protect ALL htaccess files from public view



5:23 pm on Jan 15, 2004 (gmt 0)

10+ Year Member

# Ban access to files & file extensions
RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

My intentions are to ban access to all .ht(access/passwd) files, but this only works for the root directory. How would you modify this to include all subdirectory .ht(access/passwd) files as well?


Robert Thivierge

6:17 pm on Jan 15, 2004 (gmt 0)

10+ Year Member

When I installed Apache the following was already in "httpd.conf" and works fine:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

As for your ".htaccess" code:

RewriteRule ^\.htaccess$ - [F]
RewriteRule ^\.htpasswd$ - [F]

The "^" is forcing the comparison to start at the extreme left edge of the string. Maybe try dropping it.


6:40 pm on Jan 15, 2004 (gmt 0)

10+ Year Member

ah yes. the infamous ^



8:26 pm on Jan 15, 2004 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Be aware that <Files> also means "only files". That is, the string inside <Files> is compared only to a filename, not to a file-path. Therefore, you use the start anchor in <Files> but not in RewriteRule. <Files> ignores directory-path info, while RewriteRule does not, since it works with URLs.

It's a subtle, but important difference.
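The difference described above, as an added example that is not part of the original thread: it runs the thread's patterns over constructed request paths and shows which requests each one would refuse. It assumes the RewriteRule sits in the document-root .htaccess (so the pattern sees the URL path without its leading slash) and models <Files> as comparing only the final path segment; `REWRITE_SEGMENT` is a pattern added here, not one posted in the thread.

```python
import posixpath
import re

# Patterns taken from the thread
REWRITE_ANCHORED = r"^\.htaccess$"    # original post: only matches in the root
REWRITE_UNANCHORED = r"\.htaccess$"   # the "try dropping ^" suggestion
FILES_PATTERN = r"^\.ht"              # <Files ~ "^\.ht"> from httpd.conf
# Added here (assumption, not from the thread): anchor at a path-segment
# boundary instead of at the start of the whole string.
REWRITE_SEGMENT = r"(^|/)\.ht(access|passwd)$"

# Constructed sample request paths
SAMPLE_PATHS = [
    "/.htaccess",
    "/sub/.htaccess",
    "/a/b/.htpasswd",
    "/docs/notes.htaccess",   # ordinary file that merely ends in ".htaccess"
    "/index.html",
]


def rewrite_rule_matches(pattern, url_path):
    """Model a RewriteRule in the root .htaccess: the pattern is compared
    with the URL path relative to that directory (no leading slash)."""
    return re.search(pattern, url_path.lstrip("/")) is not None


def files_matches(pattern, url_path):
    """Model <Files ~ pattern>: only the filename is compared, so the
    directory part of the path is ignored (simplified to the basename)."""
    return re.search(pattern, posixpath.basename(url_path)) is not None


def blocked_paths(matcher, pattern):
    """Return the sample paths that the given directive would refuse."""
    return [p for p in SAMPLE_PATHS if matcher(pattern, p)]


if __name__ == "__main__":
    for label, matcher, pattern in [
        ("RewriteRule anchored", rewrite_rule_matches, REWRITE_ANCHORED),
        ("RewriteRule unanchored", rewrite_rule_matches, REWRITE_UNANCHORED),
        ("RewriteRule segment", rewrite_rule_matches, REWRITE_SEGMENT),
        ("<Files ~>", files_matches, FILES_PATTERN),
    ]:
        print(f"{label:24} {pattern:32} -> {blocked_paths(matcher, pattern)}")
```

Note that dropping the anchor entirely also refuses `/docs/notes.htaccess`, and that a subdirectory .htaccess containing its own mod_rewrite directives does not inherit the root rules unless `RewriteOptions Inherit` is set there.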



9:14 pm on Jan 15, 2004 (gmt 0)

10+ Year Member

Yes & thanks for the advice!

I decided to go the mod_rewrite method because I have other rules that rewrite [domain.com...] >> [domain.com...]

That, in conjunction with errordocument, was resulting in rewriting the path to my errordocument to the address bar. Since I'm using error.php?404 or error.php?403 etc., I thought it best just to force 403 so that the inner workings of my errordocuments stay hidden in the event that someone asks for [domain.com...]


