website guardian Website GUARDIAN

What are htaccess files?


Published: November 16, 2012
Author: Anna Agnew

The main reason for which .htaccess (hypertext access) files were created, and the original purpose for its creation, is to allow password protection per-directory of resources. This configuration file is used to indicate who is allowed access to the contents of a specific file directory from the Internet or and intranet.

.htaccess files affect the directory (and sub-directories) they are placed in and IS the file extension NOT file.htaccess or somepage.htaccess - it is simply named .htaccess. For historical reasons, you will see that the .htaccess format is basically the same as the Apache web server's global configuration file.

Although the main purpose is for password protection of directories (e.g. requiring a password to access content), .htaccess can be utilized to control other things such as: using different files as an index file, deny directory listing, automatically redirect users, access control that is ip based, custom error pages.

Common Uses for .htaccess files
Authorization, authentication: In this case, the .htaccess file is used to spell out specific restrictions for a directory. It is often accompanied by a .htpasswd file which stores usernames and their passwords.

Rewriting URLs: .htaccess files are used to rewrite overly long URLs to easier, shorter and more memorable URLs.

Blocking: The allow/deny is used to block by IP address or domain. It can also be used to block bots, rippers and referrers. It is often used to restrict the access of the search engine spiders.

SSI: Allow server-side includes.

Directory Listing: Tells the server how to react when no specific web page has been specified.

Customized Error Responses: Allows a page to be changed when a server-side error happens. For example, "HTTP 404 Not Found" or to tell a search engine when a page has moved, "HTTP 301 Moved Permanently"

MIME types: Gives instructions to the server on how to treat different varying types of files.

Cache Control: .htaccess files sets up instructions that allow the server to control caching by web browsers, proxies to reduce bandwidth usage, and perceived lag.

Advantages of the .htaccess file
Changes made in files where .htaccess files are present take effect immediately, unlike changes made in the main configuration file which forces the server to have to restart to allow new settings to take effect.

On a server that has many different users, .htaccess files allow individual users to alter their site configuration because the main server configuration files do not need to be altered.

Disadvantages of the .htaccess file
Allowing individual users to alter their site configuration of a server can introduce security concerns if it is not set up properly. Also, if a company has hundreds of .htaccess files on several different directories that either allow or deny user access to their own contents, it becomes more complicated for that company to set up a global access or authentication strategy to keep up with changes. These files can be easily overwritten which can cause problems for users who were once able to access a directory's information but are now not able to access. .htaccess files are also more likely to be opened or retrieved by unauthorized users.

Category: website security,