Htaccess: Allow only gif, jpg and png images


Is there a .htaccess to allow only image/jpeg, image/gif and image/png to be loaded/executed/viewed? I’d like to not go by the extension (as that could be forged) by the actual type/handler or whatever it should be called.

I need to completely secure a directory so php files could in no way be parsed (even if they call it something.jpg and it’s php!).

Hope you understand what I mean,


A PHP file can be executed in your server only if it has a .php extension (maybe .php3 too).
So in case you are calling a php script as:
when the browser will ak for pippo.gif he will receive a normal text file instead.
It won’t executed in your local server at all,
so don’t worry…
The type/handler is related to the extension…



oh okay, i’m just wondering if there is anyway to stop it (just incase someone does happen to get this .php file on the server)?


yup, there is, and i can tell you what it is for $5

One way to do it is this:


# If the URI is an image then we allow accesses
SetEnvIfNoCase Request_URI "\\.(gif|jpe?g|png|bmp)$" let_me_in

Order Deny,Allow
Deny from All
# Allow accesses only if an images was requested
Allow from env=let_me_in

:slight_smile: Andrea

Perfect thanks Andrea.

Hi again,

How would I go about preventing people from hotlinking except if it’s a direct request or the referrer is from (*.) (please notice the wildcard).


I didn’t see you posted another question.

This evening I’ll elaborate a solution for you,
sorry again :smiley:

Would this do the trick?

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://**$ [NC]
RewriteRule .*\\.(gif|jpe?g|png|bmp)$     -            [F]