Member Avatar

What can I do to disable public downloading of my .htaccess file? I am on a Linux box. I can't chmod the file because the web browser still needs access to it, obviously. I know that there is a line I can add to it so that it gives the user a 403 Permission Denied error upon directly accessing it, but I don't remember what it is. Anyone know?

Member Avatar

To prevent viewing of htaccess files use:

<Files .htaccess>
order allow,deny
deny from all
</Files>

and to prevent directory listing try:

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

Trey B.
Web Hosting Support :D

Member Avatar

Hey there! Thanks! Helpful as always. :D

Member Avatar

I came across a cleaner way.

RewriteRule ^\.htaccess$ - &#91;F&#93;

The [F] means to make the file forbidden.

Member Avatar

Oops! Just remembered the rewrite rule (using mod_rewrite) won't work unless the rewrite engine is turned on. So the code in .htaccess has to look something like this

RewriteEngine on
RewriteRule ^\.htaccess$ - &#91;F&#93;
Member Avatar

Unfortunately, all rewrite directives can be in the .htaccess except one.

RewriteEngine On must be in the httpd.conf of the server and not in the htaccess. Plus if you use rewrite there will be a performance penalty compared to just denying the file.

Just FYI, hope that helps.

Trey

Member Avatar

Hey, thanks. I thought of that one because I've been dealing with .htaccess and mod_rewrite, where it is required to put RewriteEngine on into .htaccess. Check out my post about mod_rewrite and google located here: [thread]653[/thread]
:) Dani

Member Avatar

BTW Yes, I've heard that mod_rewrite has a big performance hit to the cpu :(

Member Avatar

Can you not chmod the file to 700? i think that still allows the file to be read :-/

Member Avatar

Can you not chmod the file to 700? i think that still allows the file to be read :-/

Depending on the ownership of the .htaccess file, if you change permission to 0700 when the ownership of the file is owned by apache (or http, nobody, depending the user running apache), it may work ~

Otherwise, it gives you a forbidden error. :sad:

Member Avatar

Will this work for a spider search engine, I have a plugin that spiders web sites, but I cant seem to spider my own web site server which sits next to me.

here's the error message I get ( Timed out (no reply from server )

So if I disable the .htaccess file for a tick then spider my site then turn .htaccess back on, will this work.

By the way how do you turn .htaccess back on

TT

Member Avatar

nileshgr

This is a better one I think. It prevents .ht* from public access-

<FilesMatch "^\.ht">
Order deny,allow
Deny from All
Satisfy All
</FilesMatch>