How to protect a directory via a .htaccess file
In order to securely protect your directory via a .htaccess file on your domain, please make sure that you adhere to the following best practices:
- If you use an access control directive (such as Require) inside a <Limit> section to restrict only specific HTTP methods (e.g. GET, POST), remove the <Limit> section or replace it with a <LimitExcept> section.
- A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access, because <LimitExcept> applies the restriction to every method not listed, which protects against arbitrary or non-standard HTTP methods that a <Limit> section would leave uncovered.
The following example of a non-secure configuration applies the access control only to the methods POST, PUT, and DELETE, which leaves all other HTTP methods unprotected:
<Limit POST PUT DELETE>
    Require valid-user
</Limit>
The following is an example of a secure configuration where the access control is applied to all HTTP methods except for POST, PUT, and DELETE. This protects against attacks on all other HTTP methods:
<LimitExcept POST PUT DELETE>
    Require valid-user
</LimitExcept>
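The following is an added, complete .htaccess example (it is not part of the original article) showing the <LimitExcept> pattern together with the authentication directives it depends on. It assumes Apache 2.4 Require syntax and a password file created with htpasswd; the AuthUserFile path is a placeholder. In this variant read-only access stays public while every other method requires credentials:

```apacheconf
# Added example, not from the original article.
# Basic authentication backed by a password file kept outside the web root.
# Placeholder path: create the file with
#   htpasswd -c /placeholder/path/.htpasswd username
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/placeholder/path/.htpasswd"

# Anonymous read-only access (GET, HEAD) is allowed; every other method,
# including arbitrary or non-standard method names, must present valid
# credentials. A <Limit POST PUT DELETE> section would only cover those
# three methods and leave everything else open.
<LimitExcept GET HEAD>
    Require valid-user
</LimitExcept>
```

If no method should be reachable without credentials, drop the <LimitExcept> section entirely and leave Require valid-user at the top level of the file: a Require directive outside any <Limit> or <LimitExcept> section applies to all methods. The server's <Directory> configuration must also grant AllowOverride AuthConfig (and Limit) for the directory, otherwise the .htaccess directives are ignored; a quick check is to request the directory with an unauthenticated client and confirm a 401 response.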
For more information, kindly visit the following link to the official Apache documentation: