18

Its been a long time since I've needed to crack open an .htaccess file...

What is the simplest way to 40x prevent access to a specific file extension through out the entire site?

Improve this question

6 Answers 6

Reset to default
31 
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Loaded with some common extensions, add more as you need.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

13

If you really want a 404 (and not a 403), you can use mod_rewrite:

RewriteEngine on
RewriteRule \.ext$ - [R=404]
Improve this answer

7 Comments

sorry - 403 is what I should use. I edited the question to say 40x.
Note that RFC 2616 allows a 404 response when the access to a resource is forbidden (see section 10.4.4). So your original question was valid.
There is also Redirect 404, ref: Requests to .htaccess should return 404 instead of 403 and RedirectMatch 404, ref: Make .git directory web inaccessible - just clustering a bit here.
Doesn't work for me. RewriteEngine on RewriteRule \.lfpt$ - [R=404] displays the file. URL rewriting works elsewhere on the site.
@SteveAlmond what you wrote (\.lfpt$) matches everything that ends with .lfpt, if you have a file called lfpt it won't match but display it. If your file is called anythinghere.lfpt it is matched. \. is an escaped ..
|
5 
<FilesMatch "\.ext$">
    Deny from all
</FilesMatch>

See the Apache documentation on FilesMatch and Deny

EDIT: Artefacto makes a good point, this will return 403, not 404, if that's important for your purposes

Improve this answer

Comments

2

You can also deny access to file extensions using RedirectMatch directive :

RedirectMatch 403 ^/.+\.(php|html|gif)$

This will return a 403 forbidden error for clients if they request any uri that ends with .php or .html or .gif . You can add more extensions to the pattern using a bar | .

Improve this answer

Comments

1

I like both @Chris Lawlor's and @starkeen's answers and since OP asked about "40x" I'm going to suggest redirecting to a 404 error since it doesn't give away the fact the files exist.

This is what I'm currently using in one of my projects:

# Hide files not concerning the user
RedirectMatch 404 \.(htaccess|htpasswd|ini|log|sh|inc|bak|bkp|sql)$
Improve this answer

Comments

1

@Dário has the right idea for File Types, and it can also be used for specific files and directories as well. The only thing that is missing is to manage case sensitivity.

I came across this article that gives some detail about case-sensitive RedirectMatch, and also suggests being character case non-sensitive.

When it comes to redirecting most requests, its all lowercase anyway. Or you can use RewriteRule to establish case-insensitivity. But for some situations, it’s good to know that you can also roll with RedirectMatch by simply adding the (?i) to the rule.

RedirectMatch 403 /\$\&
RedirectMatch 403 (?i)/\.(bash|git|hg|log|svn|swp|tar)
RedirectMatch 403 (?i)/(1|contact|i|index1|iprober|phpinfo|phpspy|product|signup|t|test|timthumb|tz|visit|webshell|wp-signup).php
RedirectMatch 403 (?i)/(author-panel|class|database|manage|phpMyAdmin|register|submit-articles|system|usage|webmaster)/?$
RedirectMatch 403 (?i)/(=|_mm|cgi|cvs|dbscripts|jsp|rnd|userfiles)
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.