Reputation: 3226
I am currently developing a PUBLIC and OPEN SOURCE software using PHP/MySQL. I have a couple of important SECRET TXT files in a folder. I use them in the software, but the problem is that they are also readable by anyone who knows the folder and file names:
secret_folder \ my_data.txt
I need to hide them against everyone who might be trying to get secret data without permission. I found this way (keeping all secret folders under a unique folder):
U3IPpe8J_2573HkBfR0iYteH8X \ secret_folder \ my_data.txt
The unique key will be changing for each website (remember that the software will be open source and public).
Is it good enough for security, or should I use HTACCESS as well? If yes, how can I use it; or do you have any better idea?
Upvotes: 2
Views: 146
Reputation: 1436
One way to help secure the files is to not have them as text files. Maybe put the data required in a structure in a PHP file. The server will interpret this code rather than serve it up as a txt file.
I have to concur with the other commenter: obscurity is not security.
Upvotes: 2
Reputation: 14568
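For protection of individual files, use .htaccess like this:
<Files my_data.txt>
# Apache 2.2-style access control: refuse every host...
order deny,allow
deny from all
# ...unless the visitor logs in (Basic auth also needs AuthName and AuthUserFile)
AuthType Basic
AuthName "Restricted"
# placeholder path: point this at your own password file, kept outside the web root
AuthUserFile /path/to/.htpasswd
require valid-user
satisfy any
</Files>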
Upvotes: 2
Reputation: 165261
Remember, Security Through Obscurity Is Not Security. So no, it's not good enough.
Add a deny rule in .htaccess for the secret_folder and be done.
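So, your .htaccess would include:
# <Directory> sections are only accepted in the server or virtual host config;
# in a .htaccess file placed inside secret_folder, use the two inner lines alone.
<Directory /secret_folder>
order allow,deny
deny from all
</Directory>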
Even better still would be to move secret_folder above the web root (so it's not served at all).
/public_html/index.php
/secret_folder/my_data.txt
That way it's literally impossible for anyone to request my_data.txt through Apache (they could if they hacked PHP code, but not directly through the web server).
Upvotes: 7
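Added example, not part of any answer above: one way the PHP code can read my_data.txt once secret_folder sits above the web root, refusing to run if a deployment puts the folder back under the served directory. The helper names is_inside() and load_secret() and the temp-directory demo layout are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Assumed layout, as in the answer above:
//   /public_html/index.php   and   /secret_folder/my_data.txt
// is_inside() and load_secret() are hypothetical helper names.

// True when canonical $path is $base itself or lies beneath it.
function is_inside(string $path, string $base): bool
{
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path . DIRECTORY_SEPARATOR, $base, strlen($base)) === 0;
}

function load_secret(string $name, string $secretDir, string $webRoot): string
{
    $secretDir = realpath($secretDir);
    $webRoot   = realpath($webRoot);
    if ($secretDir === false || $webRoot === false) {
        throw new RuntimeException('Secret directory or web root not found');
    }
    // Refuse to run if a deployment put the folder back under the web root.
    if (is_inside($secretDir, $webRoot)) {
        throw new RuntimeException('Secret directory is inside the web root');
    }
    // basename() drops any directory part of $name; realpath() resolves
    // symlinks, so the check below catches a link leading out of the folder.
    $file = realpath($secretDir . DIRECTORY_SEPARATOR . basename($name));
    if ($file === false || !is_file($file) || !is_inside($file, $secretDir)) {
        throw new RuntimeException('Secret file not available');
    }
    $data = file_get_contents($file);
    if ($data === false) {
        throw new RuntimeException('Secret file not readable');
    }
    return $data;
}

// Constructed demo layout in a temp directory (not real site paths).
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/public_html", 0700, true);
mkdir("$root/secret_folder", 0700, true);
file_put_contents("$root/secret_folder/my_data.txt", "constructed sample\n");
echo load_secret('my_data.txt', "$root/secret_folder", "$root/public_html");

// In /public_html/index.php the call would be:
// load_secret('my_data.txt', dirname(__DIR__) . '/secret_folder', __DIR__);
```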