Author Topic: Basic .htaccess Security Tips  (Read 655 times)


  • Administrator
Basic .htaccess Security Tips
« on: April 12, 2015, 01:00:52 PM »

If your web host runs Apache HTTP Server to host your website, it might also allow users like you to use .htaccess files. If you are not sure whether your host allows them, check the host’s documentation or contact support. If you know you can use .htaccess, you can use it for increased security, but you also need to make sure you keep your .htaccess files secure.

According to, you should chmod your .htaccess files to 644 (user: read,write – group: read-only – world: read-only) and chmod .htpasswd files to 640 (user: read,write – group: read-only – world: access denied).

Securing your website’s files with .htaccess has some benefits. You can do it on a per-file basis or secure entire file types. For example, if you wanted to secure a PHP configuration file, you would use:

<Files config.php>
# Apache 2.2 syntax; Apache 2.4 uses: Require all denied
Order allow,deny
Deny from all
</Files>


This would give a “403 Forbidden” error to anyone who tries to access it.

To deny users access to all files of a certain type, use this format:

<Files *.pyc>
Deny from all
</Files>


This will deny access to any Python configuration files you might have in a particular web application.

Another example of .htaccess-based security is preventing directory browsing. With it disabled, a visitor to your site who enters a directory that does not have an “index.html” type file will not see the contents of that directory. Enter:

# "All" dropped: Apache 2.4 rejects mixing signed and unsigned options
Options -Indexes

While .htaccess does have some benefits for security, it is also important to know its limitations. It is only useful when running Apache configured with the “AllowOverride” directive. You cannot assume that every web host will have it configured correctly, and this is also a concern if you move from one host to another. Nevertheless, if you know it is working, it is a handy tool to use.
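
The checks described in this post can be audited offline. The following is an added example, not part of the original post: it flags .htaccess and .htpasswd files whose permissions are broader than 644 and 640, and reports which `<Files>` patterns are denied and whether directory listing is switched off. The function names and the sample file are constructed for illustration, and the check is static, so it does not prove that the host honours the file through AllowOverride.

```python
import os
import re
import stat
import tempfile

# Modes recommended in the post: .htaccess 644, .htpasswd 640.
RECOMMENDED = {".htaccess": 0o644, ".htpasswd": 0o640}
FILES_RE = re.compile(r'<Files\s+"?([^">]+)"?\s*>(.*?)</Files>', re.I | re.S)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
NOINDEX_RE = re.compile(r"^\s*Options\b.*-Indexes\b", re.I | re.M)

def audit_modes(docroot):
    """Return (path, mode) for each file granting bits beyond the recommended mode."""
    findings = []
    for dirpath, _dirs, names in os.walk(docroot):
        for name in names:
            if name in RECOMMENDED:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode & ~RECOMMENDED[name]:  # extra bits, e.g. world-writable
                    findings.append((path, mode))
    return sorted(findings)

def summarize(htaccess_text):
    """Return (patterns whose <Files> block denies everyone, listing disabled?)."""
    denied = [m.group(1).strip() for m in FILES_RE.finditer(htaccess_text)
              if DENY_RE.search(m.group(2))]
    return denied, bool(NOINDEX_RE.search(htaccess_text))

# Constructed sample input, using the directives from the post.
SAMPLE = """<Files config.php>
Order allow,deny
Deny from all
</Files>
<Files *.pyc>
Deny from all
</Files>
Options -Indexes
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # throwaway docroot
        path = os.path.join(root, ".htaccess")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o666)  # deliberately too permissive
        for found, mode in audit_modes(root):
            print(f"{found}: mode {mode:o} is broader than recommended")
        print(summarize(SAMPLE))
```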