0

I have searched just about every key word about it that came to mind, and I know there have been similar questions but this is not a duplicate because they do not work for me (not the exact setup I need or just not functioning).

I'm running XAMPP on my Windows 10 PC (Apache and mysql), haven't yet configered much in the files but have a genreal understanding of whats going on.

The thing I want is either an allow/deny block in the .htaccess file located in the htdocs folder (viewable root) or what'd be better, a domain rewrite block that:

  • Denies all direct access attempts to files located in the viewable root

Exempt:

  • All files named index.php in whatevery (sub)folder they may be
  • Or if the access attempt is from the server itself (the issue with most other solutions is that .css|.js|.png and other files my .php files need would get blocked out and even includes of other *.php files would be blocked)

I have tried many solutions but all of them failed at the points I listed above! If there are any working ones I appreciate your help, if not let me know.

-RmOL

RememberOfLife
  • 106
  • 1
  • 9
  • CSS, Javascript, and image files are requested from the client and not from the server. – Olaf Dietsche Feb 04 '17 at 18:38
  • So by definition they can not be protected against direct access? + If I were to load CSS and JS via include .. (I know they are visible then) but it would prevent direct access right? – RememberOfLife Feb 04 '17 at 19:45
  • You can protect any file, if you wish, but then it is impossible for a client to load it. If you include it literally, this would work of course. – Olaf Dietsche Feb 04 '17 at 20:52
  • The notion of protecting CSS and JS files should be forgotten, period. There is nothing you can do or anyone with a website to prevent seeing the code. The client/browser has to read it to display the page. Client side code is open to everyone just have to accept it. Even if you don't even need to view the files directly, the browser can show you the code with the Browser Dev tools built into almost every browser. – Panama Jack Feb 04 '17 at 23:41
  • Now denying all other files except index.php is not hard at all. You can do so that the server can access the files. – Panama Jack Feb 04 '17 at 23:44
  • I am well aware that there is no way of protecting that, but I like to keep the honest users honest. And since it isn't that much of an effort considering the include thingy, why not.. – RememberOfLife Feb 05 '17 at 11:56

1 Answers1

0

Any MVC framework .htaccess file can solve this problem. Try this in your web root

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

don't forget to enable mod_rewrite and restart apache :) if you look for something else try

defined('BASEPATH') OR exit('No direct script access allowed');

at the begininng of every file you want to protect. The 2nd solution is taken from CodeIgniter

Nikola Bodrozic
  • 106
  • 3