: Make a file invisible remotely I have a PHP file that stores some connection info for part of my website. It is not "readable" from the Web, which is good. I.e. it is blank when you navigate

@Speyer207

This can be easily done using Deny from all:

<Files "filetoblock.php">
Order Allow,Deny
Deny from all
</Files>


This will also issue a 403 status.

Vote Up Vote Down

@Alves908

It is not "readable" from the Web


What you are seeing is the output after the PHP file has been processed. Since you are probably only setting some variables then there is no output, but it is still processed. If PHP should fail, or the file should get an error/corrupted then this could expose the PHP contents.

Ideally, you would simply put this file outside/above the document root. That way you don't have to do anything to block it from the public and will still be blocked should anything untoward happen (such as your .htaccess being accidentally deleted!).

To block this with mod_rewrite in .htaccess:

RewriteEngine On
RewriteRule ^file-to-block.php$ - [F]


The above should be placed near the top of your .htaccess file.

Note, however, that if you include another .htaccess file in a subdirectory, that also uses mod_rewrite, then this directive could be overridden.



However, it would be preferable to block (403) these files with mod_authz_host (Apache 2.2) or mod_authz_core (Apache 2.4). For Apache 2.2 see Simon's answer.

On Apache 2.4, using mod_authz_core:

<Files "file-to-block.php">
Require all denied
</Files>




Alternatively, to send a 404 Not Found instead of a 403 Forbidden, then you can modify the above mod_rewrite directive:

RewriteRule ^file-to-block.php$ - [R=404,L]

Vote Up Vote Down