.htaccess to deny viewing of directory from all but local host

Question

I seem to have run into a situation where .htaccess files were able to successfully shut down a website of mine by denying server side PHP access to everything but the loading widget. Is there a way to prevent users from sniffing around the directories of the site (ie finding includes, images directory etc) while allowing scripts on the server to still access them properly? If so, how would I go about doing that?

I have attempted following another stackoverflow question

order deny,allow
deny from all
allow from 127.0.0.1

but it also produces the same issue. For example, if the .htaccess file in /img/ contains those lines (and only those lines), then the images on pages will not load.

Answer 1

Since you have limited options with your shared hosting, the first thing to point out is that File system permissions are very important. If the user was able to exploit your site and write or change a file on the filesystem inside your webroot, that is very bad. File system permissions should not allow the web process to write files in any directory other than one(s) you specifically have set up for that purpose.

Given that caveat, here is a solution that handles individual directories like your /img directory.

Create this .htaccess file in the /img directory:

order allow,deny
<Files ~ "\.(jpg|jpeg|png|gif|bmp)$">
   allow from all
</Files>

This will allow normal functioning for access to image files and disallow access to anything else.

Hopefully you can also see the pattern used here, where you are whitelisting the extensions of files that you will allow. You can use this same idea for any other directories you have if you want.