188

I'm trying to deny users from accessing the site/includes folder by manipulating the URL.

I don't know if I have to deny everything and manually make individual exceptions to allow, if I can just deny this one folder, or if there's a rewrite function that can be used.

Specific example: I don't want to see the directory files by typing in localhost/site/includes into the URL.

snoob dogg
  • 3
    just to disallow listing directories write `Options -Indexes` in .htaccess file located in root folder –  Oct 01 '13 at 14:15

11 Answers

272

Create site/includes/.htaccess file and add this line:

Deny from all
Mike Grace
anubhava
  • 7
    Hey!! anubhava, I've used this to disable direct access to my API files inside the /api folder, but now all webservice calls are sending 403 forbidden status. I just want to block access when someone accesses it from a browser. – Ravi Soni Jul 31 '14 at 09:25
  • 13
    For a webserver there is no real difference between requests between browser and non-browser. – anubhava Jul 31 '14 at 09:34
  • I use nginx and I cannot use `.htaccess`. So, how can I do that without `.htaccess`? Thanks – Shafizadeh Jul 13 '15 at 17:31
  • How can I access the files of folder/sub folder if I deny from all? The files into folder/sub folder gives 404 error. – Vikas Khunteta Dec 11 '15 at 20:00
  • 2
    `Deny from all` won't give 404 but 403. You can still access file/folders using PHP/Perl etc but not using a web request. You can open a new question if that didn't answer your query. – anubhava Dec 11 '15 at 22:11
  • You didn't even show where to insert the directive and what the file should look like. – TheRealChx101 Oct 01 '18 at 20:36
  • All the necessary information is already there in answer. As per OP it was needed in `site/includes/.htaccess` – anubhava Oct 01 '18 at 20:43
  • 1
    Note that if you want to use this, apache should allow it. In the site config ``, you would need to have at least `AllowOverride Limit`. – PhoneixS Mar 30 '21 at 11:52
90

You can also deny access to a folder using RedirectMatch

Add the following line to htaccess

RedirectMatch 403 ^/folder/?$

This will return a 403 forbidden error for the folder, i.e. http://example.com/folder/, but it doesn't block access to files and folders inside that folder. If you want to block everything inside the folder then just change the regex pattern to ^/folder/.*$ .

Another option is mod_rewrite. If the URL rewriting module is enabled you can use something like the following in root/.htaccess:

RewriteEngine on

RewriteRule ^folder/?$ - [F,L]

This will internally map a request for the folder to forbidden error page.

Amit Verma
  • 1
    With Apache 2.22 the best solution is the first one: RedirectMatch..... – John Oct 01 '16 at 11:36
  • 8
    Much prefer this answer, rather than creating multiple `.htaccess` files in every directory that I need to deny access for. – DanMad Jan 12 '18 at 00:42
  • 1
    this is a much better answer than the one marked as correct, seriously – user151496 Feb 24 '21 at 01:01
  • @user151496 That's debatable. The "accepted" answer is arguably more secure since the mod_alias (or mod_rewrite) directives used here in the root are more easily overridden (even accidentally). – MrWhite Aug 23 '23 at 00:23
49

In an .htaccess file you need to use

Deny from all

Put this in site/includes/.htaccess to make it specific to the includes directory

If you just wish to disallow a listing of directory files you can use

Options -Indexes 
Andy
24

We will set the directory to be very secure, denying access for all file types. Below is the code you want to insert into the .htaccess file.

Order Allow,Deny 
Deny from all 

Since we have now set the security, we now want to allow access to our desired file types. To do that, add the code below to the .htaccess file under the security code you just inserted.

<FilesMatch "\.(jpg|gif|png|php)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>

Your final .htaccess file will look like

Order Allow,Deny 
Deny from all 

<FilesMatch "\.(jpg|gif|png|php)$">
    Order Deny,Allow
    Allow from all
</FilesMatch>

Source from Allow access to specific file types in a protected directory

arthankamal
9

You can create a .htaccess file for the folder, which should have denied access with

Deny from all

or you can redirect to a custom 404 page

Redirect /includes/ /404.html
Marvin
9

Just put .htaccess into the folder you want to restrict

## no access to this folder

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>

Source: MantisBT sources.

The Godfather
6

On Apache 2.4 you can use an Apache <If> expression in the root .htaccess file to block direct access to this specific subdirectory and everything within it.

For example:

<If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
    Require all denied
</If>
MrWhite
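
Added example, not part of any answer on this page: a Python check of which request paths the URL patterns quoted in the RedirectMatch answer and in the `<If>` answer above actually cover. It assumes Python's `re` matches these simple patterns the same way Apache's regex engine does; the sample paths and the `bare_prefix` pattern are constructed for contrast and do not come from the page.

```python
import re

def rules(directory: str) -> dict:
    """URL-path regexes in the forms used in the answers, for one directory."""
    d = re.escape(directory)
    return {
        "dir_only": rf"^{d}/?$",            # RedirectMatch 403 ^/folder/?$
        "contents": rf"^{d}/.*$",           # RedirectMatch 403 ^/folder/.*$
        "dir_and_contents": rf"^{d}($|/)",  # <If "%{REQUEST_URI} =~ m#^/site/includes($|/)#">
        "bare_prefix": rf"^{d}",            # NOT from the page: constructed contrast case
    }

def gaps(pattern: str, must_block: list, must_allow: list) -> tuple:
    """Return (paths the rule leaves reachable, paths it blocks by mistake)."""
    hit = lambda p: re.search(pattern, p) is not None
    return ([p for p in must_block if not hit(p)],
            [p for p in must_allow if hit(p)])

def audit(directory: str) -> dict:
    """Check every rule form against constructed sample request paths."""
    must_block = [directory, directory + "/",
                  directory + "/config.inc.php", directory + "/sub/db.php"]
    must_allow = [directory + "-old/readme.txt", "/site/index.php"]
    return {name: gaps(rx, must_block, must_allow)
            for name, rx in rules(directory).items()}

if __name__ == "__main__":
    for name, (missed, overblocked) in audit("/site/includes").items():
        print(f"{name:17} reachable={missed} overblocked={overblocked}")
```

Only the `($|/)` form covers the directory and everything under it without also matching a sibling such as `/site/includes-old`.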
4

Creating index.php, index.html, index.htm is not secure, because anyone can get access to your files within the specified directory by guessing file names. E.g.: http://yoursite.com/includes/file.dat. So, the recommended method is creating a .htaccess file to deny all visitors ;). Have fun !!

Meraj
4

You can also put this IndexIgnore * at your root .htaccess file to disable file listing of all of your website directories including sub-dir

Ravi Soni
  • 9
    This does not disable file listing, but tells the autoindexer to ignore all files when constructing the index. To disable file listing, you'd use `Options -Indexes`. – Val Kornea Apr 10 '16 at 08:44
2

You can do this dynamically that way:

mkdir($dirname);
// Create .htaccess in the new directory and write the deny rule into it
@touch($dirname . "/.htaccess");
$f = fopen($dirname . "/.htaccess", "w");
fwrite($f, "deny from all");
fclose($f);
RatajS
0

For some reasons which I did not understand, creating folder/.htaccess and adding Deny from All failed to work for me. I don't know why, it seemed simple but didn't work, adding RedirectMatch 403 ^/folder/.*$ to the root htaccess worked instead.

Chimdi
  • Apache server must be configured to support local .htaccess files in subdirectories. If it is not, creating local files will have no effect, obviously. – dev101 Jul 11 '21 at 19:35