
Make a file invisible remotely

@Berryessa370

Posted in: #403Forbidden #Apache #Htaccess

I have a PHP file that stores some connection info for part of my website. It is not "readable" from the Web, which is good. I.e. it is blank when you navigate to it from the Web.

However, even if it is blank, I would rather the server return a 403 error message when people navigate to it. Can I use .htaccess to make the server return this error? What is the proper way to do this?


2 Comments


@Speyer207

This can be easily done using Deny from all:

<Files "filetoblock.php">
Order Allow,Deny
Deny from all
</Files>


This will also issue a 403 status.


@Alves908

> It is not "readable" from the Web


What you are seeing is the output after the PHP file has been processed. Since you are probably only setting some variables then there is no output, but it is still processed. If PHP should fail, or the file should get an error/corrupted then this could expose the PHP contents.

Ideally, you would simply put this file outside/above the document root. That way you don't have to do anything to block it from the public and will still be blocked should anything untoward happen (such as your .htaccess being accidentally deleted!).

To block this with mod_rewrite in .htaccess:

RewriteEngine On
RewriteRule ^file-to-block\.php$ - [F]


The above should be placed near the top of your .htaccess file.

Note, however, that if you include another .htaccess file in a subdirectory, that also uses mod_rewrite, then this directive could be overridden.



However, it would be preferable to block (403) these files with mod_authz_host (Apache 2.2) or mod_authz_core (Apache 2.4). For Apache 2.2 see Simon's answer.

On Apache 2.4, using mod_authz_core:

<Files "file-to-block.php">
Require all denied
</Files>




Alternatively, to send a 404 Not Found instead of a 403 Forbidden, you can modify the above mod_rewrite directive:

RewriteRule ^file-to-block\.php$ - [R=404,L]

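A check that could be run after applying either answer, added here as an example and not part of the original thread: it requests the file and distinguishes the three states discussed above (blocked with 403/404, reachable but blank because PHP executed it, and raw source served because PHP did not run). The function name `classify`, the demo paths and the local stand-in server are assumptions constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy environment variables so the request goes straight to the host.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def classify(url, timeout=5):
    """Report how a server answers a request for a file meant to be private."""
    try:
        with _opener.open(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, body = err.code, b""
    if status in (403, 404):
        return "blocked"          # <Files> or RewriteRule is in effect
    if b"<?php" in body:
        return "source-exposed"   # PHP did not run; raw file contents served
    if status == 200 and not body.strip():
        return "executed-blank"   # reachable; only PHP execution hides it
    return "unexpected"

class _Demo(BaseHTTPRequestHandler):
    # Constructed responses standing in for the three states in the thread.
    ROUTES = {
        "/blocked.php": (403, b"Forbidden"),
        "/blank.php": (200, b""),
        "/broken.php": (200, b"<?php $db_pass = 'constructed'; ?>"),
    }
    def do_GET(self):
        status, body = self.ROUTES.get(self.path, (404, b""))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass                      # keep the demo quiet

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), _Demo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        base = "http://127.0.0.1:%d" % server.server_port
        return {path: classify(base + path) for path in _Demo.ROUTES}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Against a real site, call `classify()` with the URL of your own protected file; anything other than "blocked" means the .htaccess rule is not being applied.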

