How do I prevent someone from reading my .htaccess file?

Tags: html, .htaccess

I added a .htaccess file to a folder to make it password protected. I would like to prevent all users from being able to read that .htaccess file, because it reveals the location of my .htpasswd (I don't have permissions on this server to put this file outside of the html tree).

I tried the suggestions at http://www.javascriptkit.com/howto/htaccess8.shtml, but I can still read my .htaccess on a web browser. Here is my .htaccess:

AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /home/www/users/mylogin/HTML/some_hidden_dir/.htpasswd 
AuthGroupFile /dev/null 
require valid-user

<Files .htaccess>
order allow,deny
deny from all
</Files>

What am I missing?

tiho asked Sep 29 '11 01:09
1 Answer

I've always used this method in my main root HTACCESS file and it works like a charm:

<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>

More info on this method from one of my bookmarks:

http://perishablepress.com/press/2008/05/20/improve-site-security-by-protecting-htaccess-files/

Andres Ilich answered Oct 25 '22 09:10
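
An added example, not code from either poster: a small Python check that models only the filename matching of `<Files>` / `<FilesMatch>` sections and lists which sensitive names no deny-all section covers. The helper names, the sample filenames and the `^\.ht` pattern (the form Apache's stock httpd.conf uses) are additions; AllowOverride and section merging are not modelled.

```python
import fnmatch
import re

# Opening tag: <Files name>, <Files ~ "regex"> or <FilesMatch "regex">.
OPEN = re.compile(r'<\s*(Files|FilesMatch)\s+(~\s+)?"?([^">]+)"?\s*>$', re.I)
CLOSE = re.compile(r'</\s*Files(Match)?\s*>$', re.I)
DENY = re.compile(r'(deny\s+from\s+all|require\s+all\s+denied)$', re.I)


def denied_matchers(config_text):
    """Return one predicate per <Files>/<FilesMatch> section that denies everyone."""
    matchers, pending, denies = [], None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        opened = OPEN.match(line)
        if opened:
            kind, tilde = opened.group(1).lower(), opened.group(2)
            arg = opened.group(3).strip()
            if kind == "filesmatch" or tilde:
                rx = re.compile(arg)  # regex form: unanchored search, as Apache does
                pending = lambda name, rx=rx: rx.search(name) is not None
            else:  # plain form: literal name with ? and * wildcards
                pending = lambda name, pat=arg: fnmatch.fnmatchcase(name, pat)
            denies = False
        elif pending and DENY.match(line):
            denies = True
        elif pending and CLOSE.match(line):
            if denies:
                matchers.append(pending)
            pending = None
    return matchers


def still_served(config_text, filenames):
    """Filenames that no denying section matches (basename match, as <Files> does)."""
    matchers = denied_matchers(config_text)
    return [f for f in filenames if not any(m(f) for m in matchers)]


# Constructed inputs: the two blocks from this page plus a broader pattern.
QUESTION = "<Files .htaccess>\norder allow,deny\ndeny from all\n</Files>"
ANSWER = ('<Files ~ "^.*\\.([Hh][Tt][Aa])">\n order allow,deny\n'
          ' deny from all\n satisfy all\n</Files>')
BROAD = '<FilesMatch "^\\.ht">\nOrder allow,deny\nDeny from all\n</FilesMatch>'
NAMES = [".htaccess", ".htpasswd", ".htaccess.bak"]

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION), ("answer", ANSWER), ("broad", BROAD)):
        print(label, "->", still_served(cfg, NAMES))
```

Both blocks on this page leave `.htpasswd` unmatched, so after deploying a rule, request every `.ht*` file in the directory and confirm each returns 403.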