deny direct access to a folder and file by htaccess

Here is the scenario:

• There is a index.php file in root folder
• some files are included in index.php which are in the includes folder.
• 1 other file (submit.php) is in the root folder for form submit action.

I want to restrict direct user access to the files in includes folder by htaccess. also for submit.php. But include will work for index.php file. Like, if user types www.domain.com/includes/somepage.php, it will restrict it (may be redirect to a error page).

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

This is pure mod_rewrite based solution:

RewriteRule ^(includes/|submit\.php) - [F,L,NC]

This will show forbidden error to use if URI contains either /includes/ or /submit.php

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>

1 liner mod_alias based solution :

RedirectMatch 403 ^/folder/file.php$

This will show forbidden error for /folder/file.php

If I understand correctly you just want to deny access to the includes folder?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.

However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

If this is true then you can't use anubhava's part II as this will cause your form to fail. What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:

RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php   [NC]
RewriteRule ^submit\.php$    -                                   [F]

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

Satisfy all
Order deny,allow
Deny from all

I ran into this when the upper directory defined basic authentication including the line:

Satisfy any

This was preventing my deny from all to take effect because the users were authenticated.

You can add the below command to .htaccess file

Deny from all
ErrorDocument 403 "nothing is here"

It will display the "nothing is here" message in case of the unauthorised access.

If you want to redirect by an error code to a certain page then you can define a command as follows:

ErrorDocument 404 "/errors/404.html"

It will redirect to the /errors/404.html and show the custom page not found screen.