Preventing public access to hidden files and special directories
This note describes how to block hidden files and special directories from being served in response to HTTP requests.
Sometimes the public document directory contains files or directories that play a supporting role and should not be accessible to the public. The server can be configured to block access to these files using the forbidden module.
Typical cases include third-party directories and hidden files. For example, metafiles used by software for the creation, versioning, and maintenance of a website are typically placed under well-known directory names, and filenames starting with a dot conventionally mark hidden files. By default, the server blocks access to neither. Deciding which files and directories are off-limits is up to the webmaster.
When properly configured, attempts to retrieve these files over HTTP fail with status code 403.
The forbidden section is used to configure file-pattern blocking. It comprises a collection of entries, where each entry is a path-pattern.
Refer to the separate note regarding Path Pattern rules.
The forbidden module must be on to be effective.
The forbidden configuration section is subordinate to the request section; it may appear in either the server section or a host section. When values occur in both the server and host sections, they are merged according to the standard merge rules.
When a file is blocked, status code 403 is returned and an rw-forbidden information header is added to the response.
file-system-chars        ::= (ALPHA | DIGIT | †)*
wildcards                ::= ASTERISK | QUESTION-MARK
path-pattern             ::= (SOLIDUS | file-system-chars | wildcards)*
delimited-path-pattern   ::= GRAVE-ACCENT path-pattern GRAVE-ACCENT
forbidden-section        ::= 'forbidden' SP LEFT-CURLY-BRACKET CR
† Legal file system characters vary by platform.
Example 1: forbidden module off
Example 2: filename or directory matching
Example 3: matching paths with trailing wildcards
Example 4: matching paths with leading wildcards
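The bodies of the four examples above are not reproduced on this page. The following Python is an added example, not the server's own code and not one of the page's original examples. It parses a forbidden section written in the shape the grammar gives, compiles each delimited path-pattern, and evaluates request paths with the module on and off, covering the filename, trailing-wildcard and leading-wildcard cases. Everything beyond the page is an assumption and is marked as such in the code: that ASTERISK matches any run of characters including SOLIDUS, that QUESTION-MARK matches exactly one character, that a pattern must match the whole request path, that the section closes with a RIGHT-CURLY-BRACKET line, that the rw-forbidden header carries the matching pattern, that the portable file-system characters are letters, digits and "._-~", and that the path is percent-decoded and dot-segment-resolved before it is matched. The sample section and request paths are constructed for this example.

```python
"""Path-pattern blocker modelled on the forbidden section described above.

Added example, not the server's own code.  Assumptions beyond what the
page states are called out in comments below.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample section in the shape the grammar gives; the closing
# RIGHT-CURLY-BRACKET line is an assumption (the grammar fragment stops
# after the opening line).
SAMPLE_SECTION = """forbidden {
    `/.git/*`
    `/node_modules/*`
    `*/.*`
    `/*.bak`
    `/package.json`
}
"""

# Assumed portable file-system characters, plus SOLIDUS and the two wildcards.
_PATTERN_CHARS = re.compile(r"[A-Za-z0-9._~\-/*?]+")


def validate_pattern(pattern: str) -> None:
    """Reject an empty pattern or one using characters outside the grammar."""
    if not pattern:
        raise ValueError("empty path-pattern")
    if not _PATTERN_CHARS.fullmatch(pattern):
        raise ValueError(f"illegal character in path-pattern: {pattern!r}")


def parse_forbidden_section(text: str) -> list[str]:
    """Return the path-patterns of a 'forbidden { ... }' section.

    Every entry must be delimited with GRAVE-ACCENTs; anything else is an
    error rather than a silently ignored line.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not re.fullmatch(r"forbidden\s*\{", lines[0]):
        raise ValueError("section must open with 'forbidden {'")
    if lines[-1] != "}":
        raise ValueError("section must close with '}'")
    patterns = []
    for entry in lines[1:-1]:
        if len(entry) < 2 or entry[0] != "`" or entry[-1] != "`":
            raise ValueError(f"path-pattern must be delimited with GRAVE-ACCENTs: {entry}")
        pattern = entry[1:-1]
        validate_pattern(pattern)
        patterns.append(pattern)
    return patterns


def compile_pattern(pattern: str) -> re.Pattern:
    """Translate a path-pattern into a regular expression (assumed semantics)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")   # ASTERISK: any run of characters, SOLIDUS included
        elif ch == "?":
            parts.append(".")    # QUESTION-MARK: exactly one character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def normalize_path(raw_path: str) -> str:
    """Canonical request path: query dropped, percent-decoded, dot segments resolved.

    Matching the canonical form (assumed here) is what keeps '/%2Egit/HEAD' or
    '/docs/../.git/HEAD' from slipping past a pattern written as '/.git/*'.
    """
    path = unquote(raw_path.split("?", 1)[0])
    path = posixpath.normpath("/" + path)
    return "/" + path.lstrip("/")


class ForbiddenConfig:
    """A parsed forbidden section plus the module's on/off switch."""

    def __init__(self, module_on: bool, section_text: str):
        self.module_on = module_on
        self.patterns = parse_forbidden_section(section_text)
        self._compiled = [(p, compile_pattern(p)) for p in self.patterns]

    def evaluate(self, raw_path: str):
        """Return (status, headers) for a request path.

        200 means the forbidden module lets the request proceed to normal
        handling; 403 carries the rw-forbidden information header, whose
        value (the matching pattern) is an assumption.  First match wins.
        """
        if not self.module_on:
            return 200, {}
        path = normalize_path(raw_path)
        for pattern, regex in self._compiled:
            if regex.fullmatch(path):
                return 403, {"rw-forbidden": pattern}
        return 200, {}


if __name__ == "__main__":
    config = ForbiddenConfig(module_on=True, section_text=SAMPLE_SECTION)
    for req in ("/index.html", "/.git/config", "/%2Egit/HEAD", "/app/.env", "/node_modules"):
        print(req, config.evaluate(req))
```

Two things worth noticing when running it. With these matching semantics a trailing-wildcard entry such as `/node_modules/*` blocks everything beneath the directory but not a request for `/node_modules` itself, so a directory that should be hidden entirely needs its own entry or a pattern without the separator before the wildcard. And the decision is made on the canonical path, so percent-encoded or dot-segment variants of a blocked name are caught; whichever server you configure, confirm it matches after decoding and normalization before trusting a pattern list.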
Key points to remember:
- Access is blocked by pattern matching; patterns may include wildcards.
- Always delimit path-patterns with GRAVE-ACCENTS.
- Patterns almost always begin with a SOLIDUS or an ASTERISK.