deny direct access to a folder and file by htaccess

regex mod-rewrite php apache .htaccess

Here is the scenario:

  • There is a index.php file in root folder
  • some files are included in index.php which are in the includes folder.
  • 1 other file (submit.php) is in the root folder for form submit action.

I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file. Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).


I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.


This is pure mod_rewrite based solution:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php


It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>

Related

Why does typeof array with objects return "object" and not "array"? [duplicate]
Fake DbContext of Entity Framework 4.1 to Test
How to invoke a Linux shell command from Java
C/C++ macro string concatenation
What's Mongoose error Cast to ObjectId failed for value XXX at path "_id"?
.toArray(new MyClass[0]) or .toArray(new MyClass[myList.size()])?
How to read pdf in my android application? [closed]
Polymorphic model binding
Using cookies with Android volley library
Javascript callback when IFRAME is finished loading?
Differences between std::make_unique and std::unique_ptr with new
What does it mean when an HTTP request returns status code 0?