How to protect a directory via a .htaccess file

In order to securely protect your directory via a .htaccess file on your domain, please make sure that you adhere to the following best practices:

  • If you are using an access control directive within a <Limit> section to limit access on specific HTTP methods (e.g. GET, POST), it is recommended to remove the <limit> section or to replace it with a <LimitExcept> section.
  • A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, because a <LimitExcept> section provides protection against arbitrary HTTP methods.

The following example of a non-secure configuration applies the access control only to the methods POST, PUT, and DELETE, which leaves all other HTTP methods unprotected:

<Limit POST PUT DELETE>
Require valid-user
</Limit>

The following is an example of a secure configuration where the access control is applied to all HTTP methods except for POST, PUT, and DELETE. This protects against attacks on all other HTTP methods:

<LimitExcept POST PUT DELETE>
Require valid-user
</Limit>

For more information, kindly visit the following link to the official Apache documentation:

http://httpd.apache.org/docs/2.2/mod/core.html#limit

Do you need further assistance? Contact us
Email
Share