I have my .htaccess file, and I have a folder with config files in there, and they contain sensitive content, e.g. database details etc. What I would like to know is, how can I block access from a browser, but allow them to be accessed via my scripts?

I know that this can be achieved inside the PHP files themselves, but I’d rather use the .htaccess approach where possible.

Is this actually able to be done? I’ve attempted it before, but in the process of denying access to the file from the browser, it also denied access from the coding.

I have looked into this before, and some of the answers I came across suggested changing the extension to something like .inc, and then denying access to that. However, a couple of issues I have with that is that a) It instantly alerts anyone that can see that filename, for whatever reason, that it is a config file. Also, b) If my denial code breaks, browsers will not parse it as a PHP file, but rather an inc file, meaning it will print the code in the browser.

Basically, can this be done within a .htaccess file, or do I need to put something in the header of every config file?