Restrict access to script and images

hi all

I want to restrict access to users from my images and scripts folders, so that they cannot write the full path in the browser and access and save my images and script files.

I am writing in my htaccess file in the images and scripts folders


Order Deny,Allow
Deny from all

This code restricts access completely. This code does not allow my own site to view images, meaning that with this code I am not able to view images and apply scripts in my own site.

How can I make images and scripts appear in my website but restrict direct access by any user typing the direct path and saving it?

vineet

if you block others in the htaccess, you are blocking all.

if you use cpanel, you should have hot link protection in there. Use that so people can’t link to your images remotely.

If you don’t want people to browse your folder, simply put a blank index.html file in there and that will solve the browsing problem. People will have to know the exact address in order to see the file.

I don’t fully understand why you would have this information on your server, if you don’t want anyone to see it, so you should establish what really needs to be on your server, and what does not.

To stop hotlinking of your images from other sites and display a replacement image called nohotlink.jpg ( for example) placed in your images directory, place this code in your .htaccess file inside your public_html:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Replace mysite with your domain name; this would prevent images from being copied.

hi lavico

Actually, my scripts folder contains some paid scripts.

That's why he doesn't want to give open access to anybody.

Like any external JavaScript file, it works only if we write the path of that JavaScript file in the head tag.

If an outsider knows the path of the script, he can easily use it.

vineet

All anyone has to do is to load a page from your site and then download the scripts and images. If you block them from being able to do that then you block your page from being able to use them as well.

I spent a long time looking for help on this and seem to have found a very good solution. I know this is an old thread, but hope what I’ve found will be helpful.

In searching for a way to restrict direct access to images on a website (ie. typing in the URL for the image in the browser address bar and showing the picture in the browser), while allowing my own pages access to the images for displaying, I’ve found the following:

  1. while cracking a site by uploading an image with embedded code seems less likely, it does happen. One of my sites was cracked this way. So restricting direct access to images is important (not everybody seems to realize that file uploads can pose a serious security risk). This document seems to have most of the bases covered when uploading files to a website safely: http://www.scanit.be/uploads/php-file-upload.pdf – restricting direct access to images seems to be the toughest part of the game.

  2. uploading images to a folder outside the public_html folder restricts access completely. Couldn’t find a way to allow my own pages to display those images.

  3. while many people seemed to have the answer by using .htaccess file in the root directory, when I applied their code and substituted my domain in their code, it never worked. Some people on the web insisted this was an impossible solution.

  4. one person on some forum suggested going into the cpanel and running the “Hotlink Protection”. I did this and found that the cpanel merely added some code (and quite adeptly) to my root .htaccess file. Code looks rather similar to what many others are showing, but actually works on my site where theirs didn’t.

  5. While I’ve included my version of the code below, you may need to take the route I did and use “Hotlink Protection” from the CPanel to get this to go on your own hosting service.

# The following code was added by the cpanel when setting "Hotlink Protection".
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://your_domain.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://your_domain.com/no_access.php [R,NC]

  6. The last line that includes “no_access.php” is the redirect when someone tries to “hotlink” to an image on your site, or when someone types in the direct URL to an image on your site into the address bar. Mine just says, “You can’t do this!”.

Now when someone tries to “Hotlink” to an image on my site, or types the path to an image into the browser, they can’t do it… but my own pages are able to serve up the images.

Hope this helps.

# The following code was added by the cpanel when setting "Hotlink Protection".
RewriteCond %{HTTP_REFERER} !^http://your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://your_domain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.your_domain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ http://your_domain.com/no_access.php [R,NC]

That looks awfully redundant. You don’t need no 6 stinkin lines : )

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_?domain\.com/.*$ [NC]
RewriteRule \.(jpe?g|gif|png|bmp)$ http://your_domain.com/no_access.php [R=301,L]

bmp? : )

Instead of a line for maybe www, just make it optional. If you really don’t know if your domain has a _ in it, then you’re prolly in trouble for other reasons : ) but let’s say you own both then you can add a possible _? as well.
You don’t need NC in your rewrite rule: you should have set a specific case for your file system (esp Linux!) so leave NC for the actual domain.

Set a type of redirect. 302 is the default if you don’t state it, so make it 301 permanent.

You can use REMOTE_ADDR in your RewriteCond to set that the files can only be reached by your IP. Find a post by dklynn and in his sig he has a rewrite tut that shows all of those.

(though it didn’t look like vineet wanted to stop hotlinking)

Yes, and if Apache can’t find index.html somewhere, you should also have
Options -Indexes
set as well (mod_autoindex).
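
As an added example (not code from any poster in this thread), the Python sketch below evaluates the two Referer rule sets quoted above against constructed Referer values. It shows that they differ on an empty Referer, that neither accepts an https:// referer from the same site, and that dropping [NC] from the rule leaves upper-case extensions unmatched. The names are hypothetical and Python's `re` stands in for Apache's regex matching.

```python
import re

# Negated RewriteCond patterns from the thread. The conditions are ANDed, so
# the RewriteRule fires only when the Referer matches NONE of them.
RULESETS = {
    "cpanel": {
        "conds": [r"^http://your_domain.com/.*$", r"^http://your_domain.com$",
                  r"^http://www.your_domain.com/.*$", r"^http://www.your_domain.com$"],
        "rule": re.compile(r".*\.(jpg|jpeg|gif|png|bmp)$", re.IGNORECASE),  # [NC]
    },
    "compact": {
        "conds": [r"^$", r"^http://(www\.)?your_?domain\.com/.*$"],
        "rule": re.compile(r"\.(jpe?g|gif|png|bmp)$"),  # no [NC] on the rule
    },
}

# Constructed sample values; an absent Referer header expands to "".
SAMPLE_REFERERS = [
    "",                                      # URL typed into the address bar
    "http://your_domain.com/gallery.html",   # own page, bare domain
    "http://www.your_domain.com/",           # own page, www host
    "https://your_domain.com/gallery.html",  # own page served over TLS
    "http://other.example/page.html",        # third-party page
]

def is_redirected(ruleset, referer, path):
    """True if the request for `path` would be sent to no_access.php."""
    rs = RULESETS[ruleset]
    if not rs["rule"].search(path):          # RewriteRule pattern is unanchored
        return False
    # Every RewriteCond carries [NC]; a "!pattern" cond holds when no match.
    return not any(re.search(p, referer, re.IGNORECASE) for p in rs["conds"])

def compare(path="images/photo.jpg"):
    """Map each sample Referer to (cpanel_redirects, compact_redirects)."""
    return {ref: (is_redirected("cpanel", ref, path),
                  is_redirected("compact", ref, path))
            for ref in SAMPLE_REFERERS}

if __name__ == "__main__":
    for ref, (cp, co) in compare().items():
        print(f"{ref or '(empty)':40} cpanel={cp!s:5} compact={co}")
```

The empty-Referer row is the one that matters for the original question: the cPanel rules redirect a typed URL, while the compact version's `!^$` condition lets it through.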

Sp,

:tup:

It wasn’t worth my whining about the four statements when only one was necessary (I do too much of that “pedantic ranting” as it is) but that was the FIRST thing that came to mind when I saw his code. Thanks for your post - spot on!

Regards,

DK