How to Prevent Direct PHP File Access in Apache Except for Index.php?

Denying Direct PHP File Access Except for Index.php

Protecting your PHP files from unauthorized direct access is crucial for the security of your web application. This article discusses a solution to deny access to all .php files except for index.php, ensuring that users can only access other PHP files through PHP include.

Apache Configuration

To implement this restriction, you can follow these steps:

1. Ensure that mod_access is enabled in your Apache configuration.
2. Add the following code to your .htaccess file:

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

<Files /index.php>
    Order Allow,Deny
    Allow from all
</Files>

Explanation

• The first directive denies access to all files from the web.
• The exclusion in the section explicitly allows access to index.php.
• The order of the directives is critical to ensure that index.php is accessible while other PHP files are denied.

Additional Considerations

• If you need to allow access to specific file types, you can use directives within the section. For example, you can allow access to CSS and JS files:

<FilesMatch ".*\.(css|js)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

• Avoid using or directives for access control within .htaccess files.

Update for Apache 2.4

In Apache 2.4, the access control syntax has changed. Replace the "Deny from all" directive with "Require all denied" to achieve the same effect.

The above is the detailed content of How to Prevent Direct PHP File Access in Apache Except for Index.php?. For more information, please follow other related articles on the PHP Chinese website!