.htaccess Directory Access

Directory Access

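This directive disables automatic directory listings: a request for a directory that has no index file in whatever format the server is configured to use, such as index.html or index.php, is refused with 403 Forbidden instead of being answered with a list of the directory's contents.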

<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>

Block access to hidden files and directories

On Linux and Macintosh systems, files that begin with a dot are hidden from view, but they can still be accessed by anyone who knows their name and location. These files usually contain user preferences or the stored state of a utility, and can include rather private places such as the .git or .svn directories.

The .well-known/ directory represents the standard (RFC 5785) path prefix for "well-known locations" (e.g.: /.well-known/manifest.json, /.well-known/keybase.txt), and therefore, access to its visible content should not be blocked.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>

Block access to files with sensitive information

Block access to backup and source files that may be left by some text editors and can pose a security risk when anyone has access to them.

You can use the <FilesMatch> regular expression (see example below) to protect any files that might end up on your production server and could expose sensitive information about your website. These files may include configuration files or files that contain metadata about the project, among others.

<IfModule mod_authz_core.c>
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
Require all denied
</FilesMatch>
</IfModule>
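
To check what the hidden-file rewrite rule and the <FilesMatch> pattern above actually cover before deploying them, the following added example (not part of the original page) replays both regular expressions in Python over constructed sample paths. It assumes the .htaccess file sits in the document root; the function names and the `exists` flag, which stands in for the -d / -f tests, are hypothetical.

```python
import posixpath
import re

# Patterns copied from the rules on this page.
WELL_KNOWN = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)  # [NC]
DOT_SEGMENT = re.compile(r"(^|/)\.")
SENSITIVE = re.compile(
    r"(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$"
)

def blocked_by_rewrite(url_path, exists=True):
    """Model the mod_rewrite rule; `exists` stands in for the -d / -f tests."""
    if WELL_KNOWN.search(url_path):   # the first RewriteCond is negated
        return False
    if not exists:                    # neither -d nor -f holds, so no [F]
        return False
    # Assumption: .htaccess is in the document root, so the RewriteRule
    # pattern sees the URL path without its leading slash.
    return bool(DOT_SEGMENT.search(url_path.lstrip("/")))

def blocked_by_filesmatch(url_path):
    """<FilesMatch> tests only the last path component, case-sensitively."""
    return bool(SENSITIVE.search(posixpath.basename(url_path)))

def verdict(url_path):
    """Classify a URL-decoded path whose target exists on disk."""
    if blocked_by_rewrite(url_path):
        return "403 hidden"
    if blocked_by_filesmatch(url_path):
        return "403 sensitive"
    return "not blocked"

# Constructed sample paths, not taken from any real site.
SAMPLES = [
    "/.git/config", "/.well-known/manifest.json", "/.well-known/.hidden",
    "/config.php.bak", "/index.php~", "/notes/#draft.txt#",
    "/backup.sql.gz",   # compressed dump: extension is not in the list
    "/DUMP.SQL",        # upper case: the pattern has no case-insensitive flag
    "/css/style.css",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{verdict(path):14} {path}")
```

The two "not blocked" results for backup.sql.gz and DUMP.SQL show where the extension list would need extending if such files can appear on the server.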