How to keep safe
theoni
08-13-2009, 03:45 AM
Hello all,
I have searched for this in the forum but have found nothing, so I am starting a new thread. I wanted your opinions on which you think is the best/most professional way to keep files safe from users: placing them in a directory above root or restricting access with .htaccess, and why.
Thank you all for your answers.
svidgen
08-13-2009, 06:51 AM
Well, suppose you need to distribute your app to a server on which you do not have administrative privileges. This server allows you to have a .htaccess file, but you can't do everything you want, so your site breaks, potentially exposing those files to the public. Or, suppose someone introduces an error into the main Apache config file, accidentally disabling .htaccess. Or suppose you migrate your app to your brand new dedicated box, and simply forget to copy that file over (it's hidden from normal view, you know). Then, when you realize what you've done, having found your private files all over the net, you upload the file, only to realize several weeks later that you accidentally disabled .htaccess in your main config file.
... I think there's a decent list of possible mixups that justify not relying on .htaccess for security. In general, keeping your private data above the document root safeguards you against a great deal of possible human error events, and possibly even a good deal of possible software errors, either of which may go unnoticed until they're critically painful.
theoni
08-13-2009, 07:22 AM
I understand what you mean, svidgen; this is exactly the kind of answer I was looking for. Thank you for your time!
thewebhostingdi
08-23-2009, 01:32 AM
Hi,
You can create an .htaccess file in the folder to which you do not want to grant access and add this code to that file:
order deny,allow
deny from all
allow from 12.13.14.15
This will give access only to the IP address 12.13.14.15.
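The two approaches discussed in this thread, compared in an added example that is not code from any poster: a small audit that reports whether each private file sits outside the document root or is protected only by an .htaccess deny rule, and what happens when that file goes missing. The function names, directory layout and file contents are constructed for illustration.

```python
import os
import re
import tempfile

# Matches the blanket deny rule from the thread (2.2 syntax) or its 2.4 equivalent.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def audit_private_paths(docroot, private_paths):
    """Classify how each private path is kept away from web clients."""
    root = os.path.realpath(docroot)
    report = {}
    for path in private_paths:
        real = os.path.realpath(path)  # resolve symlinks before comparing
        if os.path.commonpath([root, real]) != root:
            report[path] = "outside-docroot"  # not mapped to any URL by default
            continue
        # Inside the docroot: walk up looking for an .htaccess with a deny rule.
        d = real if os.path.isdir(real) else os.path.dirname(real)
        status = "exposed"
        while True:
            ht = os.path.join(d, ".htaccess")
            if os.path.isfile(ht):
                with open(ht) as fh:
                    if DENY_RE.search(fh.read()):
                        status = "htaccess-only"  # holds only while Apache honours the file
                        break
            if d == root:
                break
            d = os.path.dirname(d)
        report[path] = status
    return report

def demo():
    """Build a constructed site layout, audit it, then 'forget' the .htaccess."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, "private"))
    above = os.path.join(base, "config.ini")  # above the document root
    inside = os.path.join(docroot, "private", "db.ini")
    for f in (above, inside):
        with open(f, "w") as fh:
            fh.write("password=example\n")
    ht = os.path.join(docroot, "private", ".htaccess")
    with open(ht, "w") as fh:
        fh.write("order deny,allow\ndeny from all\nallow from 12.13.14.15\n")
    before = audit_private_paths(docroot, [above, inside])
    os.remove(ht)  # the migration mistake: the hidden file was not copied
    after = audit_private_paths(docroot, [above, inside])
    return above, inside, before, after
```

A result of "htaccess-only" still depends on the server's AllowOverride setting, which this script does not inspect.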