CODEWITHSUNDEEP
phpsecurityapache.htaccessfile
oni-kun
oni-kun

Reputation: 1825

.htaccess deny access to specific files? more than one

I am able to disable access to a file with .htaccess, but I don't know how to disallow multiple files to be viewed (directly, not from includes)

They are .php files so I can't disable a file type.

<FILES ... ? 

</FILES>

For example "home.php, file.php, test.php" how do I disallow access to all three files with that tag or similar?

Upvotes: 22

Views: 23165

Answers (4)

Ruvee
Ruvee

Reputation: 9097

Solution for 2023

One-liner for detecting multiple files and multiple file extensions at the same time you could use the following patterns:

(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|html?)

Note:

The first set of parentheses up to "\.", is the file names/patterns and second set of parentheses after "\.", would determine your file extensions. Feel free to add/remove file(s) and file extension(s) to/from the example I provided you with, to suit your needs!

For example:

Matching multiple files with different file extensions and returning "Forbidden" to the user:

<FilesMatch "(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|html?)">
      Require all denied
</FilesMatch>

Matching multiple files with different file extensions and returning "404" to the user:

<FilesMatch "(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|html?)">
      Redirect 404
</FilesMatch>

Upvotes: 2

RafaSashi
RafaSashi

Reputation: 17205

since apache 2.4 

<FilesMatch "\.htaccess|config\.php">

    Require all denied

</FilesMatch>

instead of 

<FilesMatch "\.htaccess|config\.php">

    Order allow,deny 
    Deny from all 

</FilesMatch>

Upvotes: 6

Residuum
Residuum

Reputation: 12064

If you want to exclude files based on regular expressions, you could use FilesMatch instead of Files, e.g.:

<FilesMatch ^((home|test|file)\.php$|mysecretfolder|asecretpicture\.jpe?g)$>
...
</FilesMatch>

Upvotes: 27

Select0r
Select0r

Reputation: 12628

Looks like you have to exclude those files one by one:

<files home.php>
Deny/Allow/Whatever
</files>
<files file.php>
...

You can use *.gif in <files> or something*, but as home.php, file.php and test.php can't really be grouped with a "*", this is probably the only way to go.

Upvotes: 11

Related Questions