Block direct access to a file over http but allow php script access

permissions php apache

Solution 1:

The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.

However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,

Order deny,allow
Deny from all

Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.

Solution 2:

That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)

<Files ~ "\.ini$">
  Order allow,deny
  Deny from all
</Files>

my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini

Solution 3:

in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives. 

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

to test your config before restarting apache

service httpd configtest

then (graceful restart)

service httpd graceful

Solution 4:

Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.

Solution 5:

If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):

ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>

Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.

This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.

Related

Read committed Snapshot VS Snapshot Isolation Level
Error: invalid operands of types ‘const char [35]’ and ‘const char [2]’ to binary ‘operator+’
What is the equivalent of @autoreleasepool in Swift?
Getting quotation marks to the bottom of a line
How to deactivate iPhone USB tethering when OSX is connected to a wireless network
Adding a Google account for calendar purposes on iOS 8.3
How to make inactive when I close application window by Command + W
How can I delete offensive emojis on my iPhone keyboard
How can I make Siri use non apple apps? [duplicate]
How can I get OS X El Capitan and watchOS and iOS 9 without being a developer?
Remove a language from the "Preferred language order"
Starting and stopping mysql server. Shorten and make automatic