In my project I have a folder called library. the folder contains essential scripts that other php files call from so I am trying to secure this folder so that no body would be able to access the directory from the url.

But I dont know how to do this. The project was built from scratch I did not use any mvc framework.

So I am left to secure myself.

Thanks for reading.

If you are using a Linux server, you can set the access to the folder to 400 to limit it to reading by the system.

Disable Indexing is also a good step if you're running Apache. This shall throw out a 403 if anyone attempts to access folders.

tans alot. How do I disable indexing on apache

You need to edit your host files, in Apache2 it is normally (although not always) found in your sites-enabled folder.

apache2 > sites-enabled > 000-default

Edit this file, and where it says:

<Directory /var/www/>
       Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

Change this to:

<Directory /var/www/>
       Options FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all

add this in your htaccess file: Options -Indexes

would i place the .htaccess in that directory that I want to protect

Disabling Indexing alone does not disable access to the files (assuming they can guess the filenames).

yes, add the htaccess file to root directory of your project

yes, that was for disabling indexing, yet still can access to files if they can guess the names...

also here is if you want to disable direct execution of php files

RewriteCond %{THE_REQUEST} (.).php
RewriteRule ^(.
).php - [F,L]

Since it's a library directory another solution is to .htaccess:

Order allow,deny
deny from all

this will return 403 Forbidden to any direct web access, but the files will still be available for include(), require() and require_once().

Member Avatar

One non-Apache way to secure files from direct access would be to apply a CONSTANT in the main file, which all included files must check for in order to run, e.g.


define("INCLUDED_ALLOWED", true);


    //trigger a 404?

Granted, this will not protect files other than included php files, but are you looking for other types of files to protect? It's not as elegant as an apache solution though IMO.