Home/ Questions/Q 8833653
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T08:49:54+00:00

How can I redirect via .htaccess file, that only the index.html can be accessed

  • 0

How can I redirect via .htaccess file, that only the index.html can be accessed via URL.
I already got this:

RewriteEngine on
RewriteBase /
Options +FollowSymlinks

RewriteRule ^/?login/?$ /php/login.php [NC,R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.html [L,QSA]

It works fine if somebody types in for example “www.mypage.com/skd/lasnd”
but if somebody types in a file which exists on the webserver, e.g. “www.mypage.com/php/login.php”, he will be redirected to that page. How to forbid that?

To be more exact: my JavaScript & PHP scripts should be still allowed to access to every file on my webserver.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    These lines:

    RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

    are conditions “if REQUEST_FILENAME is NOT a file, if REQUEST_FILENAME is not a directory” and if both are met then RewriteRule is taking place. This is usually to allow “friendly urls” to work and at the same time to not rewrite any images, css etc. You can block access to files with many ways, but you have to take care to not block too much (like said images etc). The simplest approach would be to put your files in subdirectory and add another .htaccess file in that directory with line

    Deny From All

    This will make httpd reny any request to whatever is in that directory and subdirectories (unless another .htaccess overwrite these rules) while your scripts will be able to access them without a problem.

    I strongly recommend do read mod_rewrite docs

    EDIT

    There’s no “my javascript” and “their javascript”. There’s request and that’s all you can tell for sure. You cannot tell which access yours and which is not. “i only want to deny request via typing in the browser adress line” – you can’t tell that either. You theoretically could check REFERER, and if there’s none set then assume it’s direct hit, but REFERER comes from browser so it can be faked as well. And I personally block all REFERERS by default, so all my requests are w/o any REFERER even these not direct. You could try cookies, but again – these can be be grabbed by script and sent back too. The only real option is to Deny from all to these files and “tunel” them thru some sort of script (i.e. PHP) that would do i.e. file() on target file only if user authenticated himself previously using login and password. Any other attempts are broken from the start.

    • 0