  #1  
05-25-2009, 03:58 PM
tlwwolfseye
Join Date: Dec 2008
Location: Germany
Posts: 320
How to protect .htaccess Files ?

Hi,

how can I protect .htaccess Files, so they can't be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of achieving that, but that also doesn't work for me. Why is that ?

Wolfseye

  #2  
05-25-2009, 04:38 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

Quote:
Originally Posted by tlwwolfseye View Post
Hi,

how can I protect .htaccess Files, so they can't be browsed in a Webbrowser directly. I read on several sites about how they say it should work but when I tried those, the .htaccess file was still directly accessible. Why is that ?

For example:

Code:
<Files ~ "^.*\.([Hh][Tt][Aa])">
 order allow,deny
 deny from all
 satisfy all
</Files>
According to a couple of sites that would be a very secure way of achieving that, but that also doesn't work for me. Why is that ?

Wolfseye
Try this way

Preventing someone from viewing my .htaccess file

The .htaccess file typically resides in your root directory and can be viewed through the web browser. Most of the time there is information contained in the .htaccess file that you don't want people knowing, like the rules for allowing or denying access. One way to prevent access to the .htaccess file is to disable access to that particular filename. You can add the following lines to your .htaccess file in the root directory to deny visitors from viewing all .htaccess files contained in your website:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>

  #3  
05-25-2009, 04:46 PM
tlwwolfseye
Join Date: Dec 2008
Location: Germany
Posts: 320

That's one of the things I tried, doesn't work. I can still directly access the File in the Browser. That's why I wonder.

This is my .htaccess File, or let's say part of it. Would be too many Bans in it to post here.

Code:
php_value memory_limit 64M
php_value upload_max_filesize 50M
php_value max_execution_time 900

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://www.mydomain/hotlink.jpg [NC,R,L]

ErrorDocument 403 /error/403.html
ErrorDocument 404 /error/403.html

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files *>
Order deny,allow

# Mixed IP Ranges
deny from 203.223.32.0/20
deny from 41.200.0.0/16
deny from 59.148.209.80/30
deny from 94.247.2.0/23
deny from 194.8.74.0/23
deny from 87.118.96.0/19
deny from 87.118.64.0/18
deny from 213.155.0.0/19
deny from 212.95.32.0/19
deny from 221.120.192.0/18
deny from 94.179.136.0/21
deny from 82.81.0.0/17
deny from 84.19.176.0/20
</files>

  #4  
05-25-2009, 04:57 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

Quote:
Originally Posted by tlwwolfseye View Post
That's one of the things I tried, doesn't work. I can still directly access the File in the Browser. That's why I wonder.
Now I know this will sound silly, but are you 100% sure the .htaccess file you're editing is the only one you have and it's in the root of your server? The reason I ask is I've heard of a guy editing an .htaccess in his forum root not knowing he already had one in the server root.

You need to make sure the code is like the one shown below not like your example, I know that works 100% on my site. Failing that it may be something that you'll need to take up with your host, as something is stopping you from adding this.

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
have you already got an htaccess file ??

You can read up on htaccess files here http://httpd.apache.org/docs/1.3/howto/htaccess.html

  #5  
05-25-2009, 04:59 PM
tlwwolfseye
Join Date: Dec 2008
Location: Germany
Posts: 320

I only have the one in the Site Root. And that's the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isn't working.

Thats all.

  #6  
05-25-2009, 04:59 PM
Brandon Sheley
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678

Are you sure you can browse the .htaccess file?
I've never heard of this
what is your site url?

  #7  
05-25-2009, 05:10 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

Quote:
Originally Posted by tlwwolfseye View Post
I only have the one in the Site Root. And that's the contents of it above. htaccess files work good on my host, just that protection of the .htaccess File isn't working.

That's all.
That's well strange. There may be something in your file which conflicts with the new edit? Not 100% sure, but I would certainly enquire with your host.

Here is a nice little htaccess creator for those of you that don't want to spend hours editing code http://www.htaccesseditor.com/en.shtml#a_fileList

let us know how you got on tlwwolfseye, I'll keep searching for you

  #8  
05-25-2009, 05:11 PM
Brandon Sheley
Join Date: Mar 2005
Location: Google Kansas
Posts: 4,678

As I said in the PM, I would contact your host and ask them.
The htaccess file isn't generally viewable via the web.

  #9  
05-25-2009, 05:13 PM
UKBusinessLive
Join Date: Sep 2008
Location: Essex, United Kingdom
Posts: 1,637

Quote:
Originally Posted by Loco.M View Post
As I said in the PM, I would contact your host and ask them.
The htaccess file isn't generally viewable via the web.
When a visitor tries to obtain access to your .htaccess or .htpasswd file, the server automatically generates a 403 forbidden error, even with the file permissions at their default settings.

However, you can apply a bit more security to your .htaccess files by adding the following code:

Code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Contacting the host provider is the best solution as Loco says.

Another thing which people forget to do is when they write a .htaccess file they save it as htaccess.txt and then you need to upload this to your root. When it's there you need to rename it to .htaccess, removing the .txt extension. I think the reason you can view your htaccess file is perhaps you still have the .txt or some other extension still attached.

  #10  
05-25-2009, 06:07 PM
tlwwolfseye
Join Date: Dec 2008
Location: Germany
Posts: 320

No, it is as it should be. .htaccess, no other extension. That's why I wonder. And like I said, the other things in my .htaccess file work fine, just not the preventing to browse that file. But I will check with my hoster later.

Thanks.

Wolfseye
Reply With Quote
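
Added example (not part of any post in this thread, and not Apache's own code): a simplified Python model of how Order/Allow/Deny are applied when several <Files> sections in one .htaccess match the same file. Apache's host-access module does not merge such sections, so the last matching section replaces the earlier ones; in the file from post #3 the <Files *> ban list comes after the <Files .htaccess> block and matches .htaccess too. The sample input is constructed from that layout, and the model assumes only "all" and CIDR/IP specs.

```python
import fnmatch
import ipaddress
import re

# <Files name>, <Files "name"> or <Files ~ "regex">, closed by </Files> (any case).
SECTION = re.compile(r'<Files\s+(~\s*)?"?([^">]+)"?\s*>(.*?)</Files>', re.I | re.S)

def parse_sections(text):
    """Return (matcher, order, allow, deny) for each <Files> section, in file order."""
    sections = []
    for tilde, pattern, body in SECTION.findall(text):
        order, allow, deny = "deny,allow", [], []        # Apache's default Order
        for line in body.splitlines():
            words = line.split("#")[0].lower().split()
            if words[:1] == ["order"] and len(words) > 1:
                order = words[1]
            elif words[:2] in (["allow", "from"], ["deny", "from"]):
                (allow if words[0] == "allow" else deny).extend(words[2:])
        if tilde:                                        # regex form of <Files>
            rx = re.compile(pattern.strip())
            matcher = lambda name, rx=rx: rx.search(name) is not None
        else:                                            # plain name or wildcard
            matcher = lambda name, p=pattern.strip(): fnmatch.fnmatchcase(name, p)
        sections.append((matcher, order, allow, deny))
    return sections

def _hit(specs, ip):
    """True if ip is covered by 'all' or by one of the CIDR/IP specs."""
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False) for s in specs)

def is_served(htaccess_text, filename, client_ip):
    """True if the rules that end up applying to filename admit client_ip."""
    matching = [s for s in parse_sections(htaccess_text) if s[0](filename)]
    if not matching:
        return True                                      # no host-based rule applies
    _, order, allow, deny = matching[-1]                 # last match replaces earlier ones
    ip = ipaddress.ip_address(client_ip)
    if order in ("allow,deny", "mutual-failure"):        # default deny, Deny beats Allow
        return _hit(allow, ip) and not _hit(deny, ip)
    return _hit(allow, ip) or not _hit(deny, ip)         # deny,allow: default allow

# Constructed input: the two sections of post #3, ban list cut to one range.
GUARD = "<Files .htaccess>\norder allow,deny\ndeny from all\n</Files>\n"
BANS = "<Files *>\nOrder deny,allow\ndeny from 41.200.0.0/16\n</Files>\n"
AS_POSTED = GUARD + BANS      # guard first, then the catch-all ban list
REORDERED = BANS + GUARD      # catch-all first, guard last

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(label, "-> .htaccess served to 192.0.2.10:",
              is_served(text, ".htaccess", "192.0.2.10"))
```

With the guard section placed last it is the final match for .htaccess, so the request is refused, while every other file still gets the ban-list rules.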