Anyway protecting your site from external site scandir

Question

Just came across to a website that lists all hidden files. I utilized Facebooks directory called: \"hashtag/\" and the results showed a whole bunch of files from http://www.face

Answer 1

The main option is Indexes you can turn them off in your .htaccess with

Options -Indexes

The second option is blocking Deny

Order Deny,Allow
Deny from All

Say you have a folder called inc that holds some files that you don't want accessible via a url but you want your other PHP scripts to be able to include them you toss this rule in an .htaccess file in your inc folder.

Here is a link to a great resource on .htaccess rules https://github.com/phanan/htaccess

Answer 2

One common approach is to put files that are not directly accessed below the web root, so they are inaccessible from the web.

For example, if you have your web root at var/www/html, place your source code outside html and it will be impossible to load from the internet. This, however, requires you to use some sort of loading/requiring the files in your framework, but that is pretty common these days. See PSR-4: Autoloading.

The tool you linked to does not have a "magic" way of finding files, as blocking/hiding files with Apache is absolute, see this answer for more .htaccess details. The tool simply tries a series of words, and common file names, and checks for a valid 200 response. Unless you move your files outside the web root, this would be impossible to defend against.

As you are saying, this is possible deny access to directories and files with .htaccess, and also turn off file listing, however you should note that .htaccess settings are inherited from directory to directory, which means that if you block all access at the root level, this will be applied to every single file and directory it contains.