Home/ Questions/Q 8524463
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T07:41:37+00:00

I have a file that I don’t want to be accessed by anyone except

  • 0

I have a file that I don’t want to be accessed by anyone except my own server (by php request). I am using the following in my .htaccess:

<Files myfile.xml>
    Order Deny,Allow
    Deny from all
    Allow from localhost
</Files>

But was wondering, how secure is this? Is there anyway that someone might be able to get around this and get to the file directly?
In my php file I have:

simplexml_load_file("myfile.xml")

To get the data and also am using

if(isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest')

So no one can access that file directly (only by Ajax)
What do you guys think about using this method?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Since you’re directly naming a file, it’s only secure if myfile.xml is the ONLY way to get at that file. If someone has shell level access to your server, and can create a hardlink to that file using a different name, e.g. ln myfile.xml heehee.txt, then they’ll be able to get the file’s contents vi heehee.txt, because they’re not getting at it via the ‘myfile.xml’.

    Best practice is to keep files outside of the document root entirely. This doesn’t stop the symlink/hardlink attacks, but it does keep certain bypass attacks at bay.

    • 0