I have a master folder where I hold all of my resources such as js, css, images, etc. called /resources/.
In /resources/, I have php files I include on pages of my website, however, they're currently directly accessible if entered into the browser.
Is there a way for me to use .htaccess in that directory to prevent direct requests to any files of certain extensions such as PHP?
Hotlinking prevention isn't really what I'm looking for. I just need a way to kill any sort of direct request to these PHP files(in the /resources/ directory specifically) made by anything other than the website itself.
Any help is appreciated. Thank you very much.
Add a .htaccess in your /resources/ folder containing the following
<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>
It should prevent access to all .php files
Related
I am using laravel,
In browser If I directly give the URL as below :
http://....../resources/views/users/index.blade.php
It will show the page as below :
.
I can't show page to public as above image.
How can I block access to particular folder or files ?
You need to edit/create .htaccess file of the directory you want to prevent the direct access from people.
As per the solutions given here :
Solutions - 1
I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:
deny from all
That way you cannot open any file from that folder, but you can
include them in php without any problems.
Solution - 2
It's possible to use a Files directive and disallow access to all
files, then use it again to set the files that are accessible:
<Files ~ "^.*">
Deny from all
</Files>
<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
Allow from all
</Files>
Also, You can Refer to Article : How to Prevent a Directory Listing of Your Website with .htaccess
I know direct URL access can be prevented via .htaccess rules but I don't know much about meta-chars or escaping.
these are the files in my xammp/htdocs folder, accessed using
localhost:
index.php
createScheme.php
several someother.php
I want direct access to be enabled only for index.php and createScheme.php and all others pages should be blocked against direct access.
Please help!
This .htaccess file will only allow users to open index.php. Attempts to access any other files will result in a 403-error.
Order deny,allow
Deny from all
<Files "index.php">
Allow from all
</Files>
If you also want to use authentication for some of the files, you may simply add the content from your current file at the end of my example.
I want to be able to prevent people from accessing a file on a server, such as a document if they were to directly link to it via the URL. This is for security purposes so that documents on the site just can't be stumbled upon and downloaded...
What is the best approach for this?
I've tried using the .htaccess to deny access to docs and txts for examples, but you can still download the files it just prevents you from accessing the directory...which isn't what I want to do.
<Files ~ "\.(doc|txt)$">
order allow,deny
deny from all
</Files>
put it in a directory outside the public space and provide it via a custom PHP page which requires login or what you prefer
echo file_get_contents(/var/www/example.com/file.txt);
should works I guess
Try putting this in your .htaccess
<FilesMatch "\.(doc|txt)">
Order deny,allow
Deny from all
</FilesMatch>
The best thing to do is to not put it in the web server's document root in the first place.
You can in your .htaccess redirect all requests to files in that folder to a special PHP page that only allows logged in users to download the file but denies those unauthorized to access it.
Also it's a good idea putting the target file itself in a folder above public_html.
Apologies if my question is unclear, but I'm not quite up with the jargon. By 'resource directories' I mean my css, php scripts, images, javascript ect.
I used an .htaccess file in my images directory that contained
deny from all
to do this. Though this prevented people from typing "www.example.com/images" into their browser and accessing my images directory, the images stopped appearing on my website.
I assume this is because the .htaccess file is even denying my source code from accessing the images. How can I let my source code access directories? I also have a cron job running a php script every night. The cron job also needs to be allowed to access the scripts directory.
Also, is using .htaccess files even the best way to secure a site?
To prevent someone to view your images directory, you need to disallow Directory Listing.
http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
You cannot use deny from all, because nothing can be loaded from that directory from a web browser, so your images which you load with on your website won't load either.
Options -Indexes will disallow people to list files in your images directory. Please see http://viralpatel.net/blogs/htaccess-directory-listing-enable-disable-allow-deny-prevent-htaccess-directory-listing/
For securing data from being viewed by people who shouldn't you can use a authentication. You can setup a login field with htaccess, or script one with, for example PHP or python.
Login script with htaccess:
Script:
http://www.htaccesstools.com/htpasswd-generator/
Password file:
http://www.htaccesstools.com/htaccess-authentication/
You can prevent from accessing any directory you want:
Add this snippet in your httpd.conf file (you can find httpd.conf file here C:\wamp\bin\apache\apache2.4.9\bin)
<Directory "c:/wamp/www/directory_A/">
Options -Indexes
</Directory>
In this case you can access www directory but can't inside directory_A.
or
<Directory "c:/wamp/www/directory_A/uploads/">
Options -Indexes
</Directory>
In this case you can access 'directory_A/' directory but can't inside 'uploads/'.
I'm in a situation wherein I have file includes but I don't want other people going on the "includes" directory and viewing the pages individually via browser.
I'm quite familiar with how to approach it via inside the PHP files themselves but I want to use the .htaccess for preventing it this time.
So how do I configure .htaccess to prevent users NOT coming from a certain referrer from viewing the PHP files inside the "includes" folder?
.htaccess will work, but just to suggest an alternative - why not move your include directory outside the webroot? Your scripts can still access it, and there's no need to configure apache to deny access.
Put a .htaccess file in the directory you would like to not be viewed and put this in there:
order allow, deny
deny from all
This is the simple block all approach. More info on how to block by referer can be found here.
Hope this helps.
As lot of web hosting solutions explicitly limit you to working within the a public_html (or equiv) hierarchy. So I use a simple convention: if I don't want a file or directory to be private -- that is not accessible through a URI -- then I prefix its name with either a "_" or a ".", for example my PHP includes directory is called "_includes".
I use this pattern in my .htaccess files to enforce this:
SetEnvIf Request_URI "(^_|/_|^\.|/\.)" forbidden
<Files *>
Order allow,deny
Allow from all
Deny from env=forbidden
</Files>
You can use this approach, but modify the regexp to whatever suits your personal convention. One advantage is that it works with this template in your DOCROOT .htaccess file. You don't need to have .htaccess files in the restricted subdirectories.
:-)