• 0

Prevent access to files using .htaccess


Question

Hi everyone,

I'm trying to use the .htaccess file to prevent type-in access to .js (javascript) files which are located in a /scripts folder

with:

<Files ~ "\.js$">
Order Deny,Allow
Deny from all
</Files>

I can block type-in access, but the pages cannot use the scripts. I add "Allow from 127.0.0.1" but no results.

I also tried:

Options +FollowSymlinks
RewriteEngine On

RewriteCond %{HTTP_REFERER} !^http://mydomain.* [NC]
RewriteRule .*\.(js)$ http://mydomain.com [R,L]

In this case, the scripts are functional, but the first time I type the location of .js file, I can get it open. Only when I refresh the page that I get redirected. I really can't understand why this happens...

I find this really useful to block hotlinks, but it's not always bloking type-in requests.

By the way, I have no access to apache configuration.

Any help would be appreciated.

Thanks

7 answers to this question

Recommended Posts

  • 0

The refer is the page/site that you came from to load the current page. When typing in the url, the refer i expect is going to be blank, however upon a refresh it seems that it is changed to the "previous" page displayed!

What your trying to do, afaik, isn't possible; however you go about trying to block access to the js files, they need to be sent to the browser, somehow, so it can use them, there's just no getting around it, however you do that, the code is going to have to be available to the browser for it to run it, and in doing so it automatically becomes accessible to the user too!

Think about it:

1) You could stick the js files in a dir outside of the web root, so they are inaccessible publicly, and then use a rewrite or php file to get to them, but that makes absolutely no difference...

2) You could encrypt them, and have a piece of unencrypted js that decrypts them and allows them to run; the average person couldn't see the code, but anyone with js skills could easily obtain a decrypted copy...

They have to be public one way or another, all you can do is make things a little more difficult, I'd just give up if I were you, it's not worth the effort ;)

  • 0

I utilize WHMCS which utilizes .TPL files.. The unfortunate part was that a user could access the filename.tpl file by typing it directly in (assuming they know the exact filename, which if you use the script, you know it..) Because of this when I was selling premium templates, some users were stealing it by simply manually going to all 40+ TPL files and seeing the hardcoded source..

To prevent them from access the TPLs BUT still allow them to be read by the server, I used the following:

 <Files "*.tpl">
Order Allow,Deny
Deny from All
</Files>

That sample tosses a 403 Forbidden when you access the file in any browser BUT the server can still access it. For example:

http://demo.mywhmcs.com/templates/portal/ -- This is a direct link to a template I'm not utilizing nor do I have it protected as it's a default template. Notice how you can see all TPL files (and others)

http://demo.mywhmcs.com/templates/macish -- This has an .htaccess file tossed into it preventing TPL files from being shown. Notice when you view http://demo.mywhmcs.com, you're able to view the site with NO issues despite the fact that everything is powered from TPL files.

BTW, ignore the **** design on there ;).

The reason why your snippet is not working is because the ORDER of the 1st line is crucial. You can read about it on apache.org. :)

Edit: Bah, I see it's for .js though--That's not possible, sorry! Same with not being able to do it with CSS, etc.

  • 0

As far as I know, if it needs to be downloaded to the client, you can't restrict direct access since that's how the browser will obtain it too, as theblazingangel said.

There are a couple of ways you could go about making it hard though:

  1. Try Google's "Closure" compiler which will optimize, and then obfuscate (as a result of optimization), your JavaScript and make it hard for humans to read. This is the easiest and probably the optimal solution.
  2. Try loading your scripts through a PHP file that detects whether or not the request was automated by the browser loading the script, or manual by a human trying to view it. I still don't know if its possible like this, but its perhaps worth looking into if you're THAT concerned.

  • 0

The key here is understanding the difference between server side and client side code. Server side code can - and should - be 100% hidden from the user. This includes PHP, .NET, and all that kind of stuff.

JavaScript, on the other hand, is like HTML and CSS. It needs to be read by the browser - and if the browser needs to read it, humans who are interested in reading it will be able to. There isn't a way to block access to JS files, because if humans can't access it, browsers won't either ;)

  • 0

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

  • 0
  On 30/05/2010 at 04:05, andressito said:

Thank you all for the answers!

