A .htaccess file is a simple ASCII file, similar to one created in a text editor such as Notepad or SimpleText. Most people are confused by the naming convention for the file. The file is not called something.htaccess or somepage.htaccess; the name .htaccess is, in effect, a file extension with no name in front of it. Its widely known uses are implementing custom error pages and password-protected directories.

Creating the File

The file is created by opening a text editor and saving an empty page as .htaccess. If the editor does not allow an empty page to be saved, simply type in one character. An editor will probably append its default file extension to the name. Notepad, for one, would call the file .htaccess.txt, but the .txt or other file extension needs to be removed before the user can start "htaccessing". This can be done by clicking the file and renaming it, removing anything that does not say .htaccess. It can also be renamed via telnet or the FTP program.

These files must not be uploaded in binary mode but in ASCII mode. Users can chmod the .htaccess file to 644 to make the file usable by the server while preventing it from being read by a browser, since a browser-readable .htaccess file can seriously compromise security. When there are password-protected directories and a browser can read the .htaccess file, the location of the authentication file can be acquired, the list reverse engineered, and thereby any portion that had previously been protected can be accessed. This can be prevented either by placing all authentication files above the root directory, where the www is inaccessible, or through a series of .htaccess commands that prevent the file itself from being accessed by a browser.

Most commands in .htaccess are meant to be placed on one line only, so if a text editor uses word wrap, it should be disabled: word wrap may throw in a few characters that contradict what Apache expects. .htaccess is not for NT servers and is considered an Apache thing. Apache is generally very tolerant of malformed content in an .htaccess file.

The directory in which the .htaccess file is placed is "affected", as are all of its sub-directories. If a user does not want certain .htaccess commands to affect a specific directory, a new .htaccess file is placed within the directory that should not be affected, and the specific command or commands that should not affect that directory are left out of the new file. The .htaccess file nearest to the current directory is the one that applies. A global .htaccess located in the root, if it is the nearest, affects every single directory in the entire site.

.htaccess files should not be placed indiscriminately, as this may result in redundancy and may cause an infinite loop of redirects or errors. Some sites do not allow the use of .htaccess files because a server loaded with many domains can be slowed down when all of them use .htaccess files. It is also possible for .htaccess to compromise a server configuration specifically set up by the administrator. It is therefore necessary to make sure that the use of .htaccess is allowed before actually using it.

Error documents are only one part of the general use of .htaccess. Specifying one's own customized error documents requires a command within the .htaccess file. The pages can be named anything and placed anywhere within the site, as long as they are web-accessible through a URL. The best names are those that keep the user from forgetting what each page is used for.

Password protection is handled effectively by .htaccess. A file called .htpasswd is created, and the usernames and encrypted passwords of the people to be allowed access are placed in it. For maximum security, the .htpasswd file should likewise not be uploaded to a directory that is web accessible.

Whole directories of a site can be redirected using the .htaccess file without the need to specify each file. Any request made for the old site is then redirected to the new site, with the extra information in the URL added on. This is a very powerful feature when used correctly.

Aside from custom error pages, password-protected folders and automatic redirection of users, .htaccess is also capable of changing file extensions, banning users with certain IP addresses or allowing only users with certain IP addresses, stopping directory listings, and using a different file as the index file. Accessing a site that has been protected by .htaccess causes the browser to pop up a standard username/password dialog box. However, there are certain scripts available that allow the user to embed a username/password box in a web page to do the authentication. The wide variety of uses of .htaccess offers time-saving options and increased security for a website.

Many hosts support .htaccess but do not publicize it, while many others have the capability but do not allow their users to have an .htaccess file. Generally, a server that runs UNIX or any version of the Apache web server will support .htaccess, although the host may not allow its use.

When to Use .htaccess Files

The .htaccess files should not be used when there is no access to the main server configuration file. Contrary to common belief, user authentication is not always done in .htaccess files. The preferred way is to put the user authentication configuration in the main server configuration.

It should be used in situations where the content provider needs to make configuration changes to the server on a per-directory basis but does not have root access on the server system. Individual users can be permitted to make these changes in .htaccess files for themselves if the server administrator is unwilling to make frequent configuration changes. As a general rule, the use of .htaccess should be avoided when possible, since the same configuration can be made effectively in a Directory section of the main server configuration file.

Two main factors warrant avoiding the use of .htaccess files: performance and security. Permitting .htaccess files causes a performance hit whether or not one is actually used, since Apache will look in every directory for such a file. The .htaccess file is also read every time a document is requested. Apache also looks for .htaccess files in all higher-level directories so that the full set of applicable directives is known. As a result, each file accessed out of that directory results in 4 additional file system accesses, even if no .htaccess file is present.

The use of .htaccess permits users to modify the server configuration, which may produce uncontrolled changes. This privilege should be carefully considered before it is given to users. The use of .htaccess files can be completely disabled by setting the AllowOverride directive to None.
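As an added example, not taken from the original article, the following .htaccess file exercises the uses described above (custom error pages, password protection with .htpasswd kept outside the web root, banning an IP address, refusing to serve the .ht* files, no directory listing, a different index file, a whole-directory redirect), followed by the Directory-section form in the main configuration that the text recommends, with AllowOverride None. It assumes Apache 2.4 syntax, a host whose AllowOverride setting permits these directives, and placeholder paths, hostnames and addresses.

```apache
# ---- .htaccess (placed in the protected directory) ----
# Custom error pages; the names say what each page is for
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/not-found.html

# Password protection. The .htpasswd file is kept ABOVE the web root
# (placeholder path) so a browser can never fetch it. Create it with:
#   htpasswd -c /home/example/private/.htpasswd alice
AuthType Basic
AuthName "Members only"
AuthUserFile /home/example/private/.htpasswd

# Allow authenticated users only, and ban one address (placeholder)
# even if its owner knows a valid password
<RequireAll>
    Require valid-user
    Require not ip 198.51.100.7
</RequireAll>

# Refuse to serve .htaccess/.htpasswd if a copy ever lands in a
# web-accessible directory
<Files ".ht*">
    Require all denied
</Files>

# No directory listings; serve a different index file
Options -Indexes
DirectoryIndex welcome.html

# Redirect a whole old section; the rest of the requested path is
# appended to the target, so /old-site/a/b.html -> /new-site/a/b.html
Redirect permanent /old-site https://www.example.com/new-site

# ---- httpd.conf (main server configuration) ----
# The preferred form: the same policy in a Directory section, with
# .htaccess processing switched off so Apache stops looking for the
# file in this directory and every directory above it on each request.
<Directory "/var/www/html/members">
    AllowOverride None
    Options -Indexes
    DirectoryIndex welcome.html
    AuthType Basic
    AuthName "Members only"
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</Directory>
```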