将文件夹上的设置权限444阻止来自Web的访问

TL:DR Will permission 444 on a folder restrict access for a web user and browser?

I have a webserver with a root catalog that is accessible from the web. I can't access any folders higher up in the hiearchy, I only have control of the root folder and down.

Lets say I have the following folder structure:

• includes
• includes\database.php
• admin
• admin\index.php

I want the includes folder to follow these rules:

• Accessible from within the server, so "admin/index.php" can include "includes/database.php"
• Accessible via FTP, so I can access and edit the folder and files.
• NOT Accessible by a user from the web.

Can I solve this by setting "includes" and all subfolders/files with permission 444? If so, is there a known way to bypass this access-rule or is it safe to use?

If you want to keep assets safe from web access you need to move them outside of your web root. Typically one level below your web root is used. This way they are still accessible via FTP and your code but not to web requests.