• Using .htaccess to restrict access to Files and Directories



    Apache's stock configuration serves everything under the Document Root, and where directory indexing (Options Indexes) is enabled, as it is in many distribution configs, a directory without an index file is listed in full. A .htaccess file lets you tighten this per directory: it is a plain-text configuration file that Apache reads and applies on every request to that directory and its sub-directories (it is read, not executed).
    If you already have a .htaccess file in your Document Root folder, back it up before making any changes; otherwise create a new one.
    The three most important security settings you should consider adding to your .htaccess file are:

    1. Deny Access to .htaccess Itself

    Add the following lines to your .htaccess file to prevent clients from downloading the .htaccess file itself. (Apache's stock httpd.conf already contains a <Files ".ht*"> block denying such files; this rule matters when that default has been removed.) The Order/Deny syntax used throughout this post is the Apache 2.2 form; Apache 2.4 honours it only when mod_access_compat is loaded, and its native equivalent of the two lines is a single Require all denied.
    # Deny access to .htaccess
    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>
    
    

    2. Disable Directory Indexing

    The following line in .htaccess disables directory indexing: a request for a directory that has no index file (index.html, index.php, ...) is answered with 403 Forbidden instead of a listing.
    # Disable directory browsing 
    Options -Indexes
    
    
    To suppress the entries in a listing without producing a 403 (the listing page is still served, but shows no files), use the IndexIgnore directive.
    # Hide the contents of directories
    IndexIgnore *
    
    
    To hide only particular file types from the listing, use
    # Hide files of type .png, .zip, .jpg, .gif and .doc from listing
    IndexIgnore *.png *.zip *.jpg *.gif *.doc
    
    

    3. Prevent access to certain files

    Even if you hide directories and files from the listing, they are still served to anyone who requests the exact path.
    To deny access to certain file extensions, use the following. The match is case-sensitive, so on a case-insensitive filesystem (Windows, default macOS) add (?i) at the start of the pattern or list the upper-case variants as well.
    # Deny access to files with extensions .ini, .psd, .log, .sh
    <FilesMatch "\.(ini|psd|log|sh)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    
    To block every file whose name starts with a dot (.htaccess, .htpasswd, .env and others), use the following. FilesMatch is tested against the file-name part of the request only, so this also catches .env in a sub-directory, but it does not block directories such as .git by name: a request for /.git/config has the file name "config".
    # Deny access to filenames starting with dot(.)
    <FilesMatch "^\.">
    Order allow,deny
    Deny from all
    </FilesMatch>
    
    
    You may also password protect files with HTTP Basic authentication, storing the credentials in a .htpasswd file. The pattern below is anchored at both ends and matches each name with or without an extension; a trailing * after the group (as in "^(execute|index|myfile|anotherfile)*$") would match an empty name or "indexindex" and never "index.php". Basic authentication sends the credentials base64-encoded, not encrypted, so only use it over HTTPS.
    # Password protect files (with or without an extension)
    <FilesMatch "^(execute|index|myfile|anotherfile)(\.[A-Za-z0-9]+)?$">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
    Require valid-user
    </FilesMatch>
    
    
    Replace <Full Server Path to .htpasswd file> with the absolute filesystem path of the password file. Create it with htpasswd -c /path/.htpasswd username (add further users without -c), and keep it outside the document root or rely on the dot-file rule above so it can never be downloaded.
    You may also place a .htaccess file inside each sub-directory with its own overrides; its rules are merged on top of those in the parent directory's file. The same access rules can be defined directly in Apache's main configuration file, httpd.conf, which is preferable where you have access to it, since .htaccess files are re-read on every request. On shared hosting, where you normally cannot edit httpd.conf, .htaccess is the only option.
    Note: Apache only honours .htaccess if the AllowOverride directive for that directory permits it. The default is AllowOverride None (since Apache 2.3.9), so on your own server you must enable it explicitly, for example AllowOverride All, or AllowOverride AuthConfig Limit Options for just the directives above; shared hosts usually have it enabled already.
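    The following is an added example, not code from the original post: one .htaccess that combines the three settings above, written in Apache 2.4 syntax (Require all denied) with an <IfModule> fallback to the 2.2 Order/Deny form so the same file works on either version. It also goes one step beyond the post with a rule for dot-directories such as .git, which a file-name match cannot catch. The directory layout, the .php extension on the protected scripts and the example.com hostname in the check commands are assumptions; the directory must have AllowOverride All (or at least AuthConfig Limit Options FileInfo) for every directive here to be honoured.

```apache
# Added example (not from the original post): hardened .htaccess for Apache 2.4
# with a fallback to the 2.2 access-control syntax.
# Assumed layout (not from the post):
#   DocumentRoot   /var/www/example.com/public    <- this file lives here
#   password file  /var/www/example.com/.htpasswd (one level ABOVE the web root)

# 1. Never serve dot-files: .htaccess, .htpasswd, .env, ...
#    <FilesMatch> is tested against the file-name part of the request only, so
#    this also catches /sub/dir/.env, but it does NOT block /.git/config (file
#    name "config") and does not interfere with /.well-known/acme-challenge/<token>.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 1b. Dot-directories need a path match instead; answer 404 for any path that
#     contains /.git or /.svn as a component (mod_alias).
<IfModule mod_alias.c>
    RedirectMatch 404 "/\.(git|svn)(/|$)"
</IfModule>

# 2. No auto-generated listings: a directory without index.html / index.php
#    now answers 403 instead of showing its contents.
Options -Indexes

# 3. Sensitive extensions are never served even when the exact path is known.
#    (?i) makes the match case-insensitive so CONFIG.INI and debug.LOG are
#    caught too; the trailing $ means "notes.log.txt" is still served.
<FilesMatch "(?i)\.(ini|psd|log|sh)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# 4. Basic authentication for a few named scripts (extension assumed .php).
#    The pattern is anchored at both ends; the post's original
#    "^(execute|index|myfile|anotherfile)*$" matches an empty name or
#    "indexindex" but never "index.php".
#    Create the password file (bcrypt, Apache 2.4.4+) with:
#      htpasswd -B -c /var/www/example.com/.htpasswd alice
#    Basic auth sends credentials base64-encoded, so serve this over HTTPS only.
#    "Require valid-user" is accepted by both 2.2 and 2.4.
<FilesMatch "^(execute|index|myfile|anotherfile)\.php$">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /var/www/example.com/.htpasswd
    Require valid-user
</FilesMatch>

# Quick check after deploying (expect 403, 403, 404 and 401 in that order):
#   curl -sI https://example.com/.htaccess    | head -1
#   curl -sI https://example.com/debug.log    | head -1
#   curl -sI https://example.com/.git/config  | head -1
#   curl -sI https://example.com/index.php    | head -1
```

    Each <IfModule> pair is evaluated per Apache version: on 2.4 mod_authz_core is present, so only Require all denied applies; on 2.2 it is absent, so the Order/Deny lines take effect. Run apachectl configtest after editing, and keep the check commands above in a deployment script so a later change to AllowOverride that silently disables the file is noticed.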
  • 1 comment:

    1. Nice article, This article help me very well. Thank you. Also please check my article on my site Know All About Htaccess Tutorial.
      In link article we will learn about How to use .htaccess? The Htaccess document is placed in a directory on the web server. When done, it will be deployed from the Apache web server when a request is made from that directory.

