diff --git a/.htaccess b/.htaccess
index afeb18f..399fc0d 100644
--- a/.htaccess
+++ b/.htaccess
@@ -15,6 +15,41 @@
   RewriteRule ^edit-recipe/([0-9]+)$ ?site=edit-recipe&number=$1
 
   #Loginseite
-  RewriteRule ^login/url=(.+)$ ?site=login&refurl=$1 [L]
+  RewriteRule ^login/url=(.+)$ ?site=login&refurl=$1
 
+  #API Calls
+  RewriteRule ^api/([\w-]+)/([\w-]+)$ php/api.php?site=api&call=$1&function=$2 [L]
 </IfModule>
+
+#Deny every *.php file
+<Files *.php>
+    Order Deny,Allow
+    Deny from all
+    Allow from 127.0.0.1
+</Files>
+
+#allow following files
+<Files index.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files api.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files login.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files logout.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
+
+<Files install*.php>
+    Order Allow,Deny
+    Allow from all
+</Files>
diff --git a/bin/adduser.js b/bin/adduser.js
index d2cb4c7..9fc6819 100644
--- a/bin/adduser.js
+++ b/bin/adduser.js
@@ -1,13 +1,12 @@
 $(document).ready(function(){
   $("#button_newuser").click(function(){
-    $.post("/php/edit-user.php",
+    $.post("/api/user/new",
       {
-        function: "new-user",
         username: $("#text_user").val(),
         passwd: $("#text_passwd").val()
       },
       function(data){
-        if(data==0){
+        if(data=="0"){
           infoPopUp("Benutzer erfolgreich erstellt!", 100);
           $("#text_user").val("");
           $("#text_passwd").val("");
diff --git a/bin/autocomplete.js b/bin/autocomplete.js
index 2378e98..31daf95 100644
--- a/bin/autocomplete.js
+++ b/bin/autocomplete.js
@@ -71,10 +71,8 @@ var values = [];
 $(document).ready(function(){
   $.ajax({
     type: "POST",
-    url: "/php/edit-recipes.php",
-    data: {
-      function: "auto",
-    },
+    url: "/api/recipes/auto",
+    data: {},
     success: function(data){
       values = data.split("||");
     }
diff --git a/bin/edit-recipe.js b/bin/edit-recipe.js
index c232c80..dd171e0 100644
--- a/bin/edit-recipe.js
+++ b/bin/edit-recipe.js
@@ -1,16 +1,15 @@
 $(document).ready(function(){
   var recipeID = window.location.href.split("/")[(window.location.href.split("/").length-1)];
-  $("#FormSubmitfunction").prop("value", "update");
+  $("#newRecipeForm").prop("action", "/api/recipes/update");
   $.ajax({
     type: "POST",
-    url: "/php/edit-recipes.php",
+    url: "/api/recipes/edit",
     data: {
-      function: "edit",
       id: recipeID
     },
     success: function(data){
       var recipe = JSON.parse(data);
-      $("#FormSubmitfunction").after("<input type='hidden' name='id' value='"+recipe.ID+"'>");
+      $("#safeRecipe").before("<input type='hidden' name='id' value='"+recipe.ID+"'>");
       $("#RecipeFormName").val(recipe.Name);
       $("#recipeDurationInput").val(recipe.Dauer);
       $("#recipeDescription").val(recipe.Beschreibung);
diff --git a/bin/list.js b/bin/list.js
index f469531..c2f447f 100644
--- a/bin/list.js
+++ b/bin/list.js
@@ -3,9 +3,8 @@ $(document).ready(function(){
     var dataId = $(this).parent().data("id");
     $.ajax({
       type: "POST",
-      url: "php/edit-list.php",
+      url: "api/list/check",
       data: {
-        function: "check",
         id: dataId,
         status: $(this).prop("checked")
       },
@@ -18,10 +17,7 @@ $(document).ready(function(){
   $("#remove").click(function(){
     $.ajax({
       type: "POST",
-      url: "php/edit-list.php",
-      data: {
-        function: "del"
-      },
+      url: "api/list/del",
       success: function(){
         location.reload();
       }
diff --git a/bin/manageRecipe.js b/bin/manageRecipe.js
index fb8723a..d968106 100644
--- a/bin/manageRecipe.js
+++ b/bin/manageRecipe.js
@@ -14,9 +14,8 @@ $(document).ready(function(){
     if(!(confirm("Wirklich löschen?"))){return;}
     $.ajax({
       type: "POST",
-      url: "/php/edit-recipes.php",
+      url: "/api/recipes/del",
       data: {
-        function: "del",
         id: $("#recipeHeader").data("recipeid")
       },
       success: function(data){
diff --git a/bin/recipe.js b/bin/recipe.js
index 7fba722..d87a83f 100644
--- a/bin/recipe.js
+++ b/bin/recipe.js
@@ -14,9 +14,8 @@ $(document).ready(function(){
     if(!(confirm("Wirklich löschen?"))){return;}
     $.ajax({
       type: "POST",
-      url: "/php/edit-recipes.php",
+      url: "/api/recipes/del",
       data: {
-        function: "del",
         id: $("#recipeHeader").data("recipeid")
       },
       success: function(data){
@@ -45,10 +44,9 @@ $(document).ready(function(){
     });
     $.ajax({
       type: "POST",
-      url: "/php/edit-list.php",
+      url: "/api/list/multiple",
       data: {
-        list: list,
-        function: "multiple"
+        list: list
       },
       success: function(data){
         window.location = "/";
diff --git a/bin/settings.js b/bin/settings.js
index 51164bb..ecea9fd 100644
--- a/bin/settings.js
+++ b/bin/settings.js
@@ -31,9 +31,8 @@ $(document).ready(function(){
     }
   });
   $("#passwordSaveButton").click(function(){
-    $.post("/php/edit-user.php",
+    $.post("/api/user/change-pw",
       {
-        function: "change-pw",
         current: $("#old-password-input").val(),
         new: $("#new-password-input").val()
       },
@@ -52,13 +51,13 @@ $(document).ready(function(){
   });
 
