A RewriteRule in htaccess problem


I am setting up my .htaccess file and I need the web server to serve only the file requests coming from the code, not requests made by entering file names in the URL.

So, I have searched a lot and found several ways, the most comfortable way is the following:

RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
RewriteRule \.(jpg|svg|png|htaccess?)$ - [F]

A quick note: the first line checks whether the request is coming from the host itself; if not, the requested URL was typed into the address bar. The second line is executed only if the condition in the first line is TRUE, and forbids access to files with the extensions .jpg, .svg, etc.

Now, I have two problems:

  1. When I type the path to the .htaccess file in the address bar, it deactivates my SSL on the website and marks my application as dangerous rather than blocking my request.

  2. Files with the extensions mentioned in the RewriteRule will NOT be blocked on the first request (i.e. if I request a file for the first time, the rule will not take effect and the web server will serve it and display its content; if I request it again, the web server will block access to it. This happens every time I hard reset the cache. This means I or anyone else can always access the files listed above as long as the cache is cleared before the request).

With my friend’s hosting provider (not InfinityFree), the same two lines I put in .htaccess are executed perfectly from the first request and block the content, so clearing the cache is useless and cannot be used to get around the block on these files.

To sum up, I do not want my files to be accessible by typing their paths in the address bar, but I do want my application to access these files from requests written in the code.

Thank you, and I wish you a great day.

For the SSL problem, try changing both “HTTP” to “HTTPS”. For the other, .htaccess is way too confusing for me to figure out. If you could provide a domain, that would help out as well.

Sorry, but my question is not about HTTP or HTTPS at all, I already set that by the following lines:
RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Thanks anyway, but my problem is regarding the URL redirection.

Are those lines after the redirection ones? If not, your redirection rules are probably moving the site back to HTTP. Try changing the HTTP to HTTPS.

No, the redirection rules are first, then the HTTPS rules next. Now let me try to remove everything from .htaccess except the redirection rule and I will respond soon.

I removed everything from .htaccess except the redirection rules but the problem still exists. I made a short video that illustrates my original problem, and I think this is a web server issue. I hope Admin sees my post and replies.

Note: some information is hidden because the application is in the development phase and not ready to be published. Thank you for your understanding.

.htaccess rules are evaluated from top to bottom. So maybe you want to move the HTTPS rules to the top of the file.

We have a security system that checks whether the request is coming from a regular web browser. This article explains it in more detail:

One of the things it does is intercept the first request, do the challenge and then redirect the visitor back to your website. This means that on the first request, the Referrer will show your own website.

This is why the first request does allow access.

Unfortunately, there isn’t really a way to work around this.

I don’t quite understand why you’re doing this though. Please note that the Referrer header is sent by the browser, so it’s easily manipulated. It’s not useful for security to rely on rules like that.

I don’t understand why this system checks a specific condition and, if the condition is FALSE, evaluates it as TRUE the first time!

The problem is that any visitor who visits my website and types any file name in the address bar will be shown the content of the file by the web server. Where is the security system in this point?
In contrast, this is a vulnerability because the challenge done on the web server will fail at least one time!
If the challenge is something like for example doWhile, in my view it’s preferable to use whileDo.

The condition checks for the Referrer header. The first time the request hits your actual site, the request IS coming from your domain, because it was just redirected by our security system.

There is no security system there because you can’t secure against that. A client either has access to a URL or not. And if you want to embed a link in your site, you have to give the client access to that link.

Like I said before:

Please note that the Referrer header is sent by the browser, so it’s easily manipulated. It’s not useful for security to rely on rules like that.

Blocking access based on the Referrer header is script kiddie level security. It’s the level of blocking the right mouse button with Javascript to prevent someone doing View Source in their browser, and about as easy to bypass. It adds zero value and can be bypassed in minutes by anyone who has the slightest clue about how HTTP or a web browser works.

Go on any big site, and view their assets. Here is a direct link to the Google Search logo: link. You can just view their code in your browser without restriction. But you may think: these are big companies, they need to protect your assets! But they know that showing an image on a website inherently requires giving clients the ability to download the image, so any attempt to restrict that is pointless, because any method which actually works would also break the site the asset needs to be embedded on.
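
As an added illustration (not code from any poster in this thread), the sketch below emulates the two directives from the first post with Python's `re` module to show that the decision rests entirely on two request headers. The host `example.test`, the paths, and the Referer value assumed for the challenge redirect are constructed for the example.

```python
import re

# The two patterns from the first post. Apache matches RewriteCond and
# RewriteRule patterns unanchored, which corresponds to re.search here.
COND = re.compile(r"^([^@]*)@@https?://\1/.*")
RULE = re.compile(r"\.(jpg|svg|png|htaccess?)$")


def is_forbidden(host, referer, path):
    """Return True when the rule pair would answer 403 for this request."""
    # TestString of the RewriteCond: %{HTTP_HOST}@@%{HTTP_REFERER}
    test_string = f"{host}@@{referer or ''}"
    # The leading "!" in the directive negates the match.
    cond_true = COND.search(test_string) is None
    return cond_true and RULE.search(path) is not None


# Constructed sample requests: (label, Host header, Referer header, path).
SAMPLES = [
    ("typed into the address bar", "example.test", None, "img/logo.png"),
    ("embedded in the site's own page", "example.test",
     "https://example.test/index.php", "img/logo.png"),
    # Assumed shape of the request that arrives after the host's challenge
    # redirect, based on the admin's description that the Referer is the site.
    ("first request after the challenge redirect", "example.test",
     "https://example.test/img/logo.png", "img/logo.png"),
    ("embedded on another site", "example.test",
     "https://other.test/page", "img/logo.png"),
    ("extension not listed in the rule", "example.test", None, "index.php"),
]


def evaluate(samples=SAMPLES):
    """Map each sample label to the emulated allow/deny outcome."""
    return {label: is_forbidden(h, r, p) for label, h, r, p in samples}


if __name__ == "__main__":
    for label, forbidden in evaluate().items():
        print(f"{'403' if forbidden else '200'}  {label}")
```

The server cannot tell the second and third cases apart, and any client that sends a Referer naming the host lands in the same branch, which is why the rule behaves as a hotlink filter and not as access control.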