Hi,
I am using htpasswd with Apache to protect a directory with a password using .htaccess. Now my htpasswd file is in the same directory I am trying to protect. How can I protect that file from being fetched once someone is authenticated? I don't want to move the file out of the document root, and I don't really want to use rewrite rules unless I have to. Any ideas?
Thanks!
Last edited by awayand (2011-10-07 00:17:36)
This is from the default httpd.conf and should answer your question:
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
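An added example, not part of the original posts: a Python check that walks a document root, finds files whose content looks like htpasswd entries, and reports which ones the `^\.ht` FilesMatch rule quoted above does not cover, since Apache tests that pattern against the file name only. The hash-prefix heuristic, the function names and the sample tree are assumptions constructed for illustration.

```python
import itertools
import os
import re
import tempfile

# Pattern from the FilesMatch rule quoted above; Apache applies it to the
# file's base name, so only names beginning with ".ht" are denied.
DENY_PATTERN = re.compile(r"^\.ht")

# Assumption: heuristic for "user:hash" lines using common htpasswd hash
# prefixes (apr1 MD5, bcrypt, {SHA}, crypt variants). Plain crypt() is missed.
HTPASSWD_LINE = re.compile(r"^[^:\s]+:(\$apr1\$|\$2[aby]\$|\{SHA\}|\$[156]\$)\S+$")

def looks_like_htpasswd(path, max_lines=50):
    """True if every non-blank line among the first max_lines is user:hash."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            lines = [l.strip() for l in itertools.islice(fh, max_lines) if l.strip()]
    except OSError:
        return False
    return bool(lines) and all(HTPASSWD_LINE.match(l) for l in lines)

def audit_docroot(docroot):
    """Return (covered, exposed) relative paths of password-like files."""
    covered, exposed = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_like_htpasswd(full):
                rel = os.path.relpath(full, docroot)
                (covered if DENY_PATTERN.search(name) else exposed).append(rel)
    return sorted(covered), sorted(exposed)

def build_sample_docroot():
    """Create a constructed sample tree (not real credentials) for the demo."""
    root = tempfile.mkdtemp(prefix="docroot-")
    entry = "alice:$apr1$constructed$0000000000000000000000\n"
    os.makedirs(os.path.join(root, "private"))
    samples = {".htpasswd": entry, "passwords.txt": entry,
               "htpasswd.bak": entry, "index.html": "<html>hello</html>\n"}
    for name, body in samples.items():
        with open(os.path.join(root, "private", name), "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    covered, exposed = audit_docroot(build_sample_docroot())
    print("denied by ^\\.ht:", covered)
    print("not covered by the rule:", exposed)
```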
If you're really paranoid you could define the password in your httpd.conf, i.e. out of the webroot. Otherwise some exploit in a PHP script might offer a way to echo/include the htaccess file.
Last edited by rwd (2011-10-06 18:29:13)
Cool, thanks!