Disable access to .htaccess

Question

Dani 1,760

15 Years Ago

What can I do to disable public downloading of my .htaccess file? I am on a Linux box. I can't chmod the file because the web browser still needs access to it, obviously. I know that there is a line I can add to it so that it gives the user a 403 Permission Denied error upon directly accessing it, but I don't remember what it is. Anyone know?

apache

6 Contributors
11 Replies
551 Views
6 Years Discussion Span
Latest Post 9 Years Ago by nileshgr

treydawg · Answer 1 · 2003-07-12T10:40:14+00:00

To prevent viewing of htaccess files use:

<Files .htaccess>
order allow,deny
deny from all
</Files>

and to prevent directory listing try:

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

Trey B.
Web Hosting Support :D

Dani 1,760 · Answer 2 · 2003-07-12T10:45:04+00:00

Hey there! Thanks! Helpful as always. :D

Dani 1,760 · Answer 3 · 2003-07-13T01:11:19+00:00

I came across a cleaner way.

RewriteRule ^\.htaccess$ - &#91;F&#93;

The [F] means to make the file forbidden.

Dani 1,760 · Answer 4 · 2003-07-13T02:30:30+00:00

Oops! Just remembered the rewrite rule (using mod_rewrite) won't work unless the rewrite engine is turned on. So the code in .htaccess has to look something like this

RewriteEngine on
RewriteRule ^\.htaccess$ - &#91;F&#93;

treydawg · Answer 5 · 2003-07-13T17:28:34+00:00

Unfortunately, all rewrite directives can be in the .htaccess except one.

RewriteEngine On must be in the httpd.conf of the server and not in the htaccess. Plus if you use rewrite there will be a performance penalty compared to just denying the file.

Just FYI, hope that helps.

Trey

Dani 1,760 · Answer 6 · 2003-07-13T19:26:18+00:00

Hey, thanks. I thought of that one because I've been dealing with .htaccess and mod_rewrite, where it is required to put RewriteEngine on into .htaccess. Check out my post about mod_rewrite and google located here: [thread]653[/thread]
:) Dani

Dani 1,760 · Answer 7 · 2003-07-13T19:26:56+00:00

BTW Yes, I've heard that mod_rewrite has a big performance hit to the cpu :(

wfwh · Answer 8 · 2005-01-05T03:17:51+00:00

Can you not chmod the file to 700? i think that still allows the file to be read :-/

YUPAPA · Answer 9 · 2005-01-10T09:54:46+00:00

Can you not chmod the file to 700? i think that still allows the file to be read :-/

Depending on the ownership of the .htaccess file, if you change permission to 0700 when the ownership of the file is owned by apache (or http, nobody, depending the user running apache), it may work ~

Otherwise, it gives you a forbidden error. :sad:

tommytomato · Answer 10 · 2009-11-27T07:20:04+00:00

Will this work for a spider search engine, I have a plugin that spiders web sites, but I cant seem to spider my own web site server which sits next to me.

here's the error message I get ( Timed out (no reply from server )

So if I disable the .htaccess file for a tick then spider my site then turn .htaccess back on, will this work.

By the way how do you turn .htaccess back on

TT

nileshgr · Answer 11 · 2009-11-27T19:22:27+00:00

This is a better one I think. It prevents .ht* from public access-

<FilesMatch "^\.ht">
Order deny,allow
Deny from All
Satisfy All
</FilesMatch>