We have a config.inc file in our website that opens directly in the browser window. It has some credentials written in that config.inc file. How can we prevent it from opening in the browser?
E.g. www.example.com/config/config.inc
Output:
<?php
some credentials
?>
Any suggestions?
1. Put it outside of your web root (RECOMMENDED)
2. Use htaccess to block .inc files
3. Put a quick check at the top of the file that checks for a variable. If that variable isn’t set then you know it is being pulled up directly and should exit immediately:
4. Add a php extension to the file name so it is parsed as PHP or tell Apache to parse .inc files as PHP
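
An added example, not part of the answer above: option 2 written as an `.htaccess` file for the directory holding config.inc, with option 4 shown commented out as the alternative. It assumes the server's `AllowOverride` setting permits these directives and, for the commented part, that PHP runs as mod_php with the `application/x-httpd-php` handler; adjust the handler to your own setup.

```apache
# .htaccess placed in the directory that holds config.inc
# (constructed example; the path /config/ comes from the question)

# Option 2: refuse every HTTP request for files ending in .inc.
# PHP can still include the file from disk; only web access is blocked.
<FilesMatch "\.inc$">
    # Apache 2.4 and later (mod_authz_core present)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_core absent)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Option 4 alternative: let PHP execute .inc files so the source is
# never sent as plain text. Assumes mod_php; FPM or CGI setups use a
# different handler. Leave disabled if the deny rule above is in use.
# <FilesMatch "\.inc$">
#     SetHandler application/x-httpd-php
# </FilesMatch>
```

If `.htaccess` files are ignored (`AllowOverride None`), the same `<FilesMatch>` block has to go in the virtual host configuration instead. After the change, a request for www.example.com/config/config.inc should return 403 rather than the file's contents.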