Make a .htaccess file in your includes directory

deny from all

Can't be done for client-side scripts because the browser must be able to access them. The best you can do is obfuscate them.

Hmm, as already mentioned, htaccess will not prevent php from accessing htpassword secured folders. Consequently, Apache has to be invoked in order to use it's security features which are quite secure, at least with https IMHO, eg:

header('Location: secret/index.php');

Where the folder secret is secured with htaccess.

index.php might look like this:

<?php
$a = $_REQUEST['a'] ;
if ($a==secret)  
    header('Location: secret/index.php');    
include_once("index_head.php");
include_once("index_tail.php");
?>

And secret/index.php

<?php 
include_once("../index_head.php");
include_once("./secret.php");
include_once("../index_tail.php");
?>

The main remaining problem is now, that secret/index.php will not find any links like ./main.css etc. Therefore links have to be defined absolute not relative, but I am sure that you guys now how to do that;-)

A running example is on http://promotio.ch/secret.php/

I think explaining how the pieces work together will help clear up the confusion.

A request comes in (from the user's web browser). Your web server (in this example, Apache) receives this. First, it checks the <Location> permissions. Then it looks through the rest of the configuration, and eventually maps the request URI to the filesystem. Now, finally, it can check <Directory> permissions as well as .htaccess.

If any of those permission checks fails (e.g., deny from all), Apache stops processing the request, and sends back an error (or request for username & password in the case of HTTP Basic authentication).

Once all the permission checks pass, Apache looks at the file, and notices that its a .php file. Somewhere in your (or your web host's) Apache config, there is an AddHandler directive that tells Apache to pass this request on to the PHP engine (which could be mod_php, or via fast cgi). (For most files, it instead sends the contents of the file to the browser. But script files are special, because of that AddHandler.)

Now, PHP reads your script file. It then also reads your include files directly. This doesn't go back through Apache, so things like .htaccess do not apply. It also means that your PHP includes do not need to be in your document root. They can be anywhere that the PHP process can access (based on UNIX permissions and PHP configuration). Setting an include_dir in your php.ini makes it easy to put these wherever.

Client-side JavaScript is run by the user's browser. It isn't interpreted server-side (like PHP is). So the user must be able to access it, just like the user must be able to access your .html files.

So, in short:

• You can put an .htaccess with Deny from all in your PHP include directories. PHP's include directive does not go through Apache, so it won't care. Ideally, you don't even put your PHP include directories under your document root at all.
• You can not do this for JavaScript, as JavaScript access goes through Apache (just like .html, .png, etc. access).

Ideally, your PHP includes should be in a folder that is not directly accessible to the web.

eg: say your web site is in /var/www/htdocs/, then you would put index.php in there, but the includes should be in a separate folder, outside the web-accessible area. In this example, you could have a folder alongside htdocs called something like /var/www/includes/, where the PHP includes would live.

This way they are completely protected from unwanted direct web access.

In addition, you should write your PHP code such that an include file only contains classes or functions. This means that if it is accessed somehow from the web, nothing will happen: PHP will load all the functions, but won't run any of them, so the user will just see a blank page.

If another page wants to include that file, it would need to to the include, and then also call the function(s) inside it; you shouldn't have an include that runs code immediately.

You should only write PHP code that runs immediately on the pages that are intended for direct user access, such as index.php.

Hope that helps.

You do have the option of doing this without using .htaccess (not saying it's a better solution, just a different one).

In files you wish the user to access directly, put the following before any includes:

@define('IN_APPLICATION', true);
require 'file.class.php'; //sample include

Then in the includes (class files), put the following code right at the top:

if (!defined('IN_APPLICATION')){
    die(header('HTTP/1.0 404 Not Found')); //or just die();
}

This will ensure that the class files are only accessible when included by a file (front end) that defines IN_APPLICATION. You could alternatively just kill the class file with a die() by itself rather than faking a 404.