Deny access to some subdirectories via .htaccess

Question

This is a common question, but I'm a bit stupid so other's methods didn't work out for me. I want to deny access to following subdirectories (note: main site is located like this http://localhost/en/ and every subdir is staring with /en/ where .htaccess file is located): reg_auth_rec_del/ajax/ (and all it's files), media/parts/ , media/scripts/ , media/translations/ . But the thing is that all these files are used on all pages (for example media/parts/footer.php is used on all pages and can be viewable on pages like index.php and others. So I want to prevent user from viewing all these files directly.

I mean so I don't want them to be directly viewable.

Now, I'm just using this way, but I think that it's not a good way to handle things:

$admins = array("192.168.0.100", "192.168.0.101", "192.168.0.102");
$ip = $_SERVER['REMOTE_ADDR'];

if(in_array($ip ,$admins, true)){
    $_SESSION['PERMISSIONS'] = "ADMIN";
} else {
    $_SESSION['PERMISSIONS'] = "USER";
}

//So if $_SESSION['PERMISSIONS'] == "USER", I can decide if I'd ike to open access to some files, and
//if the file can be viewable by user

Answer 1

The best way is as @JasonJoslin suggested in comments, move the PHP files outside your document root. You can still include them in other PHP files.

For Javascript files, style sheets, and images, there is no way to deny access, because these files are included in the HTML responses, and the clients must be able to load them somehow.

---

If you want to keep files inside the document root and forbid access anyway, you can either use the old style Order , and Allow / Deny , or apply the new directives as described in Access control . Put an .htaccess file in subdirectories reg_auth_rec_del/ajax , etc.

Require all denied

This should deny access to the directories and all their subdirectories as well.