
Apache Web Server Forum

protect ALL htaccess files from public view

 5:23 pm on Jan 15, 2004 (gmt 0)

# Ban access to files & file extensions
RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

My intentions are to ban access to all .ht(access/passwd) files, but this only works for the root directory. How would you modify this to include all subdirectory .ht(access/passwd) files as well?



Robert Thivierge

 6:17 pm on Jan 15, 2004 (gmt 0)

When I installed Apache the following was already in "httpd.conf" and works fine:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

As for your ".htaccess" code:
RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

The "^" is forcing the comparison to start at the extreme left edge of the string. Maybe try dropping it.


 6:40 pm on Jan 15, 2004 (gmt 0)

ah yes. the infamous ^



 8:26 pm on Jan 15, 2004 (gmt 0)

Be aware that <Files> also means "only files". That is, the string inside <Files> is compared only to a filename, not to a file-path. Therefore, you use the start anchor in <Files> but not in RewriteRule. <Files> ignores directory-path info, while RewriteRule does not, since it works with URLs.

It's a subtle, but important difference.
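
The distinction described above, applied to the rules from the first post, as an added example that is not part of the thread. It assumes the .htaccess file sits in the document root with mod_rewrite enabled; the `(^|/)` pattern and the Apache 2.4 note are additions, not something a poster suggested.

```apache
# Added example. Per-directory (.htaccess) context: mod_rewrite matches the
# pattern against the URL-path relative to this directory, without a leading
# slash, so "sub/dir/.htpasswd" is what the regex sees for a nested file.

RewriteEngine On

# Rules from the first post, kept for comparison. "^" pins the match to the
# start of the relative path, so only the top-level files are refused.
# RewriteRule ^\.htaccess$ - [F]
# RewriteRule ^\.htpasswd$ - [F]

# Any depth: the name must start the path or directly follow a "/".
# Unlike simply dropping "^", this does not also match "notes.htaccess".
RewriteRule (^|/)\.ht(access|passwd)$ - [F]

# Caveat: a subdirectory .htaccess that contains its own mod_rewrite
# directives replaces these rules for that subtree unless it sets
# "RewriteOptions Inherit". The <Files> block below has no such gap.

# Filename-based form, as quoted from httpd.conf earlier in the thread.
# <Files> compares the regex with the filename only, so "^" is correct
# here and every directory is covered.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    # Apache 2.4 and later (mod_authz_core) use this instead of the two
    # lines above:
    # Require all denied
</Files>
```

The same `RewriteRule` also works in server or virtual-host context, where the pattern is matched against the full URL-path with its leading slash.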



 9:14 pm on Jan 15, 2004 (gmt 0)

Yes & thanks for the advice!

I decided to go the mod_rewrite method because I have other rules that rewrite [domain.com...] >> [domain.com...]

That in conjunction with errordocument was resulting in rewriting the path to my errordocument to the address bar. Since I'm using error.php?404 or error.php?403 etc., I thought it best just to force 403 so that the inner workings of my errordocuments stay hidden in the event that someone asks for [domain.com...]

