diff --git a/.gitignore b/.gitignore
index 2d8acf016..3250fb076 100644
--- a/.gitignore
+++ b/.gitignore
@@ -71,8 +71,8 @@ venv/
/addons
/addon
-#ignore .htaccess
-.htaccess
+#ignore base .htaccess
+/.htaccess
#ignore filesystem storage default path
/storage
diff --git a/.htaccess-dist b/.htaccess-dist
index a671cc680..3c9098251 100644
--- a/.htaccess-dist
+++ b/.htaccess-dist
@@ -1,3 +1,6 @@
+# This file is meant to be copied to ".htaccess" on Apache-powered web servers.
+# The created .htaccess file can be edited manually and will not be overwritten by Friendica updates.
+
Options -Indexes
AddType application/x-java-archive .jar
AddType audio/ogg .oga
diff --git a/bin/.htaccess b/bin/.htaccess
new file mode 100644
index 000000000..716a932e1
--- /dev/null
+++ b/bin/.htaccess
@@ -0,0 +1,10 @@
+# This file prevents browser access to Friendica command-line scripts on Apache-powered web servers.
+# It isn't meant to be edited manually, please check the base Friendica folder for the .htaccess-dist file instead.
+
+
+ Require all denied
+
+
+ Order Allow,Deny
+ Deny from all
+
diff --git a/bin/auth_ejabberd.php b/bin/auth_ejabberd.php
index fa71faf26..e92182916 100755
--- a/bin/auth_ejabberd.php
+++ b/bin/auth_ejabberd.php
@@ -51,6 +51,11 @@
*
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
+
use Dice\Dice;
use Friendica\App\Mode;
use Friendica\Util\ExAuth;
diff --git a/bin/console.php b/bin/console.php
index 27522d855..4d5b4c79c 100755
--- a/bin/console.php
+++ b/bin/console.php
@@ -20,6 +20,11 @@
*
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
+
use Dice\Dice;
use Psr\Log\LoggerInterface;
diff --git a/bin/daemon.php b/bin/daemon.php
index 596f4de56..3fe803d6f 100755
--- a/bin/daemon.php
+++ b/bin/daemon.php
@@ -23,6 +23,11 @@
* This script was taken from http://php.net/manual/en/function.pcntl-fork.php
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
+
use Dice\Dice;
use Friendica\Core\Logger;
use Friendica\Core\Worker;
diff --git a/bin/testargs.php b/bin/testargs.php
index b7d7125f7..9aed35303 100644
--- a/bin/testargs.php
+++ b/bin/testargs.php
@@ -26,6 +26,10 @@
*
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
if (($_SERVER["argc"] > 1) && isset($_SERVER["argv"][1])) {
echo $_SERVER["argv"][1];
diff --git a/bin/wait-for-connection b/bin/wait-for-connection
index b6c03a670..de860e984 100755
--- a/bin/wait-for-connection
+++ b/bin/wait-for-connection
@@ -24,6 +24,11 @@
* Usage: php bin/wait-for-connection {HOST} {PORT} [{TIMEOUT}]
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
+
$timeout = 60;
switch ($argc) {
case 4:
diff --git a/bin/worker.php b/bin/worker.php
index 1b70a2095..833e5b002 100755
--- a/bin/worker.php
+++ b/bin/worker.php
@@ -21,6 +21,11 @@
* Starts the background processing
*/
+if (php_sapi_name() !== 'cli') {
+ header($_SERVER["SERVER_PROTOCOL"] . ' 403 Forbidden');
+ exit();
+}
+
use Dice\Dice;
use Friendica\App;
use Friendica\Core\Update;
diff --git a/mods/sample-nginx.config b/mods/sample-nginx.config
index 71d378551..b90e1fe29 100644
--- a/mods/sample-nginx.config
+++ b/mods/sample-nginx.config
@@ -141,4 +141,9 @@ server {
location ~ /\. {
deny all;
}
+
+ # deny access to the CLI scripts
+ location ^~ /bin {
+ deny all;
+ }
}