
I want my application to allow pages to be accessed / referenced only from the application pages rather than from external addresses, with the exception of the main (index.php) page that will serve as access to the application. So for example, if I build an HTML file on my desktop with a link or form to the destination of the application pages, I want it to redirect to index.php.
How can I do this? I tried to add these rows to .htaccess:

```apache
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
<Files /index.php>
    Order Allow,Deny
    Allow from all
</Files>
<FilesMatch ".*\.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>
```

But this didn't work because the desktop file was still in my server.

Edit 2: I edited the .htaccess file to this and now it works:

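```apache
RewriteEngine on
# Apply the rule only when the Referer header does not start with http://localhost
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?localhost.*$ [NC]
# ...and the requested path is not index.php itself
RewriteCond $1 !^(index\.php)
# Redirect everything else to the entry page
RewriteRule ^(.*)$ http://localhost/website/index.php [R,L]
```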
Pavllo
  • You have added `.htaccess` to your question. That is the solution. All you now need to do is a quick search with Google and learn how to use it. – RiggsFolly Jan 27 '18 at 21:26
  • Yes, you were right, the .htaccess was the way. I added a RewriteRule and it works perfectly. – Pavllo Jan 27 '18 at 22:33
  • Possible duplicate of [(htaccess) How to prevent a file from DIRECT URL ACCESS?](https://stackoverflow.com/questions/10236717/htaccess-how-to-prevent-a-file-from-direct-url-access) – Pavllo Jan 27 '18 at 22:38

1 Answer


If you mean that you don't want your pages like config.php, x.php, etc. to be accessed directly through the browser, then you can simply define a constant on the index.php page and check its existence in any other PHP file.

In case you want your forms to be submitted only through index.php, then the only solution is to use a changeable CSRF token, generated by index.php and valid only for one-time usage. That way you'll make sure that no one can just clone the form inputs and spam you with requests from another server.

Still, it's very difficult to totally prevent anyone from sending you requests from outside your server. Go-around techniques can be used to bypass token validation. Attackers can simply send a CURL request to fetch a new token, then place it automatically into the form and send the request from outside the server.

Mostafa Kasem
  • Thanks for your answer. Yes, I think this would work, but I am totally new to PHP and this was just for a school project. I just edited the .htaccess file to make this work. – Pavllo Jan 27 '18 at 22:35
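
The two checks the answer describes (an entry-point constant and a one-time form token), as an added PHP example that is not part of the original answer or of the asker's project. `APP_ENTRY`, `issue_token()` and `consume_token()` are hypothetical names, and the `$store` array is an assumption standing in for `$_SESSION` so the file runs from the command line.

```php
<?php
// Added example, not from the original answer. APP_ENTRY, issue_token() and
// consume_token() are hypothetical names; $store stands in for $_SESSION.

// index.php defines the marker constant before including any other page.
define('APP_ENTRY', true);

// Every included file (config.php, x.php, ...) would start with this guard,
// so a direct request to that file stops before running any of its code.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not allowed');
}

// Generate a fresh random token, remember it server-side, and return it
// so index.php can place it in a hidden form field.
function issue_token(array &$store): string
{
    $token = bin2hex(random_bytes(32));
    $store['csrf_token'] = $token;
    return $token;
}

// Accept a submitted token at most once: the stored value is removed
// before the comparison, so replaying the same token fails.
function consume_token(array &$store, ?string $submitted): bool
{
    $expected = $store['csrf_token'] ?? null;
    unset($store['csrf_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed demonstration using an in-memory store instead of a real session.
$store = [];
$token = issue_token($store);
var_dump(consume_token($store, $token));   // first submission of the issued token
var_dump(consume_token($store, $token));   // replay of the same token
$fresh = issue_token($store);
var_dump(consume_token($store, 'forged')); // value that was never issued
var_dump(consume_token($store, $fresh));   // real token, after the failed attempt
```

In an application, call `session_start()` and pass `$_SESSION` in place of `$store`; the form handler calls `consume_token()` before doing any work and issues a new token for the next form render.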