Block direct access to a file over http but allow php script access

Asked 21/4, 2010 at 0:4 Answered 16/2, 2019 at 19:48

I'm loading my files (pdf, doc, flv, etc) into a buffer and serving them to my users with a script. I need my script to be able to access the file but not allow direct access to it. Whats the best way to achieve this? Should I be doing something with my permissions or locking out the directory with .htaccess?

Riess answered 21/4, 2010 at 0:4 Comment(1)

take a look at this https://mcmap.net/q/266260/-allowing-video-to-be-played-in-lt-video-gt-element-from-my-website-but-not-allowing-it-through-direct-link/2441637 – Proffitt 13/5, 2017 at 15:19

The safest way is to put the files you want kept to yourself outside of the web root directory, like Damien suggested. This works because the web server follows local file system privileges, not its own privileges.

However, there are a lot of hosting companies that only give you access to the web root. To still prevent HTTP requests to the files, put them into a directory by themselves with a .htaccess file that blocks all communication. For example,

Order deny,allow
Deny from all

Your web server, and therefore your server side language, will still be able to read them because the directory's local permissions allow the web server to read and execute the files.

Predilection answered 21/4, 2010 at 0:29 Comment(9)

i have used this inside audio folder but it is stoping my audio player to play audio. I am using sound manager 2 to play audio. Is there any work around to allow only sound manager to play that audio file but stop anyother direct access? – Bogtrotter 29/7, 2013 at 6:7

@Bogtrotter - You can white list certain IPs to be able to access these directories. For example, adding a new line with Allow from 127.0.0.1 will allow your server, including any server side code, to access files in that directory. More documentation on these bits is available at httpd.apache.org/docs/2.4/mod/mod_access_compat.html#allow – Predilection 30/7, 2013 at 16:38

"However, there are a lot of hosting companies that only give you access to the web root." Why can't those companies put the web root one level lower than the FTP root? Do they have zero knowledge of how PHP works (or rather is it an oversight which is more likely) or do they only care about their own security and money? Oh well, just pick a company that actually gives a damn about your website's security. – Hessite 30/3, 2017 at 4:58

I tried this, but am not able to open the files after they download: failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden – Intend 14/9, 2017 at 16:34

@SamBisbee, How safe is "put them into a directory by themselves with a .htaccess file that blocks all communication"? – Eringo 21/11, 2017 at 11:31

Not work when we try to access from php script. you have any code how to access that file – Cati 2/1, 2018 at 6:1

If I add this to .htaccess file in the folder where the javascript files are located, the website stops running javascript code. How to make .js files runnable by php script but still prevent being viewed from the browser? – Hagler 14/1, 2019 at 14:36

@ÖmerAn Unless you're doing something incredibly funky with your javascript, it has to be executed in the browser, not by PHP, and so it needs to be visible to the browser. – Arrio 6/7, 2021 at 8:27

@DarwinvonCorax I guess I am doing something incredibly funky. – Hagler 7/7, 2021 at 11:14

That is how I prevented direct access from URL to my ini files. Paste the following code in .htaccess file on root. (no need to create extra folder)

<Files ~ "\.ini$">
  Order allow,deny
  Deny from all
</Files>

my settings.ini file is on the root, and without this code is accessible www.mydomain.com/settings.ini

Subjoinder answered 21/3, 2012 at 7:13 Comment(0)

in httpd.conf to block browser & wget access to include files especially say db.inc or config.inc . Note you cannot chain file types in the directive instead create multiple file directives.

<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>

to test your config before restarting apache

service httpd configtest

then (graceful restart)

service httpd graceful

Potion answered 12/1, 2016 at 12:2 Comment(0)

Are the files on the same server as the PHP script? If so, just keep the files out of the web root and make sure your PHP script has read permissions for wherever they're stored.

Dimphia answered 21/4, 2010 at 0:7 Comment(0)

If you have access to you httpd.conf file (in ubuntu it is in the /etc/apache2 directory), you should add the same lines that you would to the .htaccess file in the specific directory. That is (for example):

ServerName YOURSERVERNAMEHERE
<Directory /var/www/>
AllowOverride None
order deny,allow
Options -Indexes FollowSymLinks
</Directory>

Do this for every directory that you want to control the information, and you will have one file in one spot to manage all access. It the example above, I did it for the root directory, /var/www.

This option may not be available with outsourced hosting, especially shared hosting. But it is a better option than adding many .htaccess files.

Stephine answered 22/1, 2014 at 20:44 Comment(0)

To prevent .ini files from web access put the following into apache2.conf

<Files ~ "\.ini$">
Order allow,deny
Deny from all
</Files>

Sediment answered 7/4, 2018 at 5:28 Comment(0)

How about custom module based .htaccess script (like its used in CodeIgniter)? I tried and it worked good in CodeIgniter apps. Any ideas to use it on other apps?

<IfModule authz_core_module>
    Require all denied
</IfModule>
<IfModule !authz_core_module>
    Deny from all
</IfModule>

Krasnodar answered 16/2, 2019 at 19:48 Comment(0)

Recommended topics

Hot tags