I thought there was some variable (like HTTP_REFERER) that saves the url from the address bar, so I could compare it, and if ends with .js or any other file i wish to prevent typed-in access, i redirect to an error page. If the request for the file came from the browser or the server, no action is taken.

This means i can't prevent typed-in access to .js .css .txt or image files that will be used by the browser?

the referrer header tells you the page the user came from. in other words, the page they were previously on, not the current one.

it is extremely unreliable since it is easily spoofed (just like all browser headers), and very often is simply empty because a) the user didn't visit anything before your page; or b) more likely, their browser/security software is configured not to send any referrers, for privacy/security reasons.

for future reference, if you're writing anything that does anything at all, never rely on anything the user sends to you.

you can prevent type-in access to the files, but it's pointless since you will eventually be sending the whole content to the user anyways. say, for example, you put all your files in a directory that's forbidden to the public, and have a php script which reads the files and serves it back if a certain variable exists, and you set the variable in the index file. this way you've effectively prevented type-in access in the strict sense, but the php script is still giving the user an exact copy of the file. this is useful in some circumstances, but not very many, and it certainly won't protect the contents of your files. anything that you have to send to the user, can't be protected.

  On 31/05/2010 at 21:38, andressito said:

I can protect a folder or have a login check to a page, but I can't protect .js or image files from direct download, just hotlinks?

hotlink "protection" also relies on referrer headers, it's much more trouble than it's worth.

