How to protect a directory via a .htaccess file

In order to securely protect your directory via a .htaccess file on your domain, please make sure that you adhere to the following best practices:

  • If you are using an access control directive within a <Limit> section to limit access on specific HTTP methods (e.g. GET, POST), it is recommended to remove the <Limit> section or to replace it with a <LimitExcept> section.
  • A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, because a <LimitExcept> section provides protection against arbitrary HTTP methods.

The following example of a non-secure configuration applies the access control only to the methods POST, PUT, and DELETE, which leaves all other HTTP methods unprotected:

    <Limit POST PUT DELETE>
        Require valid-user
    </Limit>

The following is an example of a secure configuration where the access control is applied to all HTTP methods except for POST, PUT, and DELETE. This protects against attacks on all other HTTP methods:

    <LimitExcept POST PUT DELETE>
        Require valid-user
    </LimitExcept>
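
To check existing .htaccess files for the non-secure pattern described above, the following audit script reports every access control directive that sits inside a <Limit> section. It is an added example, not part of the original article; the function name audit_htaccess, the directive list and the sample file contents (including the /path/to/.htpasswd placeholder) are assumptions made for illustration.

```python
import re

# Directives that grant or restrict access (mod_authz_core plus legacy mod_access_compat).
ACCESS_DIRECTIVES = {"require", "allow", "deny", "order", "satisfy"}
OPEN_RE = re.compile(r"^<\s*(Limit|LimitExcept)\b([^>]*)>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</\s*(Limit|LimitExcept)\s*>$", re.IGNORECASE)


def audit_htaccess(text):
    """Return findings for access control placed inside <Limit> sections.

    Each finding is (line_number, methods, directive_line). Access control inside
    <LimitExcept>, or outside any method section, is not reported.
    """
    findings = []
    section = None  # (kind, methods) of the section currently open, if any
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            section = (opened.group(1).lower(), opened.group(2).split())
            continue
        if CLOSE_RE.match(line):
            section = None
            continue
        directive = line.split()[0].lower()
        if section and section[0] == "limit" and directive in ACCESS_DIRECTIVES:
            findings.append((number, section[1], line))
    return findings


# Constructed sample inputs, modelled on the two configurations described above.
INSECURE = """AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
<Limit POST PUT DELETE>
    Require valid-user
</Limit>
"""
SECURE = INSECURE.replace("<Limit ", "<LimitExcept ").replace("</Limit>", "</LimitExcept>")

if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE), ("secure", SECURE)):
        print(label, audit_htaccess(sample))
```

Each finding names the methods listed in the <Limit> section; every method not in that list is served without the access control.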

For more information, kindly visit the following link to the official Apache documentation:
