Blocking Direct Access to Specific File Types

As a developer, there are certain files you do not want to expose over HTTP, particularly configuration files or the XML or JSON files behind a custom serverless database. To prevent access, you can block requests for those files, or even for a whole sub-directory.

This is very simple, but how you do it depends on which web server your website is hosted on. Surprisingly, as of 2025 more websites are hosted on Nginx than on any other web server.

Based on data from w3techs.com, these are the environments your website is most likely to be hosted on. As of March 2025, here are some statistics about the usage of Apache, Nginx, and IIS:

  • Nginx: Used by approximately 33.8% of all websites whose web server is known.
  • Apache: Accounts for about 26.6% of websites.
  • Microsoft-IIS: Has a smaller share, being used by 4.1% of websites.

These numbers highlight the popularity of Nginx and Apache as leading web servers, with IIS trailing behind.

With that in mind, I will give you solutions for Nginx, Apache, and IIS, the last one for the few of you who might be hosted in that environment.

Nginx

To prevent access to specific file types in Nginx, you can use the location directive in your Nginx configuration file. Here’s an example:

server {
    listen 80;
    server_name yourdomain.com;

    location ~ \.(txt|xml|json)$ {
        deny all;
        return 404;
    }

    location / {
        # Your other configurations
        try_files $uri $uri/ =404;
    }
}

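This configuration blocks access to .txt, .xml, and .json files by denying all requests and returning a 404 error. Nginx evaluates return before the access checks, so the client sees the 404 and deny all acts only as a backstop. The ~ modifier makes the match case-sensitive; use ~* if the match should ignore case. You can modify the file extensions in the location ~ directive to suit your needs.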
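An added example (not from the original post): a Python check of which request paths, and which files under a document root, the pattern above actually covers. The NEAR_MISS heuristic and the function names are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit

# Pattern copied from the page's `location ~ \.(txt|xml|json)$` rule.
# `~` is case-sensitive in Nginx; `~*` is the case-insensitive form.
BLOCK_RULE = re.compile(r"\.(txt|xml|json)$")

# Constructed heuristic (assumption, not from the page): the same extensions
# in any letter case, or followed by a common backup/editor suffix.
NEAR_MISS = re.compile(
    r"\.(txt|xml|json)(\.(bak|old|orig|save|swp)|~)?$", re.IGNORECASE
)


def is_blocked(request_target):
    """True if the rule matches the request path.

    Nginx matches locations against the normalized URI: the query string
    is not part of it and %XX sequences are decoded first.
    """
    path = unquote(urlsplit(request_target).path)
    return BLOCK_RULE.search(path) is not None


def audit_docroot(docroot):
    """Walk docroot; return (blocked, near_miss) lists of URL paths."""
    blocked, near_miss = [], []
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(base, name), docroot)
            url_path = "/" + rel.replace(os.sep, "/")
            if BLOCK_RULE.search(url_path):
                blocked.append(url_path)
            elif NEAR_MISS.search(url_path):
                near_miss.append(url_path)  # not covered by the rule
    return sorted(blocked), sorted(near_miss)


if __name__ == "__main__":
    import sys

    blocked, near_miss = audit_docroot(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p in blocked:
        print("blocked     ", p)
    for p in near_miss:
        print("NOT blocked ", p)
```

Run it against a copy of your document root; anything listed as NOT blocked needs either a wider pattern or removal from the web root.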

To block access to specific file types within a particular directory in Nginx, you can refine the configuration using a location directive specific to that directory. Here’s an example:

server {
    listen 80;
    server_name yourdomain.com;

    location /restricted-directory/ {
        location ~ \.(txt|xml|json)$ {
            deny all;
            return 404;
        }
    }

    location / {
        # Your other configurations
        try_files $uri $uri/ =404;
    }
}

In this configuration:

  • /restricted-directory/ is the directory you want to restrict.
  • location ~ \.(txt|xml|json)$ specifies the file types to block within that directory.

After updating your Nginx configuration file, make sure to reload Nginx to apply the changes:

sudo nginx -s reload

If, like me, you appreciate the performance of Nginx but continue to use Apache for its ease of use, keep reading.

Apache

Configuring Apache is simpler, which is why many of us still use it.

Via .htaccess

To block access to specific file types in a particular directory with Apache, you can use an .htaccess file or modify the Apache configuration file. Here’s an example using .htaccess:

<FilesMatch "\.(txt|xml|json)$">
    Require all denied
</FilesMatch>

This configuration denies access to files with .txt, .xml, and .json extensions in the directory that contains the .htaccess file and in its subdirectories. Require all denied is Apache 2.4 syntax.

This assumes that your web server allows configuration via .htaccess files. If it doesn’t, take the following steps to enable them.

Step 1. Ensure that the AllowOverride directive in your Apache configuration permits .htaccess files. For example:

<Directory "/path/to/your/directory">
    AllowOverride All
</Directory>

Step 2. Restart Apache to apply the changes:

sudo systemctl restart apache2

Directly in the httpd.conf file

If you’d rather configure this directly in the Apache configuration file, you can use the <Directory> directive:

<Directory "/path/to/your/directory">
    <FilesMatch "\.(txt|xml|json)$">
        Require all denied
    </FilesMatch>
</Directory>

To accomplish this just follow these steps:

Step 1: Locate the Apache Configuration File:

  • Typically, the main configuration file is named httpd.conf or apache2.conf, depending on your system.
  • For virtual hosts, you may also need to edit site-specific files, often located in /etc/apache2/sites-available/.

Step 2: Use the <Directory> Directive:

  • The <Directory> directive allows you to specify rules for a particular directory.
  • Then use the implementation above.
  • Replace /path/to/your/directory with the actual path to the directory.
  • The FilesMatch directive uses a regular expression to match specific file types (in this case, .txt, .xml, and .json).

Step 3: After making these changes, remember to restart the Apache server as mentioned in the previous section.

IIS

As incredible as it might sound, this is also very simple to accomplish in Microsoft Internet Information Services (IIS). IIS uses XML to achieve what Apache does, but instead of .htaccess files you will use web.config files.

To block access to specific file types in IIS using a web.config file, you can use the requestFiltering feature. Here’s an example configuration:

Step 1: Create or Edit the web.config File:

  • Place the web.config file in the directory where you want to block access to specific file types.

Step 2: Add the Following Configuration:

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <fileExtensions>
                    <add fileExtension=".txt" allowed="false" />
                    <add fileExtension=".xml" allowed="false" />
                    <add fileExtension=".json" allowed="false" />
                </fileExtensions>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

  • This configuration blocks .txt, .xml, and .json files from being served by IIS.

Step 3: Restart IIS. This might be necessary if you can still access the files directly.

iisreset

Conclusion

Securing specific files is straightforward and requires minimal effort, provided you have access to your site configuration files. However, if you do not have access, as is the case with many hosting companies, you will need to contact your hosting provider and request these changes to be implemented, particularly for Nginx web servers.

Unlike Apache’s .htaccess and IIS’s web.config, Nginx does not have an equivalent file for per-directory configurations. Instead, all configurations are managed centrally in the main Nginx configuration file or its included files (e.g., /etc/nginx/nginx.conf or /etc/nginx/sites-available/).

This centralized design is intentional, as it enhances performance by avoiding the need to repeatedly check for configuration files in each directory. To achieve functionality similar to .htaccess or web.config, you can configure specific settings using location blocks in the Nginx configuration file.

Well, I hope this helps some of you out there… Happy Coding, Happy Designing.

This is Designer’s Gate logging out. Be blessed by Yah!