I have a Joomla site www.siteA.com and another Joomla site www.siteA.com/siteB.

I have a .htaccess file at siteA, but not at siteB.

Is it a security risk not to have a .htaccess file at siteB?

+7  A: 

.htaccess files are used to override settings otherwise set in the apache configuration. If you have nothing you want to change, then you don't need (and shouldn't have) an .htaccess file.

tylerl
Can .htaccess override other configuration settings than those of Apache? I remember that there are substitutes for Apache.
Masi
.htaccess is an apache-specific configuration file. However, since apache is so popular, you may find other servers that are willing to read and parse .htaccess files at least to a limited degree. There's an extension for IIS, for example, that will parse the mod_rewrite configuration in .htaccess.
tylerl
@tylerl: Thank you!
Masi
+1  A: 

Do you have access to the main server configuration files? If so, you shouldn't be using .htaccess files at all. It's a security risk not to have your server configured properly, but all that configuration should be done in the main configuration file (like /etc/apache2/httpd.conf for example).

If you don't have access to the main server configuration files, it's probably not a security risk to not have a .htaccess file. Typically whoever wrote the main server configuration file didn't leave any major security holes (well, at least we hope so). But it depends on the specifics of your website. For instance, the main server could be configured to allow directory listings when there's no index file in a directory. That could be a security risk if you have files that you don't want anyone to find by accident, but otherwise there's no harm in it.

David Zaslavsky
Your answer raised another question: Is it a security risk to keep backup folders at the same folder level as the public_html folder?
Masi
As long as the backup folders are not within the public_html folder, and as long as they're not accessible from the web, it should be fine. And if there's nothing sensitive in your backup folders, it's not such a big deal even if they are under the public_html folder.
David Zaslavsky
The point is, there are rarely any easy, generic answers when it comes to computer security. I suggest you take the time to learn about some of the basic principles of security so you can decide for yourself what is a security risk.
David Zaslavsky
@David: Thank you!
Masi
+2  A: 

The .htaccess file written for Joomla! is mainly for mod_rewrite purposes so you can get the SEF URLs without /index.php/ stuck in the middle. There are some additional rules in there to thwart attacks that occur with either misconfigured servers or poorly coded 3rd party extensions. It is not necessary to use this file to protect the core Joomla! system. This is your last line of defense rather than your first.

jlleblanc
@jlleblanc: Which are the first lines of defense in a Joomla installation?
Masi
Making sure your server configuration is secure. The `register_globals` setting should be `off`. If you have Apache as your webserver, use `mod_suphp` instead of setting folders as writable through chmod. That's where I would start.
jlleblanc
+1  A: 

.htaccess files are configuration files used to set options on a per directory level. These same options (and more) could be set from the main apache configuration (often in /usr/local/etc/apache*). If you own your server and have set up your Apache configuration properly it may actually be a gain to disable .htaccess for performance reasons.

Not properly configuring permissions is usually a security risk. How you set them is up to you. Some people prefer having .htaccess enabled so they can keep application specific settings together.

To answer your specific question about Joomla: the .htaccess file provided by default (last I checked) only does URL rewriting. This provides near-zero security benefit so not having a .htaccess file should not be a problem.

Lastly it depends on what you mean by secure (as does almost any question relating to security).

Good Person
The .htaccess file shipping with Joomla! does more than URL rewriting, but it does not add any security to the core code hosted on a properly configured server. It mainly protects against old 3rd party extensions that didn't sanitize their input properly.
jlleblanc
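Putting David Zaslavsky's directory-listing point, jlleblanc's `register_globals` advice and Good Person's suggestion to disable .htaccess when you control the main config into one place, here is an added Apache 2.4 virtual host (example config, not from the thread and not Joomla's own .htaccess; the /var/www/siteA paths, the mod_php directive and the simplified rewrite stand-in are assumptions):

```apache
# Added example: main-config equivalent of what the thread recommends,
# so neither siteA nor siteA/siteB needs a .htaccess file at all.

# Weak pattern the thread warns about (shown for contrast, do not use):
# overrides enabled everywhere and directory listings allowed, so any
# folder without an index file is browsable.
#   <Directory /var/www/siteA/public_html>
#       Options Indexes FollowSymLinks
#       AllowOverride All
#   </Directory>

<VirtualHost *:80>
    ServerName www.siteA.com
    # Assumed layout: backups live in /var/www/siteA/backups, beside public_html.
    DocumentRoot /var/www/siteA/public_html

    # Deny the whole site tree first; only blocks below open parts of it.
    # This keeps the backups folder unreachable even though it is next to public_html.
    <Directory /var/www/siteA>
        AllowOverride None
        Require all denied
    </Directory>

    # The web root. These settings are inherited by public_html/siteB too,
    # which is why the nested Joomla install needs no .htaccess of its own.
    <Directory /var/www/siteA/public_html>
        # -Indexes: no automatic listing when a directory lacks index.php/index.html.
        Options -Indexes +FollowSymLinks
        # No .htaccess is read here: Apache skips the per-request lookup, and a
        # writable web directory cannot be used to change server behaviour.
        AllowOverride None
        Require all granted

        # jlleblanc's register_globals advice, pinned from the server side
        # (mod_php directive; the setting itself was removed in PHP 5.4).
        php_admin_flag register_globals off
    </Directory>

    # Simplified stand-in for Joomla's SEF rewrite, NOT Joomla's actual rules:
    # anything that is not a real file or directory is handed to index.php.
    RewriteEngine On
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
    RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
    RewriteRule ^ /index.php [L]
</VirtualHost>
```

Check the result with `apachectl configtest` before reloading; a request for a directory without an index file should now return 403 rather than a listing, and a request to /../backups/ style paths never leaves the `Require all denied` block.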
A: 

Is it a security risk to USE an htaccess file? I uploaded an htaccess file to a public web folder at work to restrict a page to staff only, but was told that I shouldn't be using htaccess files or programming or I'll stuff up the whole website and risk security. I used the standard htaccess file I've used before at work in other areas with no problems. What did the webmaster mean when they said 'using htaccess is a security risk'?

LLL