andy7789

how to prevent direct http requests via .htaccess

Hi X-perts,

I need to protect a few directories from direct http requests. Currently, I have the following .htaccess file in those directories:

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

It prevents executing any php or asp files, but not viewing .css or .js files. How can I protect the files in those directories from being viewed?

I tried also:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F]

<Files *.php,*.css,*.js>
Order Deny,Allow
Deny from all
</Files>

But it does not work.

Please, advise.

Thanks

Andy
ASP.NET, PHP, Apache Web Server


8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
ddrudik

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Oscurochu

You can have .htaccess do a referer check on the javascript and css files. If no referer is defined, then deny access.
andy7789

ASKER
ddrudik, I have tried this and it really blocks all direct requests, but for some reason it also blocks the site's own css links to the css files if they are in the same folder as the .htaccess file. It works OK if I move the css file to a subdirectory below. Why is that?
ddrudik

> but due to some reasons also blocks the site's own css links to the css files, if they are in the same folder as .htaccess file.

Blocking access to the CSS files in this manner also would block the site's use of them as well.  No way around that.

>It works ok, if i move css file to a subdirectory below. Why is that?
Check for .htaccess files throughout your directory structure; for example, Apache checks for .htaccess files starting at the root of the site down to the folder in which the request was made, to apply allow/deny commands in the .htaccess files.
HackneyCab

Try changing your second rule to:

RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com

Does that work?
andy7789

ASKER
No, it does not. So far, ddrudik's solution works, though it generates some odd restrictions on the root dir files.
ddrudik

Thanks for the question and the points.
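
The referer check Oscurochu describes, set next to the asker's rules, as an added example that is not part of the original thread and is not ddrudik's member-only solution. mydomain.com is the asker's placeholder; accepting https and the use of FilesMatch for the php/asp block are assumptions about the setup.

```apache
RewriteEngine On

# Asker's version, kept for comparison. RewriteCond lines are ANDed, so the
# first condition exempts every request with an empty Referer, which is what
# a directly typed URL sends: direct requests are never forbidden.
#   RewriteCond %{HTTP_REFERER} !^$
#   RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
#   RewriteRule \.(gif|jpg|js|css)$ - [F]

# Single condition: forbid unless the Referer is one of the site's own pages.
# An empty Referer no longer passes. The dot in the host name is escaped and
# https is accepted (assumption: the site may be served over both schemes).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
RewriteRule \.(gif|jpg|js|css)$ - [F,NC]

# <Files> takes one wildcard pattern, not a comma-separated list; several
# extensions need <FilesMatch> with a regular expression. .css and .js are
# left out here because denying them this way also denies the requests the
# browser makes when it loads the site's own pages.
<FilesMatch "\.(php|asp)$">
Order Deny,Allow
Deny from all
</FilesMatch>
```

The Referer header is supplied by the client and is omitted by some browsers and proxies, so this rule deters hotlinking and casual direct requests but is not access control, and visitors whose browser sends no Referer will get a 403 on the site's own css and js.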