[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


htaccess rewrite to prevent direct file access

Posted on 2013-06-26
Medium Priority
Last Modified: 2013-09-11

I have a website, let's call it "www.somewhere.com"

This website has a directory called "orderuploads" into which people can upload files using my website.

These uploaded files must only be accessible by one URL   "www.somewhere.com/uploadorders.php"

Accessing the uploaded files directly like "www.somewhere.com/orderuploads/image.jpg" via a browser must be prevented.

From what I can gather, htaccess must be used with a rewrite but can someone please provide the necessary code?

Thanks in advance
Question by:kbit
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39277542
You can put the .htaccess file in the folder with following lines:

order deny,allow
deny from all

Open in new window

Or if you want to allow access to certain files:

<FilesMatch "\.(gif|jpe?g|png)$">
    Order Allow,Deny
    Allow from all 
    Satisfy Any

Open in new window

You might need to play around with the order of "Allow,Deny" depending on the use.
"Order Deny,Allow" means that the deny rules are processed before the allow rules and vice versa.

Author Comment

ID: 39277565
Thanks for those suggestions.

I tried

order deny,allow
deny from all

Open in new window

and it nicely prevents the direct access but it also prevents the file being opened/downloaded via "www.somewhere.com/uploadorders.php". I need the latter
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39277590

Since I can't test... Something like this maybe?

RewriteCond %{HTTP_HOST} ^xxx\.com$
RewriteRule ^$ http://www.xxx.com/index.php [R=301,L] 

RewriteCond %{HTTP_REFERER} !^http://(www\.)?xxx\.com/ [NC] 
RewriteRule ^_files/uploadorders/[^.]+\.(jpe?g|gif|bmp|png)$ - [F,NC]

Open in new window

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39277607
That allows the file to be accessed directly and also using the website
LVL 25

Expert Comment

by:Zephyr ICT
ID: 39277646
It's difficult without testing, I'm not doing htaccess editing all time :-)

What if we take the first one again but amend it like this:

Order Deny,Allow
Deny from all
Allow from

Open in new window

I'll keep scratching my brain.

Author Comment

ID: 39277708
Thanks for your help.

The more I think about it the more I think it might not be possible.

For example, there may not be any difference between accessing a file directly using a URL and accessing it through the website, they're still under a domain (

A better way might be for me to add an index file to the folder preventing file listings. Then when the files are being uploaded, disguise their names. So instead of "logo.jpg", use "logo_20130626125312.jpg" which would be yyyymmddhhmmss
LVL 25

Accepted Solution

Zephyr ICT earned 2000 total points
ID: 39277806
Another option might be to server the page through php and control it through there... Just thinking along.

Assisted Solution

kbit earned 0 total points
ID: 39287983
Tough one, might be better to close this question and I'll run with the idea I mentioned?

Thanks for your suggestions though.

Author Closing Comment

ID: 39482512
I only got two of the suggested ideas to work...one idea proposed by spravtek, one by me

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Over the last year I have answered a couple of basic URL rewriting questions several times so I thought I might as well have a stab at: explaining the basics, providing a few useful links and consolidating some of the most common queries into a sing…
In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses
Course of the Month14 days, 12 hours left to enroll

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question