So I have this PHP web app, and one of my folders contains some files that can be downloaded.
I have a download script that modifies the headers, in order to always o
Deny from all
in the .htaccess
or move the files above document root
You can make a .htaccess file and enter Options -Indexes
this will disable listing of the files in the directory.
If you also need the traffic to originate from your site you will need to make a file say... index.php with code that checks $_SERVER['HTTP_REFERER']
to see if the traffic originates from your site.
EDIT
Oh I forgot you can actually fix it all in the .htaccess:
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://your-host.com/.*$ [NC]
RewriteRule ^.* /403-page [L,R]
This will do all the work of the script I suggested, so you won't need it anymore.
Yes, this is correct. .htaccess files block access for users, but have no influence on local server scripts.
Move the folder out of the webserver's root directory so that Apache will not serve files from that directory at all. You can still include files from the folder if it is readable by the apache/http user, but your site users won't be able to access it from any URL.
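An added example, not code from any of the posts above: a sketch of a download script for the layout the answers recommend, where the files sit outside the document root (or behind `Deny from all`) and are reachable only through PHP. The folder name `private_files`, the `file` query parameter and both function names are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Assumed layout: this script sits in the
// document root and the downloadable files live in a sibling folder outside it.
declare(strict_types=1);

const STORAGE_DIR = __DIR__ . '/../private_files'; // hypothetical folder name

// Map a user-supplied name to a real file inside $baseDir, or null if the
// name is empty, missing, or resolves to somewhere outside that folder.
function resolve_download(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // basename() discards directory parts such as "../" or absolute prefixes.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() follows symlinks, so re-check that the target is still inside.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Send the file as an attachment so the browser saves it instead of rendering it.
function send_download(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    // rawurlencode() keeps quotes and line breaks out of the header value.
    header("Content-Disposition: attachment; filename*=UTF-8''"
        . rawurlencode(basename($path)));
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    // The site's own access check (session, login) would run here before
    // anything is served; it is left out because the thread does not show one.
    $name = $_GET['file'] ?? null; // hypothetical parameter name
    $path = is_string($name) ? resolve_download(STORAGE_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    send_download($path);
}
```

Because the script reads the files from disk, the `Deny from all` rule or the move out of the document root does not affect it. Those measures only stop direct URL requests, as the last two answers describe.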