Controlling Direct Access to Non-Index.php Files
Background:
To enhance security, it may be desirable to prevent direct access to all PHP files within a folder, except for the index.php file. This protects sensitive data from direct access and ensures that specific pages are accessed only through authorized channels.
Solution:
Apache web servers provide a mechanism to control access to files based on their extension. By leveraging the .htaccess file, it is possible to deny direct access to all PHP files except index.php.
Steps:
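    # Deny every file in this folder, except for requests from localhost
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1

    # <Files> matches the file name only, so no leading slash
    <Files "index.php">
        Order Allow,Deny
        Allow from all
    </Files>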
Explanation:
The first group of directives denies access to every file in the folder from all IP addresses except 127.0.0.1. The <Files> block then overrides this for index.php, allowing access to it from all IP addresses.
Additional Considerations:
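Because the rules above deny every file type, not only PHP, static assets such as CSS and JavaScript files have to be allowed explicitly:

    <FilesMatch ".*\.(css|js)$">
        Order Allow,Deny
        Allow from all
    </FilesMatch>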
Update for Apache 2.4:
In Apache 2.4, the access control syntax has changed. The correct syntax for this solution is:
    # Apache 2.4: Require replaces Order/Deny/Allow
    Require all denied

    <Files "index.php">
        Require all granted
    </Files>
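Two mistakes are easy to make when adapting rules like these: giving <Files> a path instead of a bare file name, and mixing the 2.2 directives (Order, Deny, Allow) with the 2.4 Require directive. The following Python check is an added example, not part of the original article; the function name lint_htaccess and both sample rule sets are constructed for illustration.

```python
import re

# Access-control directives from Apache 2.2 (mod_access_compat in 2.4).
LEGACY = {"order", "deny", "allow"}
# Opening <Files ...> tag with a plain (non-regex) argument, quoted or not.
FILES_OPEN = re.compile(r'<\s*Files\s+"?([^">~]+?)"?\s*>', re.I)

def lint_htaccess(text):
    """Return (line_number, message) findings for an .htaccess body."""
    findings, legacy, require = [], [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FILES_OPEN.match(line)
        if m:
            # <Files> is compared with the file name only, never the path,
            # so an argument containing '/' can never match.
            if "/" in m.group(1):
                findings.append((n, f"<Files {m.group(1)}> contains '/' and never matches"))
            continue
        word = line.split()[0].lower()
        if word in LEGACY:
            legacy.append(n)
        elif word == "require":
            require.append(n)
    if legacy and require:
        findings.append((require[0], "Require mixed with Order/Deny/Allow; use one style"))
    return findings

# Constructed sample containing both mistakes.
BAD = """\
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
<Files /index.php>
    Require all granted
</Files>
"""

# Constructed sample in pure Apache 2.4 syntax.
GOOD = """\
Require all denied
<Files "index.php">
    Require all granted
</Files>
"""

if __name__ == "__main__":
    for name, sample in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_htaccess(sample))
```

A static check like this does not replace requesting index.php and one other PHP file from a remote address and confirming the expected 200 and 403 responses.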