How to Prevent Access to Files & Directories Using .htaccess


By default, Apache allows access to all files & directories in the Document Root folder. They can not only be accessed but also listed. This might not be safe and can expose your website to various attacks. Here’s how to prevent access to files & directories using .htaccess. You can use this solution to selectively block access to sensitive information on your website.


How to Prevent Access to Files & Directories Using .htaccess

Here are the steps to prevent access to files & directories using .htaccess.

Before you proceed, please ensure that .htaccess files are enabled in your Apache server (the AllowOverride setting for the document root). Here’s how to do it:

Place your .htaccess file in the document root folder of your website (for example /var/www/html) and add the following rules to it, depending on your use case.


If you don’t have access to .htaccess, you can place the following rules directly in the Apache server configuration file. You will find it at one of the following locations, depending on your Linux distribution:

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf


1. Deny Access to .htaccess file

If you want to deny access to the .htaccess file itself, add the following code to it.


# Deny access to .htaccess
# Apache 2.2 syntax; the Order argument takes no space after the comma.
# On Apache 2.4 use "Require all denied" instead of the Order/Deny pair.
<Files .htaccess>
Order allow,deny
Deny from all
</Files>


2. Disable Directory Listing

Add the following line to disable directory listing. Search engine bots (and any other client) then receive a “403: Access Forbidden” error when they request a directory that has no index file, instead of a listing of its contents.


# Disable directory browsing
Options -Indexes

If you don’t want to display the “403: Access Forbidden” message, add the following line instead. The listing page is still generated, but every entry is hidden from it.


# Hide the contents of directories
IndexIgnore *


If you want to hide only specific file types from the listing, add the following.


# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
IndexIgnore *.png *.zip *.jpg *.gif *.doc


3. Prevent Access to Specific file types

The above directives only hide files from directory listings; the files can still be requested directly by URL. If you want to prevent access too, add the following code.

To deny access to specific file types:


# Deny access to files with extensions .ini, .psd, .log, .sh
# (Apache 2.2 syntax; on 2.4 replace Order/Deny with "Require all denied")
<FilesMatch "\.(ini|psd|log|sh)$">
Order allow,deny
Deny from all
</FilesMatch>


To deny access to all hidden files, that is, files whose names start with a dot (.), such as .htaccess and .htpasswd:


# Deny access to filenames starting with dot (.)
# (Apache 2.2 syntax; on 2.4 replace Order/Deny with "Require all denied")
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>


To password-protect files and directories, store the username and password in a .htpasswd file (here are the steps) and add the following.


# Password protect files named execute, index, myfile or anotherfile,
# with or without an extension (e.g. index.php). A trailing * after the
# group would also match the empty name and repeated names, so it is omitted.
<FilesMatch "^(execute|index|myfile|anotherfile)(\.[A-Za-z0-9]+)?$">
AuthType Basic
# Realm name shown in the browser's login prompt
AuthName "Mypassword"
# Replace with the absolute server path to your .htpasswd file
AuthUserFile /full/server/path/.htpasswd
Require valid-user
</FilesMatch>
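As an added example (not from the original post), here is one .htaccess that combines the rules from sections 1 to 3 and works on both Apache 2.2 and 2.4: Apache 2.4 replaced Order/Deny with Require, and the old form fails on 2.4 unless mod_access_compat is loaded, so each rule is written in both forms behind IfModule checks. The extension list and the RedirectMatch line are assumptions; adjust them to your site.

```apache
# Added example: one .htaccess combining the rules above, portable across
# Apache 2.2 (mod_authz_host: Order/Deny) and 2.4 (mod_authz_core: Require).
# Requires AllowOverride to permit Options, Limit/AuthConfig and FileInfo.

# Never generate directory listings
Options -Indexes

# Block every dotfile (.htaccess, .htpasswd, .env, ...) plus config, log,
# backup and script files that should never be served to a browser.
# The extension list is an assumption; extend it for your deployment.
<FilesMatch "(^\.|\.(ini|psd|log|sh|bak|sql|env)$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch checks only the file name. Also refuse any URL containing a
# dot-directory such as /.git/, while leaving /.well-known/ (ACME,
# security.txt) reachable. Returns 404 so the directory's existence is not
# confirmed to the client.
RedirectMatch 404 "/\.(?!well-known/)"
```

After deploying, request a few blocked paths (for example /.htaccess, /.git/config and a .log file) with curl and confirm they return 403 or 404 rather than content.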


That’s it! Rules placed in .htaccess take effect on the next request. If you added the rules to the main Apache configuration file instead, restart the Apache web server to apply the changes.


$ sudo service apache2 restart


You can also place .htaccess file in a sub directory to restrict files & sub directories in it.

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses. Ubiq makes it easy to build business dashboards & reports for your business. Try it for free today!