   $("#export-recipe-button").click(function(){
-    $.post("/php/edit-recipes.php", {function:"export"}, function(data){
+    $.post("/api/recipes/export", {}, function(data){
       downloadObjectAsJson(JSON.parse(data), "recipes");
     });
   });
 
   $("#export-list-button").click(function(){
-    $.post("/php/edit-list.php", {function:"export"}, function(data){
+    $.post("/api/list/export", {}, function(data){
       downloadObjectAsJson(JSON.parse(data), "list");
     });
   });
@@ -70,9 +69,8 @@ $(document).ready(function(){
       reader.onload = function(){
         var content = JSON.parse(reader.result);
         if(content.sites!=null){
-          $.post("/php/edit-recipes.php",
+          $.post("/api/recipes/import",
             {
-              function: "import",
               content: reader.result
             },
             function(data){
@@ -87,9 +85,8 @@ $(document).ready(function(){
           );
         }
         else if(content.list!=null){
-          $.post("/php/edit-list.php",
+          $.post("/api/list/import",
             {
-              function: "import",
               content: reader.result
             },
             function(data){
diff --git a/config/.htaccess b/config/.htaccess
deleted file mode 100644
index 98e9e6d..0000000
--- a/config/.htaccess
+++ /dev/null
@@ -1,4 +0,0 @@
-# prevent access to these files while not logged in
-<files "*.php">
-  Require all denied
-</files>
diff --git a/cont/.htaccess b/cont/.htaccess
deleted file mode 100644
index 98e9e6d..0000000
--- a/cont/.htaccess
+++ /dev/null
@@ -1,4 +0,0 @@
-# prevent access to these files while not logged in
-<files "*.php">
-  Require all denied
-</files>
diff --git a/cont/list.php b/cont/list.php
index 7810c60..15a2b90 100644
--- a/cont/list.php
+++ b/cont/list.php
@@ -2,7 +2,7 @@
 <link rel="stylesheet" href="/style/list.css">
 <h1>Liste</h1>
 <button type="button" id="remove" class="button">Auswahl entfernen</button>
-<form id="neu" action="php/edit-list.php" method="post">
+<form id="neu" action="api/list/new" method="post">
   <input type="hidden" name="function" value="new">
 <div id="list">
   <?php
diff --git a/cont/manageRecipe.php b/cont/manageRecipe.php
index 8b12a26..9633f52 100644
--- a/cont/manageRecipe.php
+++ b/cont/manageRecipe.php
@@ -8,8 +8,7 @@
 else{
   echo "<h1 id=\"header\">Neu</h1>";
 } ?>
-<form id="newRecipeForm" autocomplete="off" action="/php/edit-recipes.php" method="post">
-  <input id="FormSubmitfunction" type="hidden" name="function" value="new">
+<form id="newRecipeForm" autocomplete="off" action="/api/recipes/new" method="post">
   <div><input id="safeRecipe" type="submit" name="" value="Speichern" class="button"> </div>
   <div><font>Name:</font><br /><input id="RecipeFormName" type="text" name="recipeName" placeholder="Name" required="required"></div>
   <div><font>Dauer (Minuten):</font><br /><input type="number" name="recipeDuration" id="recipeDurationInput" value="30"></div>
diff --git a/install/install_action.php b/install/install_action.php
index a6cd929..6596719 100644
--- a/install/install_action.php
+++ b/install/install_action.php
@@ -209,5 +209,5 @@ foreach($SQLStatements as $statement){
