My site has several directories :
phpfiles
scripts
images

I want to allow access to these only from my WEB site.

I should be able to do this by adding a .htaccess file to each directory, This is what I added

Options -Indexes
order deny,allow
deny from all
allow from https://kidsbooks.gq

Using this stops everything accessing the files, even from my web site.

The URL is serviced through CloudFlare so I have tired using the original webhost address supplied by webhost of http://kids-books.000webhostapp.com/, I have even tried to use the ip address of both URL’s.

Can somebody tell me what I have wrong please.

Thanks

Garry

Good day, sir!

I want to allow access to these only from my WEB site.

You want to list the files in browser or do you want to prevent them from being listed?

Hi Teodor

The .htaccess stops the directories being listed and this works fine.
But if I know the names of the php files I can enter them into a browser and run the file.

E.g. I have a file deleteUserAccount.php, this is called from my javascript using ajax, but I can also run it by simply calling it as a URL in any WEB browser :

https://kidsbooks.gq](https://kidsbooks.gq/phpfiles/deleteUserAccount.php?userid=1234

So I want to restrict access to the directories to only allow calls that come from my WEB application and stop calls from browsers.

I thought I could do this using the ‘allow from https:kidsbooks.gq’ entry, but that stops all access.

Thanks for helping

Garry

As long as your files are located in /public_html they are all accessible through the direct path and there is no way we can overcome that.

Two fixes are coming in my mind:

1. You could move your core PHP files to the root path of your site (/) and include them in your public PHP files.
2. You could generate a unique key for each request which is coming from your web application and drop all requests which do not meet the key criteria.

I’m currently implementing idea 2, but that is taking longer than I expected.

I’ll also have a look at idea , the more security the better, I’ve already had somebody hack my site and nobody is using it yet

Thanks for helping.

This topic was automatically closed after 5 days. New replies are no longer allowed.