Tutorial -:- Prevent viewing of .htaccess file -

If you use htaccess for password protection, then the location containing all of your password information is plainly available through the htaccess file.

Note: On most webservers viewing of the .htaccess and .htpasswd files are prohibited by default.

If you have set incorrect permissions or if your server is not as secure as it could be, a browser has the potential to view an htaccess file through a standard web interface and thus compromise your site/server. This, of course, would be a bad thing.
However, it is possible to prevent an htaccess file from being viewed in this manner:

<Files .htaccess>
order allow,deny
deny from all
</Files>

The first line specifies that the file named .htaccess is having this rule applied to it. You could use this for other purposes as well if you get creative enough.

If you use this in your htaccess file, a person trying to see that file would get returned (under most server configurations) a 403 error code.

You can and should also set permissions for your htaccess file via CHMOD, which would also prevent this from happening, as an added measure of security: 644 or RW-R--R--

We will be covering CHMOD in another tutorial coming soon.

And on we go....

• 1   Introduction
• 2   Error Documents
• 3   Default directory page
• 4   Redirects
• 5   Enabling SSI via htaccess
• 6   Adding MIME types
• 7   Password protecting directories
• 8   Deny users by IP address
• 9   Prevent viewing of htaccess
• 10 Prevent directory listing
• 11 Prevent hot linking of your images