Reputation: 307
I want to have an htaccess that protects files from being directly accessed. So here's my file structure:
I already protected my folders with:
Options -Indexes
But someone can still type
www.domain.com/Folder/CSS/Styles.css
or
www.domain.com/Folder/Insert.php
And it would show them everything. How exactly do I protect these files with htaccess? I don't want anyone to be able to view them but I want the site to run correctly. Last time I tried
deny from all
And the entire website failed to load because all the files/folders were completely locked, not even the own website could access its things. I just don't want people typing in the file path into the url and view them.
Upvotes: 0
Views: 363
Reputation: 573
What you want is not possible, as a web browser will need to be able to get the files. You can try something like the following, within the protected directories. Just know that it does not take a genius to use Firebug, or any other development tool, to easily view the output of those requests - spoofing headers is also very easy to do...
SetEnvIfNoCase Referer "www.example.com" mysite
<Limit GET POST HEAD>
Order Deny,Allow
Deny from all
Allow from env=mysite
</Limit>
In the case that you are not familiar with the syntax, one can also use mod_rewrite for the same purpose with a [F] to forbid. (written for readability)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/Folder/?(.*)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.example\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www\.example\.com/ [NC]
RewriteRule ^.*$ - [F]
</IfModule>
Please know that if you have a flash/silverlight/java application then you will need to ensure that it passes the proper referrer request header before applying a solution like this.
Upvotes: 2
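What the two rule sets in the answer above accept and reject, modelled as an added example that is not part of the original answer. The Python functions are a simplified model of the Apache directives (an assumption, not Apache itself), and the sample requests, including the host other.example, are constructed.

```python
import re

# Model of: SetEnvIfNoCase Referer "www.example.com" mysite
# SetEnvIf runs an unanchored regex search (case-insensitive here); an absent
# header is modelled as an empty string.
SETENVIF = re.compile(r"www.example.com", re.IGNORECASE)

# Model of the three RewriteCond lines ([NC] = case-insensitive).
URI_COND = re.compile(r"^/Folder/?(.*)$", re.IGNORECASE)
REFERER_CONDS = [
    re.compile(r"^http://www\.example\.com/", re.IGNORECASE),
    re.compile(r"^https://www\.example\.com/", re.IGNORECASE),
]


def limit_allows(referer):
    """Order Deny,Allow + Deny from all + Allow from env=mysite."""
    return SETENVIF.search(referer or "") is not None


def rewrite_allows(uri, referer):
    """RewriteRule ^.*$ - [F] fires only when all three conditions hold."""
    referer = referer or ""
    forbidden = (
        URI_COND.search(uri) is not None
        and all(c.search(referer) is None for c in REFERER_CONDS)
    )
    return not forbidden


# Constructed sample requests for files under /Folder/:
# (URI, Referer header, or None when the client sends none).
SAMPLES = [
    ("/Folder/CSS/Styles.css", "https://www.example.com/index.php"),
    ("/Folder/CSS/Styles.css", None),
    ("/Folder/CSS/Styles.css", "http://other.example/?q=www.example.com"),
]


def evaluate(samples=SAMPLES):
    return [(u, r, limit_allows(r), rewrite_allows(u, r)) for u, r in samples]


if __name__ == "__main__":
    for uri, ref, limit_ok, rewrite_ok in evaluate():
        print(f"{uri:24} referer={ref!r:45} Limit={limit_ok} Rewrite={rewrite_ok}")
    # The URI pattern also covers paths that only start with "/Folder".
    print("/Folders.html, no referer, Rewrite =", rewrite_allows("/Folders.html", None))
```

Both rule sets reject a visitor whose browser sends no Referer, and the unanchored SetEnvIfNoCase pattern accepts any Referer that merely contains the host name. Anchoring it the way the RewriteCond lines do tightens the match, but the header stays client-controlled, as the answer says.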