Problem solve Get help with specific problems with your technologies, process and projects.

Banish .htaccess from your Apache server

Here's how to disable .htaccess if you don't have a need for it.

The Apache Web server provides administrators with an extremely flexible access control system that allows the delegation of access control to those responsible for maintaining individual directories. This is ideal for Web servers run by Internet Service Providers, educational institutions and others with a need to support Web pages maintained by large numbers of users.

This access control system uses files known as .htaccess files stored in each directory of the Web server. These files contain explicit access control entries that either grant or deny access to users or groups of users based upon their IP address, authentication status or other criteria.

While it's true that .htaccess files provide a powerful option for the delegation of security control, it's essential that administrators who don't require that level of delegation disable this functionality. Putting security control of various directories in the hands of numerous people (particularly those unskilled in the art of information security!) represents a tremendous risk to the entire system.

Fortunately, disabling .htaccess files on a global basis is extremely easy. Just use the following statement in your Apache server configuration file:

<Directory />
AllowOverride None

It's important to ensure that your server is configured properly and that this is the only AllowOverride statement. It is permissible to override this general directive and enable .htaccess files for particular directories that require their use. In fact, this is the preferred method of enabling .htaccess when circumstances warrant. Simply set the global AllowOverride setting to None, and then provide a list of exceptions to the general rule.

Think carefully before allowing users to implement .htaccess files on your server. Is it really necessary? Unless each user requesting such access can provide a specific justification, it's safe to err on the side of denying such requests.

About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the Guide to Databases.

This was last published in November 2003

Dig Deeper on Web Server Threats and Countermeasures

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.