Forum Moderators: phranque
I need to have a single .htaccess file apply to the whole site: www/ and all subdirectories. Is it considered best to place this file in root? (i.e., one directory above www/.) Or is it better in www/?
Are there any differences regarding security? (Possibly more secure to have .htaccess only in root?)
In order to prevent it from being accessed from the Web, you can place code in it, such as
<FilesMatch "^\.ht">
Deny from all
</FilesMatch>
It may not be possible on your server to use a single .htaccess file. This depends on your server configuration. If you wish to use mod_rewrite on your site, then you may have to place additional .htaccess files in all subdirectories containing:
RewriteEngine on
RewriteOptions inherit
Jim
On another site, I have placed .htaccess in root, not accessible from the Web (I assume), yet it does take effect. So this must be possible, at least in some configurations.
In fact, if you check the Apache .htaccess documentation [httpd.apache.org], about halfway down (search for /.htaccess), it's stated that Apache must search in root. (But then they add without further explanation that .htaccess files are not usually enabled for root.)
So I'm thinking that if, as on my other site, the server is configured to check .htaccess in root, I'll place the file there, as it will not need to secure itself. Does that sound sensible?
Best practice is to have the .htaccess-protection code at least once in the .htaccess directory-path. That way if you later need to add an .htaccess at a lower level in order customize something or limit processing to a particular directory-path, you can do so without worrying about protecting it. Note that <Files> apply to the named file regardless of directory, so one protection-block covers all .htaccess and .htpasswd files in or below the directory where the code is.
As to what is best for you, I'd say test it and find out. In many cases, it comes down to personal preferences.
Jim
