Files on server security

This has been bothering me for a while, How to stop the ability to access files on the public HTML eg: url/images, url/assets, url.css . Hope I am explaining ok, do not want visitors to enter url followed by either /images, /assets , /css and view these complete files.

Well, you didn’t say all that now . . .

Well it didn’t sound like the OP was running their own server :slight_smile:


My 1st method will work for all web servers, the 2nd method should (depends on your host) work if you’ve got Apache based hosting.


Hi guys,
Thanks for your help, i want to be able to lock out the the folders housing my assets, images, css, js, menu and any other folder used to store files or documents, and only allowing access via a link for a particular image and not have the situation where they can input url\image and view the complete folder. ‘Trying hard to explain properly’:frowning: . eg link to url\image\photo1.jpg is ok but url\image to view the complete contents of the folder is not ok.

The webhost i use, runs a Linux server

Ok, you want to turn off directory browsing. Not sure what you are running on and how to fix . . .

But you want people to see/use those files on your website right?
If so, you need to check the HTTP_REFERER in a .htaccess file and deny access if the referrer is not your website.
A tutorial is here:

Note: since HTTP_REFERER can be spoofed by users this method is not 100% foolproof, but it’ll work in the majority of cases.

^^^Not exactly. Wouldn’t work on IIS out of the box as index.html isn’t in the default documents list. Ok, it might be there on 7 or 7.5, haven’t looked yet . . .

Not out of the box no, but I’d wager 90%+ of hosts using IIS have it in there to prevent support tickets asking why it doesn’t work :slight_smile:


Do you mean you don’t want them to be able to directly link to the files? Or that you don’t want them to see a list of them when they go to /images for example?

If the latter then there are two options:

  1. Create an empty index.html in the directory


  1. If you’re running Apache, create a .htaccess file in the folder (or even in the root of your website to apply to all sub folders) with the following in it:

Options -Indexes