So I tried the following .htaccess, which worked... but it's screwing up access via the browser as well! Here is the .htaccess directive:
<Files *.js>
    Deny from all
</Files>
I placed this .htaccess in the sitemodule directory... it seems to be blocking individual browser access to the file, but it's messing up cache headers (gives forbidden value), etc. Can anyone please help?
What's the correct method to not let people launch .js script files individually, but also allow rendering of pages, browser cache header values, etc. for the same file?
Can't be done. At best, you can deny access to requests with no referer--but then you'll have to poke holes for search engines and other authorized robots. And you'll still be blocking humans who have told their browsers not to send a referer with requests for supporting files. (Query: Why would a human do this? Answer: No idea, but some do. Plays havoc with my log wrangling: Oh, I see, this person isn't requesting 50 images one by one; they're actually on the page.)
Denying access with a blanket "Deny from" directive is only for files like .htblahblah that are never, ever to be http-requested for any reason.
You can alter the .js file permissions, but again you may be blocking bots that expect to parse the .js to determine whether your pages function as expected. Things like responsive menus .js need to be readable to "see" the finished results.
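The referer-based compromise described in the replies above, written out as an added example that is not part of the thread. It assumes mod_rewrite is usable from .htaccess, and the two crawler names are placeholders for whichever robots you choose to authorize.

```apache
# Constructed example for a per-directory .htaccess (assumes mod_rewrite is enabled).

# The blanket form from the question, shown commented out: it refuses every
# request for a .js file, including the ones a browser makes while rendering a page.
#<Files *.js>
#    Deny from all
#</Files>

RewriteEngine On

# Act only on requests that arrive with an empty Referer header...
RewriteCond %{HTTP_REFERER} ^$
# ...and that do not identify as a crawler you want to let through.
# The names below are placeholders; list the robots you actually authorize.
# User-Agent is supplied by the client, so this is a hole, not an identity check.
RewriteCond %{HTTP_USER_AGENT} !(Googlebot|bingbot) [NC]
# Answer the matching .js request with 403 Forbidden.
RewriteRule \.js$ - [F]
```

Visitors whose browsers send no Referer for supporting files also match the first condition and get the 403, which is the trade-off the reply points out. Both headers are set by the client, so this only filters casual direct requests and is not access control for the script's contents.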
Hi, so I noticed some firewall logs and found users accessing URLs like:
Just curious... how were you differentiating direct requests from the user and secondary requests that resulted from a user requesting your page? (I guess maybe you weren't by the sounds of it?)
...handling canonical versions?
Ensuring that there is just 1 URL for every unique resource. Commonly, this refers to the www subdomain vs apex domain (as well as HTTP vs HTTPS). For example, if your site is accessible by both www.example.com and example.com, making sure you redirect the user to www.example.com (if the www subdomain is your canonical domain).
Extensions? You mean query strings? You can absolutely block requests with a query string when the real URL doesn’t use one. (I do this for .html, though I haven't needed to do it for other static extensions.) Simplest is to redirect to the query-less version.
But you say "within the url"? Do you mind giving an example (to at least satisfy our curiosity)? :)