccess?
Mod_rewrite on WAMP 2.4
RewriteCond not working on force https for HTTP_HOST
.htaccess in Subfolder not working
How to setup ssl using only .htaccess file
Allow access to all files from only 1 IP address and redirect all others to other file
header expire on javascript files not working
mod_headers module does not load, though it's enabled in httpd.conf
file_put_contents php permissions