Restricting to localhost Access Only
To restrict access globally, all you have to do is to restrict access in httpd.conf in Apache’s conf directory.
First, locate the Directory settings for your htdocs directory (under Windows it’s e.g. C:/Apache2/htdocs, C:/Program Files/xampp/htdocs, etc., under Linux it’s e.g. /usr/htdocs, /usr/local/htdocs, /usr/local/www/htdocs, /usr/share/htdocs, etc.).
Then, you have to edit the Order subsection as follows (comments left out for readability):
<Directory "htdocs_path"> Options Indexes FollowSymLinks Includes ExecCGI AllowOverride All</directory> Order deny,allow Deny from all Allow from localhost </Directory>
Note: Order of the Deny and Allow lines is important! – just guessing, but I think that Apache simply applies the rules one after another, and the output of last rule that applies to the IP is used.
It can be also sometimes useful to disallow overrides of settings; if needed, simply change AllowOverride All to AllowOverride None, to disallow override of settings using .htaccess files.
See Apache documentation for complete list of options; just like with Options, it’s recommended to list the settings explicitely in AllowOverride to know what exactly is allowed.
Restricting Access to Certain Files
Great example of how to do this is contained in the httpd.conf itself, but many people seem to somehow miss it there, so here it is:
# The following lines prevent .htaccess and .htpasswd files # from being viewed by Web clients. <FilesMatch "^\.ht"> Order allow,deny Deny from all </FilesMatch>
Of course, don’t forget to restart Apache after each edit of httpd.conf file, so it reloads the settings. Good luck!