I'm trying to disable directory access, the only thing in my .htaccess file is:

Options -Indexes

However, it is blocking browser access to individual files, returning a 403.

Could it be related to the disabling of hot linking?

When you access files through a browser, you are using it "Public" permissions. So If U have disabled directory access, you cannot access files through your browser. You can use chmod 666 to deny any writing permissions to the directory & only allow read permissions.

Alternatively, You can password protect the directory. Here are the steps:

*** Do not follow the steps below if you are using FrontPage extensions on your site. Doing so will break your extensions and will keep you from publishing from Frontpage. If you are creating your content in FrontPage, we recommend you use FrontPage to password protect folders. ***

Login to the Bluehost.com Control panel
Choose "Password Protect Directories"
Click the folder icons to browse into your folders if the folder to be protected is not on the list
Click on the name of the folder to bring up the protection screen.
Check the box next to the lock icon and provide a "resource name" (you can change it later if you would like)
Click save
Click go back
Type in a username and password
Click add/modify user

Once you click Go Back, you should see your user under the list of users. Repeat the last step for any extra usernames you would like to add.

Also, any information or links under the folder you password protect will ask you for the password again.


hope this helps.

Thank you navsguardar, this helps. Although, is it possible to allow file access through the browser but prevent directory access?

I have no problem allowing a user to use a browser to get to: www.myurl.com/images/1.jpg

But do not want them to be able to view the directory at: www.myurl.com/images/

Ohh that is **** simple. Just place a blank index.html file in your directory. Thats it. In fact this is a very important practice if you do not wish to show the files in the directory & should be done to all your directories, if not required otherwise. One more thing, Do chmod 444 (read only) that index.html file to avoid any hacker writing any malicious code to the file if they ever get an access.

The easiest way to accomplish that is to just place an empty index.html file in that directory. Or index.php if that is your primary language. This is good practice for all web sites.

That way, if someone enters the path directly then they get a blank page. Since you are accessing the files directly with your script, the index.html file won't affect your site operation.

EDIT: Looks like we both posted about the same time!

Ah yes I should have thought of that. I also should have elaborated, any way to get that to return a 403 instead?

Deny using chmod directory permissions. Remove the execute permissions for all. Say like chmod 400. You can also use a custom 403 error page by putting this in your .htaccess file: ErrorDocument 403 /403page.html where 403page.html is a custom .html page you have written. The same rule applies to all 400 type errors like 404.

Sorry I am confused. chmod 400 just gives everything a 500 internal server error.

Change it back to what it was, 755 for folder, 644 for files, most likely.

If you really want a 403 out of it, then take a look at putting a redirect into the empty index.html file you have there to a non-existant path in your web site. That should generate a 403, but I can't say what it will do for normal operation. Either that or redirect back to your home page.

In any case, someone typing in the folder name trying to get a list of files will get the hint when an empty html file appears. I really think you are taking the problem to a level that isn't needed. My opinion only.

Great, thanks for the help!