We use .htaccess a lot for URL redirections and other stuff. Is this any kind of a threat for web security? What are the best practices for a .htaccess file?
+2
A:
Above all else, make sure that the .htaccess file itself can't be downloaded, by blocking web access to .ht*. This is mostly on by default, but check, and if not, use:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Dominic Rodger
2009-11-27 09:29:26
This is part of the default configuration and should not be changed.
Gumbo
2009-12-02 09:44:31
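One way to carry out the "but check" step from the answer above, as an added example that is not part of the original answers: a small Python heuristic that scans Apache configuration text and reports whether the last Files/FilesMatch section matching .htaccess and .htpasswd denies access. It goes slightly beyond the answer by also accepting the Apache 2.4 form `Require all denied`; the function name and the sample configurations are constructed for illustration.

```python
import fnmatch
import re

# <Files> takes a glob, or a regex when prefixed with "~"; <FilesMatch> always takes a regex.
SECTION = re.compile(
    r'<\s*(Files|FilesMatch)\s+(~\s*)?"?([^">]+)"?\s*>(.*?)<\s*/\s*\1\s*>',
    re.IGNORECASE | re.DOTALL)
# Denial in Apache 2.2 syntax (as in the answer) or Apache 2.4 syntax.
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)
GRANT = re.compile(r'^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$', re.I | re.M)

def audit_ht_protection(config_text, names=(".htaccess", ".htpasswd")):
    """Return {name: bool}; True when the last section matching the name denies access.

    Assumption: this only approximates Apache's section merging and treats
    Apache's PCRE patterns as Python regexes, which holds for simple patterns."""
    # Drop comment lines so a commented-out directive is not counted.
    text = "\n".join(line for line in config_text.splitlines()
                     if not line.lstrip().startswith("#"))
    result = {name: False for name in names}
    for m in SECTION.finditer(text):
        kind, tilde, pattern, body = m.group(1).lower(), m.group(2), m.group(3).strip(), m.group(4)
        is_regex = kind == "filesmatch" or bool(tilde)
        denies = bool(DENY.search(body)) and not GRANT.search(body)
        for name in names:
            hit = re.search(pattern, name) if is_regex else fnmatch.fnmatchcase(name, pattern)
            if hit:
                result[name] = denies  # a later matching section overrides an earlier one
    return result

# Constructed sample configurations.
ANSWER_BLOCK = r'''
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
'''
OVERRIDDEN = ANSWER_BLOCK + r'''
<Files ".htaccess">
Require all granted
</Files>
'''
COMMENTED_OUT = r'''
<FilesMatch "^\.ht">
# Require all denied
</FilesMatch>
'''

if __name__ == "__main__":
    for label, cfg in [("answer", ANSWER_BLOCK), ("overridden", OVERRIDDEN),
                       ("commented out", COMMENTED_OUT)]:
        print(label, audit_ht_protection(cfg))
```

A False result means no effective deny was found for that file name in the text given, so the server's own defaults should be checked before relying on it.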
A:
The actual .htaccess files don't really have any known security issues besides what people have mentioned already regarding permissions.
Having said that, I've seen situations where the mod_rewrite rules were actually protecting the web application. Their code had SQL injections that were not exploitable due to the mod_rewrite expression filtering the input.
pcp
2009-12-05 02:54:11