I have a folder www.mysite.com/page/panel/soascripts/ where there are 10 different PHP files.
I want to prevent access to the folder soascripts and the PHP files in it, except when the request carries X-Requested-With = XMLHttpRequest (for AJAX). Is this possible with htaccess?
1 Answer
In the htaccess file in your soascripts folder:
RewriteEngine On
RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
RewriteRule \.php$ - [L,F]
So without the X-Requested-With: XMLHttpRequest request header, the response will be a 403 Forbidden.
EDIT:
If you want to add the rules to the document root, you just need to include the path:
RewriteCond %{HTTP:X-Requested-With} !=XMLHttpRequest
RewriteCond %{HTTP:X-REQUESTED-WITH} !^(XMLHttpRequest)$
RewriteRule ^page/panel/soascripts/[^/.]+\.php$ - [L,F]
Make sure to add it before any type of routing rules (like stuff being sent to index.php).
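Whether the rule lives in the soascripts folder or in the document root, it only checks a request header that the client itself supplies, so it keeps casual browsing away from the scripts but is not an access control on its own. The following PHP guard is an added example (not part of the answer above): it repeats the same header check inside the script and then additionally requires a logged-in session, so that the X-Requested-With test is a convenience filter and the session is the real gate. The session key `user_id` and the file name `_guard.php` are assumptions, not names taken from the question.

```php
<?php
// Added example guard for the scripts in soascripts/ (not from the original answer).
// Save as _guard.php in the same folder and put
//     require_once __DIR__ . '/_guard.php';
// as the first line of every script that should only answer AJAX calls.

declare(strict_types=1);

session_start();

/**
 * Mirrors the .htaccess condition: true only when the request carries
 * X-Requested-With: XMLHttpRequest. PHP exposes request headers in $_SERVER
 * as HTTP_ followed by the upper-cased name with dashes turned into underscores.
 */
function is_xhr_request(array $server): bool
{
    $value = $server['HTTP_X_REQUESTED_WITH'] ?? '';
    return strcasecmp($value, 'XMLHttpRequest') === 0;
}

/**
 * The check the header alone cannot give you: the caller must already be
 * logged in. 'user_id' is an assumed session key; use whatever the panel's
 * login code stores after a successful sign-in.
 */
function is_authenticated(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']) && $session['user_id'] > 0;
}

/**
 * Refuses the request with 403 unless both conditions hold. Returning a plain
 * 403 for both failures avoids telling a probing client which check failed.
 */
function require_ajax_and_login(array $server, array $session): void
{
    if (!is_xhr_request($server) || !is_authenticated($session)) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit('Forbidden');
    }
}

require_ajax_and_login($_SERVER, $_SESSION);

// From here on the script can run its MySQL queries; the guard above adds a
// single header and session lookup per request, which does not affect query speed.
```

Keep the .htaccess rule as well: it stops the PHP files from being opened directly in a browser before PHP even runs, while the guard covers the case where someone sends the header deliberately but has no session.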
2 Comments
Kallewallex
JonLin Thank you. @Quentin I don't have a lot of directories or files. I just want to prevent anyone from display-raping the php files and I don't know how else to achieve this. hm, I've read the article.... will this also slow down my php mysql queries to my database in the soascripts folder?
The X-Requested-With header is trivial if any attacker wants to do something nefarious with the data.