Block Access to Include Files Using .htaccess


When I build websites for clients and myself, I use numerous include files to make the site easy to maintain. These include files may be:

  • pure HTML, with no server-side code involved
  • PHP class files, used throughout the website
  • a mix of HTML and PHP
  • PHP code that performs one specific action; many of these are AJAX scripts

Obviously, if a person were to get lucky and guess the path and file name of one of my include scripts, problems could result, especially if an AJAX script is not secured (but I wouldn't do that, and neither would you, right?). For example, take the following poorly coded bit of PHP that runs when an AJAX call is made:

<?php
// inside file: includes/ajax/delete_id.inc
// Deliberately vulnerable: the id comes straight from the query string and is
// concatenated into the SQL with no validation, escaping or parameter binding.
$query = 'DELETE FROM my_table WHERE id = ' . $_GET['id'];
mysql_query($query);

Imagine the user changed the 'id' in the query string to "1 OR 1=1": the WHERE clause would then be true for every row, and all data would be lost!

Even if my scripts are secure (meaning I use proper validation to make sure they've been called correctly), a user/hacker has no business requesting an include file directly. The one exception is a script the browser is meant to call, such as an AJAX endpoint: that is a public entry point rather than an include, it must stay reachable, and so it should not carry the extension you block. Using .htaccess, we can reject any attempt by a user to reach an include file:

<Files ~ "\.inc$">
	Order allow,deny
	Deny from all
</Files>

The above tells Apache to refuse every HTTP request for a file whose name ends in ".inc" (the client receives a 403). Two caveats: this is Apache 2.2 syntax, and on Apache 2.4 the equivalent is "Require all denied" unless mod_access_compat is loaded, and <FilesMatch> is the preferred spelling of <Files ~>. Also, only requests from the network are affected; PHP's include() and require() read the files from disk, so the site itself keeps working. You can easily adapt the pattern to your own naming convention and folder structure.
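As an added example (this is not code from the original post), here is the same rule written so that it works on both Apache 2.2 and 2.4, extended to deny an entire directory, with the browser-callable endpoints kept out of the blocked set. The directory names includes/ and ajax/, the extensions, and the file layout are assumptions; the second fragment is shown commented out because it belongs in a separate .htaccess inside includes/, and an uncommented "Require all denied" in the web root would deny the whole site.

```apache
# Added example, not the original post's code. Directory and file names
# are assumptions; adjust them to your own layout.
#
# Layout assumed:
#   /.htaccess            this file, in the web root
#   /includes/*.inc       templates and classes: never requested by a browser
#   /includes/.htaccess   second fragment below: denies the whole directory
#   /ajax/delete_id.php   browser-callable endpoint: must stay reachable,
#                         so it lives outside includes/ and is not *.inc
#
# Only HTTP requests are blocked. PHP's include()/require() read the files
# from disk, so the site itself is unaffected.

# Apache 2.4 (mod_authz_core is present): Require replaces Order/Allow/Deny.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(inc|tpl)$">
        Require all denied
    </FilesMatch>
    # Never serve .htaccess / .htpasswd themselves, even if the server's
    # main config forgot to do so.
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 (no mod_authz_core): the syntax used in the post.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(inc|tpl)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# --- contents of /includes/.htaccess (shown commented out) -----------------
# Deny the directory as a whole, whatever the extension. A .htaccess file
# applies to its own directory and everything below it, so no <FilesMatch>
# wrapper is needed here.
#
# <IfModule mod_authz_core.c>
#     Require all denied
# </IfModule>
# <IfModule !mod_authz_core.c>
#     Order allow,deny
#     Deny from all
# </IfModule>
```

To check the result, request one of the blocked files with a normal HTTP client (for example "curl -I http://your-site/includes/header.inc") and confirm a 403, then request the AJAX endpoint and confirm it still answers 200. The server's AllowOverride setting must permit these directives (AuthConfig for Require on 2.4, Limit for Order/Deny on 2.2, or simply All): with AllowOverride None the .htaccess file is ignored entirely, and with the wrong class Apache answers every request in that directory with a 500.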

Just another .htaccess tip to make your website more secure!

Discussion

  1. Nice one, I’m going to add it to the ultimate htaccess guide at http://www.askapache.com/apache/apache-htaccess.html

  2. where in the .htaccess file do you place that code (the second block of code in your entry)?

  3. @Charles: It shouldn’t matter where in your .htaccess file you place the above snippet.

  4. Nice work.
    Are you able to add multiple filenames/file paths to the tag?

  5. @pfwd: I believe if you’re clever with regular expressions you should be able to.

  6. This is very cool. A similar trick I use a lot, and I believe WordPress uses as well, is to check to see if a php file is being accessed directly.

    <?php
    //this document is called file.php
    if ('file.php' == basename($_SERVER['SCRIPT_FILENAME']))
       die ('Do not access this page directly.');
    ?>
    


  7. Specs

    I used this, but now my AJAX calls to .inc files (sends GET variables and then receives output from .inc file) aren’t working anymore…

    new Request.HTML({
    url: 'http://www.blah.com/includes/consultant_ajax.inc?id=' + id,

    Isn’t there a way to define a “Don’t deny from server call” or something (if this makes sense)?

    I’m assuming the “deny from all” makes it fail even when I make an AJAX call to the .inc file.

    Any thoughts?


  9. Wow!! That is really a cool trick… to block include files….

    Thanks.. :)

  10. Nicklas Smed

    Maybe this post could use an update.

    @Specs: I don’t know the solution, but denying access from all but the server wouldn’t solve your problem, as JavaScript files are used by the user’s client, not the server.

  11. Great tips on using htaccess very efficiently. Thanks

  12. Xavier

    Well, the trick is useful, but the example given couldn’t be more poorly chosen: you want to deny access to your internal scripts / files, but certainly not to your AJAX response functions that need to be called by (external) clients (i.e. browsers)…

  13. phplearner

    Can someone tell me how to block the PHP files inside a folder named “includes”?

    Please advise.

  14. For AJAX files you can check for a special header. http://www.web-design-talk.co.uk/197/detect-ajax-requests-using-the-x-requested-with-header-and-xmlhttprequest/

    Although renaming your files and blocking direct access to that extension is also good :)

  15. AnantaSrinivas

    How do I restrict access to the .htaccess file itself?

    Thanks,
    Ananta Srinivas

  16. I often use this code to prevent loading files directly in WordPress:

    defined( 'ABSPATH' ) || exit;

    But that makes the code ugly! I think .htaccess is a better way to do that and hope WordPress can generate something similar in the wp-content folder.