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • That makes no sense. Of course the average user knows that Edge exists, because it's built into Windows as standard. Hence the normie joke about it just being a downloader for Chrome. People use Chrome because Google have spent the past 15+ years aggressively ramming it down people's throats through massive advertising campaigns, both on their own services and beyond. It's become just the standard internet browser and the average person doesn't care enough about the minutiae of browser differences to switch. Mozilla and Firefox simply cannot compete with Google and Microsoft when it comes to getting Firefox's name out there. They don't have a platform like Google's network of websites or Windows to constantly push adoption. The idea that people pick a browser based on milliseconds of page loading time that's imperceptible outside of a benchmark is nonsense.
    • Microsoft Weekly: useful PowerToys modules, Microsoft Store updates, and video gen in Bing by Taras Buria This week's news recap is here, bringing you the latest stories from the Microsoft world, including useful PowerToys modules, fresh Windows 11 preview builds, AI video generation in Bing, Office updates, gaming news, and more. Quick links: Windows 10 and 11 Windows Insider Program Updates are available Gaming news Great deals to check Windows 11 and Windows 10 Here, we talk about everything happening around Microsoft's latest operating system in the Stable channel and preview builds: new features, removed features, controversies, bugs, interesting findings, and more. And, of course, you may find a word or two about older versions. This week's Windows 11 section kicks off with some stats. StatCounter published its monthly report, showing that Windows 11 slowed its climb a little bit in May 2025. On the gaming side, however, things are much better, with Windows 11 occupying the majority of PCs on Steam. Now, here are some Windows updates you might have missed. Windows 11 versions 23H2 and 22H2 received KB5062170, a small emergency patch that resolved errors when installing recent updates. The patch is available only through the Microsoft Update Catalog, and the company recommends installing it only if your system experiences the 0xc0000098 code when installing the May 2025 security update. Finally, Microsoft released a new Defender update for Windows 11 and 10 installations, fresh recovery updates, and a script for recovering the inetpub folder, which showed up unannounced on systems in April. As Windows 10 is getting closer to the end of support, more companies are urging users to switch. AMD, Dell, and ASUS all urge users to prepare for the "mandatory Windows 11 upgrade," while other companies shamelessly poach Windows 10 users, luring them to Linux. To finish this week's Windows section, here is an ancient CD-burning app that made a surprising 64-bit comeback and now works on modern operating systems, including Windows 11. Windows Insider Program Here is what Microsoft released for Windows Insiders this week: Builds Canary Channel Build 27871 This week's Canary build introduced Start menu improvements (more Phone Link features), small taskbar tweaks, and a long list of various fixes to improve different parts of the operating system. Dev Channel Build 26200.5622 (KB5058512) This build brought new Click to Do features, a dedicated Settings section for Quick Machine recovery, improved Windows Widgets, a new spec card for the Settings app, and a few fixes here and there. Build 26200.5622 also contains a new "Your Device Info" card on the Settings Home page, which makes it easier to find your computer's specs with fewer clicks. Beta Channel Build 26120.4230 (KB5058506) This one is almost identical to build 26200.5622 from the Dev Channel. Release Preview Channel Nothing in the Release Preview Channel this week Besides new builds, Microsoft announced a new update for the Windows Photos app, which is now available to Windows Insiders in all channels. The update introduces AI-powered light controls (Relight), which let you place and control up to three light sources on your photo, and AI-powered search with natural language support. Updates are available This section covers software, firmware, and other notable updates (released and coming soon) from Microsoft and third parties, delivering new features, security fixes, improvements, patches, and more. Microsoft announced a batch of new features for the Microsoft Store. The app is getting an improved Home page with personalized recommendations based on your recent activities, region, and deals. Search now considers additional information when ranking apps in the results, and a Copilot button lets you ask AI about a certain app. Microsoft also brags about significant performance improvements under the hood. This week, we had plenty of various Office updates. Microsoft 365, for one, is getting significant changes to its update channels beginning July 2025. Rollback support will be expanded to two months, the Semi-Annual Enterprise Channel (Preview) is being deprecated, and the Semi-Annual Enterprise Channel will be supported for eight months instead of the current 14. Microsoft also announced the general availability of the new Message Trace in the Exchange Admin Center in Exchange Online, some big updates for the new Outlook for Windows in the June 2025 update, and acknowledged a few issues with Outlook after a recent Calendar feature upgrade. Teams is also getting a "major" change for third-party app settings, and Word is getting SharePoint eSignature support. Bing received a surprising update this week. OpenAI's Sora video generator is now available for free in Bing Video Creator. Now, you do not have to pay for an OpenAI subscription to generate short videos using AI. Way to boost Bing stats, Microsoft! PowerToys Run, a useful and convenient launcher for Windows 10 and 11, recently received three new third-party modules that let you test your internet speed, download videos from hundreds of websites, and check out word definitions, usage, synonyms, and more. Microsoft announced some long-requested changes for Microsoft Edge, but only for those living in the EEA region. Windows will no longer annoy you with setting Edge