Stop visitors downloading files

Gandalf · March 4, 2025, 10:18am

I want to stop anyone from downloading certain file types from my site. I can deny access to one file type using

<Files "*.sqlite">
  Order Allow,Deny
  Deny from All
</Files>

but how do I disallow downloading of other types as well?

James_Hibbard · March 4, 2025, 11:23am

I’m not sure this is the best solution, but one option would be to block all file downloads except specific allowed types. For example (using Apache 2.4+ syntax):

<FilesMatch ".*">
  Require all denied
</FilesMatch>

<FilesMatch "\.(html|css|js|jpg|png|gif)$">
  Require all granted
</FilesMatch>

This blocks everything by default and only allows access to .html, .css, .js, .jpg, .png, and .gif files.

rpkamp · March 4, 2025, 4:49pm

Why are those files on the server in the webroot if they are not meant to be downloaded?

I would advise to put those files somewhere else on the server that’s not in the webroot of the website. Or if that is not possible create a private folder, stuff al private things in there and then deny full access to that folder.

Topic		Replies	Views
Apache disallow execution of two or more file types Server Config	1	600	October 8, 2014
Allow only certain extensions Server Config	4	552	September 7, 2010
Files on server security Server Config	10	846	October 10, 2010
Restrict access to files from a certain page/directory? Server Config	20	17563	October 8, 2014
How to Prevent exe files downloading using apache Server Config	1	706	August 14, 2010

Stop visitors downloading files

Related topics