How to make file in my website only accessible by serverside?

Username (e.g. epiz_XXX) or Website URL

So I have this file in my htdocs, called “data.json”. The user can just go to to see everything inside. So how do I make it only accessible by serverside (ie. PHP), and when anyone else tries to go to it just says 404 or access denied?

create an .htaccess file with this content:

Require all denied

this will create 403

But first, you should move that JSON to some subfolder where the .htaccess file will be

because if you put it on root (.htaccess file)
probably some basic things from your website will not work online

if you just want to hide the contents of the folders (but it will be accessible to everyone who knows the path)
then you can use this

# Disable Directory Listings in this Directory and Subdirectories
Options -Indexes

and it is recommended !
and do that by putting the .htaccess file with this content on the root


Hi, thanks for the quick reply. I was reading this stackoverflow answer, php - Only allow script from server to access files - Stack Overflow and I am confused about two things the author said.

,,If you for some reason need one PHP script to execute another via HTTP’’


,,If you need JavaScript documents on the client side to not access these files, then this cannot reasonably be done’’

I’m a complete noob at this. What do they mean by PHP script executing another via HTTP? Isn’t everything in a PHP file done via PHP or something? Also, doesn’t doing what the author said deny all access via client side, ie. Javascript? Why does he then say that making Javascript not be able to access the denied files, impossible?

Also, what do you mean by disabling directory listings? Does it hide the directory in ftp or something? Or does it make it invisible to people who want to view the file system of my website?

Lastly, can I just do “Require (specific file) denied” and still put the file I want to hide, inside the root folder?

1 Like

That’s why I emphasized that the best solution is to put all the files you want to restrict/hide in a subfolder
so you don’t have to think a lot or constantly edit .htaccess file in case you have more files and so on

e.g. if you have a folder named “secret” and in it that .htaccess file (plus files)

whoever tries to come to your domain/secret/ will get a 403 error.

that means if, for example, you have a css folder here

if someone comes to the address of that folder
the server will show him the files that are there
and that behavior is disabled with the code I mentioned.

yes - click me

Don’t be confused by older and newer versions of code for Apache

The server is Apache 2.4+
but in most commands, it also supports older forms for previous versions

so both should work

<Files "log.txt">  
  Order Allow,Deny
  Deny from all

VS Apache 2.4

<Files "log.txt">  
  Require all denied

Can you explain to me what the author of the stackoverflow answer I linked in my previous comment meant?

HTTP = site visitors who of course use the http protocol
means they access your website through a browser by asking for the url or following your menu

PHP = serverside

And the author gave additional clarification (link to article) for order : allow and deny
which if you read, you will see that it is not the same which of these do you put first

but I don’t think you need to bother with it when you got all the answers above


So what do they mean when PHP executes another PHP script through HTTP? Shouldn’t that be impossible since HTTP is client sided and PHP is chiefly server sided?

And what do they mean by it being unreasonable for JS documents on the client side to not access files hidden via htaccess? Isn’t that the entire point of hiding files from the client with .htaccess — ie. to make it inaccessible to clientsided JS?

I am so confused here.

He probably means the menu

if you have a file called index.php (home page)
and in it the menu for the about.php page
of course index.php will call the about.php page and display it in the user’s browser
when the user clicks on a button or text link.
That would mean HTTP req !

Javascript is run on the user side
the browser has that in it (uses the user’s CPU, RAM, etc.)

PHP is executed on the server and uses server resources (CPU, RAM, etc.)
php can call other files, create new ones, can also delete them and so on.

HTML code can be seen (by browser or xy…)
while the PHP code cannot be seen, only the generated page by the server, which is then displayed to the visitor.

He corresponds to a specific request from the OP (in the initial question)
so don’t bother with it
he doesn’t talk in general terms or mention some golden rule

And please don’t turn this topic into endless questions because this is a support category
not for educating people in depth or commenting on someone’s post on some website.


This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.