How to Hide Config Files from Direct Access

How to hide config files from direct access?

You're using wrong web server configuration. Point your web server to a public directory and restart it.

For Apache you can use these directives:

DocumentRoot "/path_to_laravel_project/public"
<Directory "/path_to_laravel_project/public">

For nginx, you should change this line:

root /path_to_laravel_project/public;

After doing that, all Laravel files will not be accessible from browser anymore.

How can i deny direct access from url to all php file and some html in my server folder using htaccess?

Create/edit the .htaccess file in the directory where the files are located.

For denying all direct access to all files in the directory, add this:

Deny from all

For restricting only a specific file:

<Files "register.html">
Order Allow,Deny
Deny from all
</Files>

For restricting specific file types, you need to edit the .htaccess file in the webroot folder. This rule will deny access to all .php and .html files in myFolder and its subdirectories.:

RewriteRule ^myFolder/.*\.(php|html)$ - [F,L,NC]

More examples on denying access to file types: https://stackoverflow.com/a/20489058/6817376

How to prevent a file from direct URL Access?

Try the following:

RewriteEngine on 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC] 
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC] 
RewriteRule \.(gif|jpg)$ - [F]

Returns 403, if you access images directly, but allows them to be displayed on site.

Note: It is possible that when you open some page with image and then copy that image's path into the address bar you can see that image, it is only because of the browser's cache, in fact that image has not been loaded from the server (from Davo, full comment below).

Prevent direct access to a php include file

The easiest way for the generic "PHP app running on an Apache server that you may or may not fully control" situation is to put your includes in a directory and deny access to that directory in your .htaccess file. To save people the trouble of Googling, if you're using Apache, put this in a file called ".htaccess" in the directory you don't want to be accessible:

Deny from all

If you actually have full control of the server (more common these days even for little apps than when I first wrote this answer), the best approach is to stick the files you want to protect outside of the directory that your web server is serving from. So if your app is in /srv/YourApp/, set the server to serve files from /srv/YourApp/app/ and put the includes in /srv/YourApp/includes, so there literally isn't any URL that can access them.

Nginx: Prevent direct access to static files

You can use nginx referer module: http://nginx.org/en/docs/http/ngx_http_referer_module.html.
Something like this:

server {
    listen 80;
    server_name website.com;
    root /var/www/website.com/html ;
    location /assets/ {
        valid_referers website.com/ website.com/index.html website.com/some_other_good_page.html ;
        if ($invalid_referer) {
            deny all;
        }
    }
}

This config guard assets directory. But remember, that not guaranteed and worked only for browser - any body can emulate valid request with curl or telnet. For true safety you need use dynamic generated pages with dynamic generated links.

You do not need to create the variable $invalid_referer as this is set by the nginx module.

deny direct access to a folder and file by htaccess

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

How to forbid direct access to website directories in browser url, but allow when website requests them internally?

just use .htaccess file
Put the following line into your .htaccess file

Options -Indexes

---

Related Topics