htaccess securing files from being accessed by users

So, I'm sure this question gets asked quite a lot around here, but after a good 20 mins searching, I haven't been able to find any questions that produce the correct result.

I have files, such as /index.php and /dashboard.php which use resource files such as /framework/assets/stylesheets/index.css etc. What I want to do, is block off the access to any files in the /framework/ directory, but still allow usage of them from index.php and the other respective files. How would I configure my .htaccess file to allow me to do this?

I understand that this may not be possible, but is there any way that the directory /framework/ which includes some PHP files to be hidden from users, but still allowed to be accessed via other PHP scripts using include 'file.php'?

Any help would be very appreciated. Thanks.


Since you want to have a css file only available when the specific php script is run you could use a include directive in php and embed this into your other html.

Something like this:


php-files aren't restricted through htaccess and you include it server side and offer only the stuff you want to the client.

You should't block access to CSS and JavaScript files. If you do so, it means that your site's design is going to break. For include files, try below rules. Place your .htaccess file with below rules in your includes directory you want to forbid access to. These rules allow only $_POST requests on files contained in the directory as well as you can include one file to another restricting the direct access to that include file.

<LimitExcept POST>
order deny,allow
deny from all

As stated in the comments to the original question by Magnus Eriksson, to achieve the effect that I wanted to with CSS files, JS files, and other resource files is something that cannot be done, as these files are directly fetched by the HTML, and therefore use http requests.

The PHP files however are able to be protected, by placing a .htaccess file in the /framework/ directory with the content of:

deny from all

To grant access to the resource's in /framework/assets/, All that needed to be done was to add another .htaccess file with allow from all written inside.

Simple answer to a simple question.

Documentation for further use:

Need Your Help

How to Start WEBrick Server in Rubymine Console from Ruby Script

ruby webrick rubymine

I have Ruby script that creates a proxy so that I can make HTTP request to a server from the command line using a session ID that the server expects.

is_base_of in a template parameter - class does not name a type

c++ templates c++11

Just wondering why I can't use is_base_of in a C++ template argument like the following: