So I tried following .htaccess which worked... but it's screwing access via browser as well! Here is the .htaccess directive:

<Files *.js>
Deny from all
</Files>

I placed this .htaccess in the sitemodule directory.. it seems to be blocking individual browser access to the file but it's messing up cache headers.. (gives forbidden value) etc. Can anyone please help?

What's the correct method to not let people launch .js script files individually, but as well as allow rendering of pages, browser cache header values etc. for the same file?

Thanks!

Can't be done. At best, you can deny access to requests with no referer--but then you'll have to poke holes for search engines and other authorized robots. And you'll still be blocking humans who have told their browsers not to send a referer with requests for supporting files. (Query: Why would a human do this? Answer: No idea, but some do. Plays havoc with my log wrangling: Oh, I see, this person isn't requesting 50 images one by one; they're actually on the page.)

Denying access with a blanket "Deny from" directive is only for files like .htblahblah that are never, ever to be http-requested for any reason.

You can alter the .js file permissions, but again you may be blocking bots that expect to parse the .js to determine whether your pages function as expected. Things like responsive menus .js need to be readable to "see" the finished results.

Oh boy yep u guys are right I deleted the htaccess file.. thanks

I deleted the htaccess file

I hope that means that you removed the lines denying access to .js

If not, I hope you have another way to handle canonical versions.

not2easy apologies.. I'm no SEO expert, could you let me know what do you mean by handling canonical versions? Thanks!

Hi so I noticed some firewall logs and found users accessing urls like:

Just curious... how were you differentiating direct requests from the user and secondary requests that resulted from a user requesting your page? (I guess maybe you weren't by the sounds of it?)

...handling canonical versions?

Ensuring that there is just 1 URL for every unique resource. Commonly, this refers to the www subdomain vs apex domain (as well as HTTP vs HTTPS). For example, if your site is accessible by both www.example.com and example.com, making sure you redirect the user to www.example.com (if the www subdomain is your canonical domain).

whitespace no actually I just saw the logs on cloudflare which specifically listed the url with javascript files with crazy extensions within the url to probe for weaknesses I guess?

Yeah I've already setup the redirect for the www domain from example.com. Long time ago.

....with crazy extensions within the url to probe for weaknesses I guess?

Ahh, maybe that is something you CAN block!? (Unless this is something that is already handled by Cloudflare?)

with crazy extensions

Extensions? You mean query strings? You can absolutely block requests with a query string when the real URL doesn’t use one. (I do this for .html, though I haven't needed to do it for other static extensions.) Simplest is to redirect to the query-less version.

Not query strings just weird ASCII characters..

If it's "just weird ASCII characters" and "not query strings" then you would expect this to result in a 404 (or is already blocked by the server)? Unless... these "weird ASCII characters" are prefixed with a slash and appears after the filename then your server is perhaps seeing this as additional path information (PATH_INFO) - but path info would normally be blocked on JavaScript (application/javascript) files by default and so should already result in a 404 as well?

But you say "within the url"? Do you mind giving an example (to at least satisfy our curiosity)? :)