To prevent the file being downloaded, generally the way to go is to store it in a directory that is not served by the web server. I don't know what setup you're in, but assuming an Apache setup, if for example your .php files are served from a directory /home/user/htdocs, you could create a directory /home/user/config, ensure that it is readable by the webserver, and store the .json files there.
Another approach, again assuming Apache, would be to create an .htaccess file containing the following (inspired by this answer):
RedirectMatch 404 \.json$
This would not only prevent downloading any and all .json files in the directory, but hide their very existence.
It might just be possible to do it the way you suggested, by storing the file with a .json.php extension, although this would not be a recommended approach. For this to work, the file has to be valid PHP but it must obviously be valid JSON as well and we are hampered somewhat by the fact that JSON does not allow comments. Something like the following would stop the PHP interpreter soon after the start of the file, before spilling your secrets:
{
"<?php exit('Access denied'); ?>": null,
"password": "secret"
}
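
An added example, not part of the original answer, of the first approach: a loader that reads the JSON from a directory beside the document root and refuses any path that resolves inside it. The helper name load_config(), the file name settings.json and the temporary demo layout (standing in for /home/user/htdocs and /home/user/config) are assumptions.

```php
<?php
// Added example; load_config() and settings.json are hypothetical names.
declare(strict_types=1);

function load_config(string $file, string $docRoot): array
{
    $real = realpath($file);
    $root = realpath($docRoot);
    if ($real === false || $root === false || !is_readable($real)) {
        throw new RuntimeException("Config or document root not accessible: $file");
    }
    // Refuse secrets stored anywhere the web server would serve directly.
    $prefix = rtrim($root, '/') . '/';
    if (strncmp($real, $prefix, strlen($prefix)) === 0) {
        throw new RuntimeException("Config file is inside the document root: $real");
    }
    // The web server must be able to read it; every local account need not.
    if ((fileperms($real) & 0004) !== 0) {
        error_log("Warning: $real is world-readable");
    }
    $raw = file_get_contents($real);
    if ($raw === false) {
        throw new RuntimeException("Could not read $real");
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException("Config root must be a JSON object: $real");
    }
    return $data;
}

// Constructed demo layout mirroring htdocs/ and config/ as sibling directories.
$base = sys_get_temp_dir() . '/cfgdemo_' . getmypid();
mkdir("$base/htdocs", 0750, true);
mkdir("$base/config", 0750, true);
file_put_contents("$base/config/settings.json", '{"password": "secret"}');
chmod("$base/config/settings.json", 0640);
copy("$base/config/settings.json", "$base/htdocs/settings.json");

$config = load_config("$base/config/settings.json", "$base/htdocs");
echo "loaded keys: ", implode(', ', array_keys($config)), "\n";
try {
    load_config("$base/htdocs/settings.json", "$base/htdocs");
} catch (RuntimeException $e) {
    echo "refused: ", $e->getMessage(), "\n";
}
```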