So my site is ready and it's going live in 2 days the last thing on the todo list is:
deny access to /inc/ /classes/ /sources/ so as i always do i investigated, and found that none of the big websites denying access to the private folders.
i'v trolled around the web and found no one mentioning this method for denying access by saying 'this directory doesn't exists'.
is it safe to show 404 error pages for directories? and if it is safe... how can i do it. and if not what is the best way to secure directories?
The best way not to allow access is by actually moving them outside the document root, so there's no direct path through the web to those files. Some hosters don't allow this, to which there are 2 solutions: (1) go to another hoster, plenty of proper ones, or (2) the hard way, indeed, give annoying crackers as little information as possible, and go for the standard 404, you can set it up in .htaccess files.