Restrict Downloading of Files by Extension
Published November 28th, 2008
Problem Statement
Often Web developers forget to delete .old, .bak and .sql files when putting files on production servers. This can have serious security implications: a file called database.conf.php.old can easily be viewed in a Web browser at http://server/path/to/database.conf.php.old, as it is not processed by Apache as a PHP script because of the
Disallowing file browsing/downloading for a given extension
In your virtual host configuration file or .htaccess file add:
<FilesMatch "\.(sql|bak|old)$">
Order allow,deny
Deny from all
</FilesMatch>
This tells Apache not to allow downloading of files with .sql, .bak or .old extensions.
Disallowing files that have a leading dot (period) in the name
In Linux and other Unix environments, files with a leading period are so-called hidden files. They often contain history, commands and settings that are not meant to be shared with the public. Set up your Apache Web server configuration as follows to disable browsing or downloading of these files:
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
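Two points worth checking before relying on the rules above. First, FilesMatch tests only the file's basename, so the same regex behaves identically for a file in the document root and one in a subdirectory. Second, the Order/Deny directives are the Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native equivalent is Require all denied inside the same FilesMatch block. The script below is an added example, not part of the original post: it applies the post's two patterns to basenames exactly as Apache would, and walks a document root to list leftover files before deployment, which is the better fix since the files then never reach the server at all. The EXTRA_PATTERNS list (editor backups such as config.php~, .orig, .swp) is my own assumption about other common leftovers; it is there to show that the post's patterns do not catch everything.

```python
import os
import re
import tempfile

# The two FilesMatch patterns from the post, applied to the basename
# only, which is what Apache's FilesMatch does.
PAGE_PATTERNS = [
    re.compile(r"\.(sql|bak|old)$"),
    re.compile(r"^\."),
]

# Assumed extension of the list (not from the post): other common
# editor and backup leftovers that the post's two patterns would miss.
EXTRA_PATTERNS = [
    re.compile(r"~$"),                    # Emacs/vi backup: config.php~
    re.compile(r"\.(orig|rej|swp|tmp)$"),  # patch/editor leftovers
]


def is_blocked(filename, patterns=PAGE_PATTERNS):
    """True if a FilesMatch with these patterns would deny this file name."""
    name = os.path.basename(filename)
    return any(p.search(name) for p in patterns)


def audit_docroot(docroot, patterns=PAGE_PATTERNS + EXTRA_PATTERNS):
    """Walk a document root and return relative paths of files matching
    any leak-prone pattern, so they can be removed before deployment."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for fn in filenames:
            if any(p.search(fn) for p in patterns):
                found.append(os.path.relpath(os.path.join(dirpath, fn), docroot))
    return sorted(found)


def demo():
    """Build a constructed sample document root and audit it."""
    sample = [
        "index.php",
        "database.conf.php",
        "database.conf.php.old",   # the post's example leak
        "dump.sql",
        ".htpasswd",
        "inc/config.php~",         # missed by the post's patterns
        "inc/config.php.bak",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return audit_docroot(root)


if __name__ == "__main__":
    for leftover in demo():
        print("leftover:", leftover)
```

Run it against a real document root with audit_docroot("/var/www/html") (path is an example) as a pre-deployment check; anything it prints should be deleted rather than left for the FilesMatch rule to hide.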
liz on December 3, 2008
Have gone through this.