as your default browser, and Windows Widgets will respect your default browser. Also, Microsoft will let you uninstall the Microsoft Store app, and Windows Search will be able to use other search providers. Speaking of browsers, Microsoft published a blog post that explained why Edge is a faster and smarter alternative to Chrome. If you are picking between the two, the article might help you make the choice (Google has an answer to that with its own article explaining that Chrome is now faster than ever). Also, the company released Edge 138 in the Beta Channel, bringing some important changes and new features, such as a new (sort of new) media control center, AI-powered history search, and more. Here are other updates and releases you may find interesting: Microsoft expanded LinkedIn's CEO role to manage Office apps. Microsoft announced the general availability of two new reasoning AI agents: Research and Analyst. Microsoft and Crowdstrike announced a partnership on threat actor naming. Microsoft will invest $400 million in Switzerland to bolster cloud and AI infrastructure. The annual Build conference is moving away from Seattle. Here are the latest drivers and firmware updates released this week: Intel 32.0.101.6876 non-WHQL with support for four new games and a single fix for intermittent display artifacts. Nvidia 576.66 Hotfix with patches for FC 25 crashes, video bugs in browsers, and more. In addition to that, Nvidia released a new version of the Nvidia App, which introduced a light theme (and automatic theme switching), support for more games, and some bug fixes. AMD Software Pro Edition 25 Q2 with support for Windows Server 2025, new Ryzen processors, and a few fixes. AMD Radeon Software 25.6.1 with the RX 9060 XT support and FSR 4 support for more games. On the gaming side Learn about upcoming game releases, Xbox rumors, new hardware, software updates, freebies, deals, discounts, and more. Hello Games continues relentlessly improving No Man's Sky. The game's latest update, "Beacon," was announced this week. It offers space explorers overhauled settlements, player overseer duties, and much more. The update is now available on all supported platforms, including Nintendo Switch 2. The Witcher 4 from CD Projekt RED might be a few years away. Still, at the State of Unreal 2025 keynote, the developers revealed a tech demo showcasing the capabilities of Unreal Engine 5 on the base PlayStation 5, which managed to pull it off at a solid 60 FPS. Nvidia announced new games that are now available in the GeForce NOW cloud streaming service (you have to own them to play them). The latest drop is a massive one: 25 new games, including FBC: Firebreak, Dune: Awakening, 7 Days to Die, DREADZONE, and more. Game Pass is also getting new games, and the first drop in June is also a pretty big one. You will soon get access to Kingdom: Two Crowns, EA Sports FC 25, FBC: Firebreak, Crash Bandicoot 4: It's About Time, The Alters, and more. Some games are leaving the service, so check out the full list here. Xbox Games Showcase 2025 is happening today. With the show kicking off in just a few hours, check out our recap of what to expect at the show and how to watch it. On the hardware side, we have a new Xbox Storage Expansion Card from Seagate. At a whopping $429.99 price tag, the new card offers an immense amount of space for your games, doubling that of the previously biggest expansion card. Now, you can get an Xbox Storage Expansion Card with 4TB. By the way, it costs as much as the 1TB Xbox Series S. Deals and freebies If you are looking for some new games at lower prices, check out this week's Weekend PC Game Deals, which covers multiple specials and discounts, including some freebies, such as Deathloop from the Epic Games Store. Other gaming news includes the following: Ubisoft is skipping its Forward game showcase for the first time since 2020. Valve released a new beta version of Steam for Linux to address sluggish update installations. Elden Ring Nighteign received its first update with reduced difficulty for solo runs. The Expanse TV show is getting a narrative-driven sci-fi action RPG. Black Myth: Wukong is coming to Xbox in August. Atomic Heart is getting a sequel and an MMO RPG spin-off. Great deals to check Every week, we cover many deals on different hardware and software. The following discounts are still available, so check them out. You might find something you want or need. Crucial X10 8TB Portable SSD - $439.99 | 44% off Apple 2025 MacBook Air 13-inch Laptop with M4 chip - $849 | 15% off 4TB WD_BLACK SN7100 PCIe Gen4 Solid-State Drive - $249.99 | 16% off SAMSUNG Q-Series Soundbar HW-Q900F - $997.99 | 29% off KEF Q Concerto Meta Three-Way Bookshelf Speaker - $1,199.99 | 14% off This link will take you to other issues of the Microsoft Weekly series. You can also support Neowin by registering a free member account or subscribing for extra member benefits, along with an ad-free tier option.
    • No, they aren't because they don't do with that online advertising, they sell with that "spots" in their store. Apple is not an online advertising company. The business model of Microsoft ads is exactly the same with Google ads. They both are ad companies which do online advertising and make though their sites user profiling. Just because Microsoft never managed to be as successful as Google in that business that doesn't mean they are not exactly what Google is. An online advertising company. Both Google, Microsoft and Amazon are online advertising companies. Apple isn't.
    • I'm lost without clippy.
    • Read the books, watched the show. Wish they'd continue the show.
  • Recent Achievements

    • Week One Done
      LunaFerret earned a badge
      Week One Done
    • Week One Done
      Ricky Chan earned a badge
      Week One Done
    • Week One Done
      maimutza earned a badge
      Week One Done
    • Week One Done
      abortretryfail earned a badge
      Week One Done
    • First Post
      Mr bot earned a badge
      First Post
  • Popular Contributors

    1. 1
      +primortal
      483
    2. 2
      +FloatingFatMan
      262
    3. 3
      snowy owl
      240
    4. 4
      ATLien_0
      227
    5. 5
      Edouard
      185
  • Tell a friend

    Love Neowin? Tell a friend!