Depending on possible other options set at a higher level you may need to put the following in your .htaccess file in your includes directory:

Satisfy all
Order deny,allow
Deny from all

I ran into this when the upper directory defined basic authentication including the line:

Satisfy any

This was preventing my deny from all to take effect because the users were authenticated.

I would just move the includes folder out of the web-root, but if you want to block direct access to the whole includes folder, you can put a .htaccess file in that folder that contains just:

deny from all

That way you cannot open any file from that folder, but you can include them in php without any problems.

It's possible to use a Files directive and disallow access to all files, then use it again to set the files that are accessible:

<Files ~ "^.*">
  Deny from all
</Files>

<Files ~ "^index\.php|css|js|.*\.png|.*\.jpg|.*\.gif">
  Allow from all
</Files>

If I understand correctly you just want to deny access to the includes folder?

An .htaccess with a 'DENY FROM ALL' directive placed in the includes folder would do the trick.

Your Q comes in two parts, both jeroen and anubhava's solutions work for part I -- denying access to /includes. anubhava's also works for part II. I prefer the latter because I use a DOCROOT/.htaccess anyway and this keeps all such control in one file.

However what I wanted t discuss is the concept of "denying access to submit.php". If you don't want to use submit.php then why have it in DOCROOT at all? I suspect that the answer here is that you use it as a action target in some forms and only want it to be fired when the form is submitted and not directly , e.g. from a spambot.

If this is true then you can't use anubhava's part II as this will cause your form to fail. What you can do here is (i) with the .htaccess check to ensure that the referrer was your own index page:

RewriteCond %{HTTP_REFERRER} !=HTTP://www.domain.com/index.php   [NC]
RewriteRule ^submit\.php$    -                                   [F]

And (ii) within your PHP index.php form generator include some hidden fields for a timestamp and validation. The validation could be, say, the first 10 chars of an MD5 of the timestamp and some internal secret. On processing the submit you can then (i) validate that the timestamp and validation match, and (ii) the timestamp is within, say, 15 minutes of the current time.

This you can prevent spamming as the only practical way that a spammer could get a valid timestamp / validation pair would be to parse a form, but this scrape would only have a 15 minute life.

1 liner mod_alias based solution :

RedirectMatch 403 ^/folder/file.php$

This will show forbidden error for /folder/file.php