Htaccess – Secure your website

Htaccess (Hypertext Access) files are per-directory configuration files read by the Apache HTTP Server. They control the configuration of the directory in which your website resides (and of its subdirectories), and because Apache re-reads them on every request you can change security settings without touching the main server configuration or restarting the server. Note that a directive only takes effect if the host has permitted it with AllowOverride in the main configuration.
Almost every hosting provider supports .htaccess. One simple way to test whether your host does is to check whether its control panel offers password protection for folders, which is implemented with .htaccess. You can also create your own .htaccess file and upload it to the directory you want to configure, then apply a few of the rules below. If a directive is not permitted by the host's AllowOverride setting, requests to that directory return a 500 Internal Server Error, which tells you quickly that the rule is not allowed there.
The name .htaccess is, in effect, an extension with no base name: it begins with a dot, so it is a hidden file on Unix-like systems, and some operating systems and FTP clients make such a file awkward to create or find. In that case upload it under a temporary name and rename it on the server afterwards.
The various uses of the .htaccess file are as follows:
  1. Password protecting directories.
  2. Allowing or disallowing access from certain IP addresses.
  3. Redirecting users to other URLs.
  4. Configuring custom error pages.
  5. Stopping directory listing.
  6. Using different files as index files.
  7. Adding additional MIME types.
  8. URL rewriting (the best feature).
  9. Protecting your .htaccess file.

1. Password protecting directories.
Every file and subdirectory below the protected directory is covered. Note that .htaccess directives are processed from top to bottom. Note also that Basic authentication sends the username and password base64-encoded, not encrypted, so serve a protected directory over HTTPS or anyone on the network path can read the credentials.
# Name shown in the browser's login prompt
AuthName "Directory Name"
AuthType Basic
# Absolute path to the file storing usernames and password hashes
AuthUserFile /path/.htpasswd
Require valid-user
Whenever possible, keep the password file outside the public web root so that it cannot be requested by URL at all.
Each line of the .htpasswd file holds one username and the hash of that user's password, separated by ":":
myuser:<hash of mypassword>
Never write the password itself. On Unix-like systems Apache does not accept a plaintext entry (the login simply fails), and on the platforms that do accept one (Windows and Netware) everybody who can read the file has every password. Generate the line with Apache's htpasswd utility instead, for example htpasswd -B -c /path/.htpasswd myuser, which prompts for the password and writes a bcrypt hash (-B). Leave out -c when adding a user to an existing file, because -c creates the file and overwrites whatever was there.
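The point above, that the second field of an .htpasswd entry must be a hash and not the password, can be checked mechanically. The following is an added example for this section, not code from the article or from Apache: it parses an .htpasswd file and classifies each entry by the hash formats Apache's htpasswd utility can write. The sample file is constructed; its bcrypt and apr1 lines are structure-only stand-ins (no real hash repeats one character), while the {SHA} line is computed for real so the format can be seen.

```python
"""Audit a .htpasswd file for entries that are not password hashes.

Added example for the article's section 1; not taken from the article or from
Apache. The sample file below is constructed: the bcrypt and apr1 lines are
structure-only stand-ins, the {SHA} line is genuinely computed.
"""
import base64
import hashlib
import re

# Hash formats Apache's htpasswd can write. Plaintext (no prefix at all) is only
# honoured on Windows and Netware; on Unix-like systems such an entry never matches,
# and anywhere it hands the password to whoever can read the file.
FORMATS = (
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),           "ok"),    # htpasswd -B
    ("apr1-md5", re.compile(r"^\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}$"), "ok"),    # htpasswd -m (default)
    ("sha1",     re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$"),                      "weak"),  # htpasswd -s, unsalted
    ("crypt",    re.compile(r"^[./A-Za-z0-9]{13}$"),                              "weak"),  # htpasswd -d, 8-char limit
)


def classify(password_field: str):
    """Return (format name, verdict) for the part of an entry after the colon.

    A 13-character plaintext password drawn only from crypt's alphabet cannot be
    told apart from a crypt hash; that ambiguity is inherent to the file format.
    """
    for name, pattern, verdict in FORMATS:
        if pattern.match(password_field):
            return name, verdict
    return "plaintext", "bad"


def audit_htpasswd(text: str):
    """Return one (line number, user, format, verdict) tuple per entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password_field = line.partition(":")
        if not sep or not user:
            findings.append((lineno, None, "malformed", "bad"))
            continue
        findings.append((lineno, user) + classify(password_field))
    return findings


def sha1_entry(user: str, password: str) -> str:
    """Build the {SHA} form Apache accepts: base64 of the raw SHA-1 digest.
    Shown so the format can be recognised; it is unsalted and not for new files."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


# Constructed sample .htpasswd; the first entry is the article's plaintext example.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample, not taken from any real system",
    "myuser:mypassword",
    "alice:$2y$05$" + "A" * 53,          # bcrypt-shaped stand-in, not a real hash
    "bob:$apr1$c8m6kVWZ$" + "B" * 22,    # apr1-shaped stand-in, not a real hash
    sha1_entry("carol", "s3cret"),       # a genuine {SHA} entry, computed above
])


def verdicts(text: str = SAMPLE_HTPASSWD) -> dict:
    """Map each user in the file to the verdict on their entry."""
    return {user: verdict for _, user, _, verdict in audit_htpasswd(text) if user}


if __name__ == "__main__":
    for lineno, user, fmt, verdict in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"line {lineno}: {user!s:8} {fmt:10} {verdict}")
```

Run it against your own file with audit_htpasswd(open(path).read()); any entry reported as "plaintext" or "weak" should be regenerated with htpasswd -B.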

2. Allowing or Disallowing Access from Certain IP Addresses
To restrict a directory to particular client addresses, add the following directives to the .htaccess file. Do not wrap them in a <Limit> block: <Limit GET POST PUT> applies the rules only to the methods listed, so a request that uses any other method (OPTIONS, DELETE, or a made-up method name) is not restricted at all. Access control must apply to every method.
# deny all except 10.10.10.10; a CIDR range such as 10.10.10.0/24 is also accepted
order deny,allow
deny from all
allow from 10.10.10.10
# the argument is a host name or domain suffix, not a regular expression; host
# rules cost a reverse DNS lookup on every request, so prefer addresses
allow from abc.com
With order deny,allow the deny lines are evaluated first and a matching allow line overrides them, which is what lets 10.10.10.10 through. Reversing it to order allow,deny with the same two lines locks everyone out, 10.10.10.10 included, because deny from all is then evaluated last and wins. On Apache 2.4 the same policy is written as Require ip 10.10.10.10; Order, Allow and Deny are only available there through the mod_access_compat module.
3. Redirecting URLs
Use the following directive to redirect one directory to another, or one page to another. Redirect answers with a 302 (temporary) status by default; write Redirect permanent instead when the move is final, so that browsers and search engines update their records. Anything after the matched prefix is appended to the target, so /currentdir/page.html becomes http://www.new.com/newdir/page.html.
# Redirect from the current URL, eg. http://www.current.com/currentdir, to http://www.new.com/newdir
Redirect /currentdir http://www.new.com/newdir

4. Handling Errors Using Custom Error Pages

For example, for a 404 Page Not Found error, write:
ErrorDocument 404 /pagenotfound.html
Give a local path, as here. If the argument is a full URL, Apache sends the client a redirect to that URL instead of the 404 status, so the real error code never reaches the browser or the crawler.
5. Stop Directory Listing

When a directory has no index file, Apache (with mod_autoindex) lists every file in it, including backups, configuration files and uploads you never meant to publish. To disable the listing, use the following directive:
Options -Indexes
Requests for such a directory then return 403 Forbidden instead of a file list. If the host does not permit Options in .htaccess you will get a 500 error; in that case ask the host to turn indexes off in the server configuration.
6. Using a Different File as the Index File
DirectoryIndex lists the files Apache looks for, in order, when a directory is requested; the first one that exists is served:
DirectoryIndex my.php index.php pictures.pl index.html default.htm
7. Adding Additional MIME Types
Some hosts are not set up to send the correct Content-Type for file types such as mp3 or swf files. This is easily fixed with AddType:
# define MIME types for file extensions
AddType application/x-shockwave-flash .swf
AddType application/octet-stream .mp3
application/octet-stream tells the browser to download the file rather than play it; use audio/mpeg for .mp3 if it should play in the browser. Declaring an accurate type for everything you serve also matters for security: a browser that gets a vague or missing type may guess (sniff) the content type, which is how a file uploaded as an image can end up interpreted as HTML.
8. URL Rewriting
SEO experts always suggest putting the main keyword in the URL. Rewrite rules let you present SEO-friendly URLs while leaving the real script names unchanged.

If you have a dynamic page called /category_mobile.php that takes a numeric variable called id, in the form /category_mobile.php?id=2, you can use .htaccess to offer a friendlier URL such as /category-mobile/2.

To accomplish this, use:
RewriteEngine on
RewriteRule ^/?category-mobile/([0-9]+)$ /category_mobile.php?id=$1 [L]
The pattern is anchored at both ends and accepts only digits for the id, so a request such as /category-mobile/2abc is not rewritten (and will 404); anything other than a number is kept out of the id parameter before PHP ever sees it. The leading /? is needed because in a per-directory .htaccess mod_rewrite matches the path relative to that directory, without its leading slash. $1 is the text captured by the first group, and [L] stops rule processing once this rule has matched. Many other neat tricks, such as browser sniffing, saving bandwidth, forcing caching and "magic" URLs, are also possible with .htaccess.
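To see exactly which requests the rule above rewrites and which it refuses, here is an added example (not from the article, and it does not run Apache) that models mod_rewrite's per-directory matching in Python: the article's rule, pointing at the /category_mobile.php script it names, next to a deliberately loosened variant whose capture group is .* instead of [0-9]+. The request paths are constructed.

```python
"""Model of how mod_rewrite applies the article's RewriteRule to request paths.

Added example for section 8; not part of the article and not Apache code. The
first rule is the article's; the loose variant and the request paths are constructed.
"""
import re

# (pattern, substitution), as written after "RewriteRule" in the .htaccess. In a
# per-directory context mod_rewrite matches the path relative to that directory,
# without the leading slash, which is why the pattern starts with ^/? and not ^/.
ARTICLE_RULES = [
    (r"^/?category-mobile/([0-9]+)$", "/category_mobile.php?id=$1"),
]

# Same URL shape, but the id is no longer restricted to digits.
LOOSE_RULES = [
    (r"^/?category-mobile/(.*)$", "/category_mobile.php?id=$1"),
]


def rewrite(path: str, rules=ARTICLE_RULES) -> str:
    """Return the path a request for `path` is rewritten to, or `path` itself when
    no rule matches. $N in the substitution is replaced by capture group N, as in
    mod_rewrite, and the first matching rule wins (the [L] flag)."""
    subject = path.lstrip("/")  # per-directory context: leading slash is stripped
    for pattern, substitution in rules:
        match = re.search(pattern, subject)  # rule patterns are unanchored searches
        if match:
            return re.sub(r"\$(\d)",
                          lambda ref: match.group(int(ref.group(1))) or "",
                          substitution)
    return path


def demo() -> dict:
    """Rewrite a few constructed request paths under both rule sets."""
    requests = ["/category-mobile/2", "/category-mobile/2abc", "/category-mobile/", "/about.html"]
    return {
        "article": {p: rewrite(p, ARTICLE_RULES) for p in requests},
        "loose": {p: rewrite(p, LOOSE_RULES) for p in requests},
    }


if __name__ == "__main__":
    for ruleset, results in demo().items():
        print(ruleset)
        for request, target in results.items():
            print(f"  {request} -> {target}" if target != request else f"  {request} (no rule matched)")
```

Under the article's rule only /category-mobile/2 is rewritten; /category-mobile/2abc and /category-mobile/ fall through untouched. Under the loose rule both of them reach the script, the second with an empty id, which is why the character class in the pattern is doing real validation work.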

9. Protecting your .htaccess file
If an attacker can write to your .htaccess file, for example through a vulnerable upload script or a stolen FTP password, they can insert rules that redirect your visitors to another website or change what the server does with every request. Two measures help:
1. Add the following to your .htaccess file so that the file itself can never be downloaded. Apache's stock configuration already contains an equivalent rule for every file whose name begins with .ht, but restating it does no harm:
# Protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
With order allow,deny access is denied unless an allow line matches, and deny from all makes that explicit for every client.

2. Set the .htaccess file permissions to 644 (owner read and write, everyone else read only) and make sure the file is owned by your account rather than by the user the web server runs as, so that a bug in a web application running under that user cannot rewrite it. Treat the .htpasswd file the same way: the web server must be able to read it, nobody else needs to.
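The Order, Allow and Deny directives used in section 2 and again in the <Files> block above follow evaluation rules that are easy to get backwards, and wrapping them in <Limit> changes which requests they cover at all. The following added example (not from the article, and not Apache code) models Apache's host access control in Python and evaluates both of the article's snippets against constructed client addresses and request methods, including the case where the same allow and deny lines are used under the other Order. Only "all", single addresses and CIDR ranges are modelled; host-name arguments need reverse DNS and are left out.

```python
"""Model of Apache 2.2-style host access control: Order, Allow from, Deny from,
and the effect of putting them inside a <Limit> block.

Added example covering the article's section 2 (IP allow-list) and section 9
(<Files .htaccess>) snippets; not from the article and not Apache code. The client
addresses and request methods are constructed.
"""
import ipaddress


def _covers(argument: str, client_ip: str) -> bool:
    """True when an Allow from / Deny from argument matches client_ip."""
    if argument.lower() == "all":
        return True
    try:
        network = ipaddress.ip_network(argument, strict=False)
    except ValueError:
        return False  # a host name or domain suffix: not modelled here
    return ipaddress.ip_address(client_ip) in network


def host_access(order: str, allow, deny, client_ip: str, method: str = "GET", limit=None) -> bool:
    """Decide whether client_ip may use `method` on the resource.

    order : the Order directive, "deny,allow" or "allow,deny"
    allow : list of Allow from arguments; deny: list of Deny from arguments
    limit : methods named in a surrounding <Limit ...>, or None when the
            directives are not wrapped (a Limit on GET also covers HEAD)
    """
    if limit is not None:
        covered = {m.upper() for m in limit}
        if "GET" in covered:
            covered.add("HEAD")
        if method.upper() not in covered:
            # Directives inside <Limit> only apply to the listed methods, so a
            # request with any other method is not subject to them at all.
            return True
    allowed = any(_covers(a, client_ip) for a in allow)
    denied = any(_covers(d, client_ip) for d in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        # Deny evaluated first, Allow overrides; default when nothing matches: allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow evaluated first, Deny overrides; default when nothing matches: deny.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order!r}")


# Section 2 as written: order deny,allow / deny from all / allow from 10.10.10.10
SECTION2 = dict(order="deny,allow", allow=["10.10.10.10"], deny=["all"])
SECTION2_LIMIT = ["GET", "POST", "PUT"]
# Section 9: <Files .htaccess> order allow,deny / deny from all
SECTION9 = dict(order="allow,deny", allow=[], deny=["all"])


def demo() -> dict:
    """Evaluate both snippets against constructed clients (addresses from RFC 5737 space)."""
    return {
        # the listed address and a stranger, sending GET inside <Limit GET POST PUT>
        "s2_listed_get": host_access(**SECTION2, client_ip="10.10.10.10", limit=SECTION2_LIMIT),
        "s2_stranger_get": host_access(**SECTION2, client_ip="192.0.2.5", limit=SECTION2_LIMIT),
        # the stranger again, with a method the <Limit> does not name
        "s2_stranger_delete_limited": host_access(**SECTION2, client_ip="192.0.2.5",
                                                  method="DELETE", limit=SECTION2_LIMIT),
        # the same rules without the <Limit> wrapper: every method is restricted
        "s2_stranger_delete_unwrapped": host_access(**SECTION2, client_ip="192.0.2.5", method="DELETE"),
        # HEAD is covered whenever GET is, so it does not slip through
        "s2_stranger_head_limited": host_access(**SECTION2, client_ip="192.0.2.5",
                                                method="HEAD", limit=SECTION2_LIMIT),
        # the same Allow/Deny lines under the other Order lock out the listed address too
        "s2_order_swapped": host_access("allow,deny", ["10.10.10.10"], ["all"], "10.10.10.10"),
        # a CIDR range admits the whole subnet
        "s2_cidr": host_access("deny,allow", ["10.10.10.0/24"], ["all"], "10.10.10.200"),
        # nobody can fetch .htaccess
        "s9_htaccess": host_access(**SECTION9, client_ip="10.10.10.10"),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:30} {'allowed' if granted else 'denied'}")
```

The two results worth remembering are s2_stranger_delete_limited, where an unlisted method walks straight past the <Limit> block, and s2_order_swapped, where a copy-and-paste of the same allow and deny lines under order allow,deny denies the very address you meant to let in.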