   $result = $connection->query($statement);
 }
 $connection->close();
-header ("Location: adduser.php");
+header ("Location: install_adduser.php");
 ?>
diff --git a/install/adduser.php b/install/install_adduser.php
similarity index 95%
rename from install/adduser.php
rename to install/install_adduser.php
index 06fa697..9ca584c 100644
--- a/install/adduser.php
+++ b/install/install_adduser.php
@@ -13,6 +13,4 @@
   <input id="button_newuser" class="button" type="submit" name="" value="Neuer Benutzer">
 </div>
 <button class="button button-disabled" id="adduser-button-done">Fertig</button>
-
-<!-- Only here in install/adduser -->
 <div id="info-popup"><font id="info-popup-text"></font></div>
diff --git a/php/.htaccess b/php/.htaccess
deleted file mode 100644
index da07521..0000000
--- a/php/.htaccess
+++ /dev/null
@@ -1,16 +0,0 @@
-# prevent access to these files while not logged in
-<files "classes.*.php">
-  Require all denied
-</files>
-
-<files "auth.php">
-  Require all denied
-</files>
-
-<files "connect.php">
-  Require all denied
-</files>
-
-<files "hash.php">
-  Require all denied
-</files>
diff --git a/php/api.php b/php/api.php
new file mode 100644
index 0000000..5422efd
--- /dev/null
+++ b/php/api.php
@@ -0,0 +1,20 @@
+<?php
+  session_start();
+  switch($_GET["call"]) {
+    case 'list':
+      include $_SESSION["docroot"].'/php/edit-list.php';
+      break;
+
+    case 'recipes':
+      include $_SESSION["docroot"].'/php/edit-recipes.php';
+      break;
+
+    case 'user':
+      include $_SESSION["docroot"].'/php/edit-user.php';
+      break;
+
+    default:
+      echo "API call not defined";
+      break;
+  }
+?>
diff --git a/php/edit-list.php b/php/edit-list.php
index 82326c9..6fab0cf 100644
--- a/php/edit-list.php
+++ b/php/edit-list.php
@@ -1,9 +1,8 @@
 <?php
-  session_start();
   include $_SESSION["docroot"].'/php/classes.list.php';
   $shopping = new shopping;
 
-  switch ($_POST["function"]) {
+  switch ($_GET["function"]) {
     case 'new':
       $shopping->newItem($_POST["anzahl"], $_POST["einheit"], $_POST["name"]);
       header("Location: /list");
diff --git a/php/edit-recipes.php b/php/edit-recipes.php
index aa068c6..54be070 100644
--- a/php/edit-recipes.php
+++ b/php/edit-recipes.php
@@ -1,9 +1,8 @@
 <?php
-  session_start();
   include $_SESSION["docroot"].'/php/classes.recipe.php';
   $book = new cookbook;
 
-  switch ($_POST["function"]) {
+  switch ($_GET["function"]) {
     case 'del':
       $book->removeRecipe($_POST["id"]);
       break;
diff --git a/php/edit-user.php b/php/edit-user.php
index 4729fee..bc0dbcb 100644
--- a/php/edit-user.php
+++ b/php/edit-user.php
@@ -1,17 +1,16 @@
 <?php
-  session_start();
   include $_SESSION["docroot"].'/php/classes.user.php';
   $user = new user;
-  if($_POST["function"]!="new-user"){
+  if($_GET["function"]!="new"){
     $user->get_info($_COOKIE["token"]);
   }
-
-  switch ($_POST["function"]) {
+  
+  switch ($_GET["function"]) {
     case 'change-pw':
       $user->change_password($_POST["current"], $_POST["new"]);
       break;
 
-    case 'new-user':
+    case 'new':
       $user->new($_POST["username"], $_POST["passwd"]);
       break;