I am using mod_rewrite for this. For images, etc., this is a standard include:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://myhostname\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|js|css)$ - [F]
You can add "inc" to this list of extensions on the last rule.
But to prevent access to certain types of files, I prefer something like:
RewriteCond %{THE_REQUEST} ^\w+\ /include/ [OR]
RewriteCond %{THE_REQUEST} \.php\ HTTP/
RewriteRule ^.*$ - [R=404,L]
This does two things:
- The first rule excludes access to the /include directory from external requests, but you can still include/require them; and
- The second rule restricts access to file names ending in .php. You can use the same thing for .inc files.
In both cases, Apache will give a 404 error (file not found), which I think is better. As a rule, it’s better to say that something doesn’t exist (when you don’t want people to see it) than to say that it’s there but you cannot access it. But this is just a personal opinion.
As for why I restricted .php files from direct access: I use mod_rewrite to create “good” URLs. Instead of:
/account/order.php
this is:
/account/order
There are many reasons for this. Aesthetics is one. SEO is another (if instead of /account/order.php?item=123 you have /account/order/123).
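An added example, not part of the original answer: a small Python check that evaluates the two `%{THE_REQUEST}` conditions above against raw request lines, so you can see which requests the rule would answer with 404. The request lines are constructed samples, and `TIGHTER_CONDS` is an assumed variant (not from the answer) that also matches `.php` followed by a query string or path info, which the pattern as posted does not.

```python
import re

# Conditions from the answer. Apache tests them as unanchored, case-sensitive
# regexes against %{THE_REQUEST}, the raw request line sent by the client.
# An internal rewrite (e.g. /account/order -> order.php) never changes it.
PAGE_CONDS = [r"^\w+\ /include/", r"\.php\ HTTP/"]

# Assumption (not from the answer): also cover ".php?query" and ".php/pathinfo".
TIGHTER_CONDS = [r"^\w+\ /include/", r"\.php(?:[?/]\S*)?\ HTTP/"]

# Constructed request lines for illustration.
SAMPLES = [
    "GET /account/order HTTP/1.1",
    "GET /account/order/123 HTTP/1.1",
    "GET /account/order.php HTTP/1.1",
    "GET /account/order.php?item=123 HTTP/1.1",
    "GET /include/db.inc HTTP/1.1",
]


def blocked(request_line, conds=PAGE_CONDS):
    """True if any [OR]-joined condition matches, i.e. the rule returns 404."""
    return any(re.search(c, request_line) for c in conds)


def report(conds=PAGE_CONDS):
    """Map each sample request line to whether the rule would block it."""
    return {line: blocked(line, conds) for line in SAMPLES}


if __name__ == "__main__":
    for name, conds in (("as posted", PAGE_CONDS), ("tighter", TIGHTER_CONDS)):
        print(f"--- {name} ---")
        for line, hit in report(conds).items():
            print(f"{'404 ' if hit else 'pass'}  {line}")
```

Running it shows that `/account/order.php?item=123` passes the conditions as posted, because the `.php` is followed by `?` rather than a space; the tighter pattern closes that case while still letting the clean URLs through.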