
#1 2011-10-06 17:03:53

awayand
Member
Registered: 2009-09-25
Posts: 398

[SOLVED] protecting htpasswd

Hi,
I am using htpasswd with apache to protect a directory with a password using .htaccess. Now my htpasswd file is in the same directory I am trying to protect. How can I protect that file from being fetched once someone is authenticated? I don't want to move the file out of the document root, and I don't really want to use rewrite rules unless I have to. Any ideas?
thanks!

Last edited by awayand (2011-10-07 00:17:36)


#2 2011-10-06 17:55:48

jakobm
Member
Registered: 2008-03-24
Posts: 132

Re: [SOLVED] protecting htpasswd

This is from the default httpd.conf and should answer your question:

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>


#3 2011-10-06 18:16:07

rwd
Member
Registered: 2009-02-08
Posts: 664

Re: [SOLVED] protecting htpasswd

If you're really paranoid you could define the password in your httpd.conf, i.e. out of the webroot. Otherwise some exploit in a php script might offer a way to echo/include the htaccess file.

Last edited by rwd (2011-10-06 18:29:13)
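
An added example, not part of any post in this thread: the deny rule from post #2 in Apache 2.4 syntax, together with the password file kept outside the document root and the authentication configured in httpd.conf, as post #3 suggests. The paths /srv/http/private and /etc/httpd/auth/site.htpasswd and the realm name are assumptions.

```apache
# Added example. All paths and the realm name are assumed, not from the thread.

# Apache 2.4 form of the default rule. Order, Deny and Satisfy still work
# through mod_access_compat, but Require (mod_authz_core) is the current syntax.
# Files sections are merged after Directory sections and .htaccess, so this
# denial also applies to clients that have already authenticated.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Authentication defined in the server configuration, with the password
# file stored outside the document root so no URL maps to it.
<Directory "/srv/http/private">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/auth/site.htpasswd"
    Require valid-user
</Directory>
```

The password file only needs to be readable by the user the server runs as. Running `apachectl configtest` before reloading checks the syntax.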


#4 2011-10-07 00:17:01

awayand
Member
Registered: 2009-09-25
Posts: 398

Re: [SOLVED] protecting htpasswd

cool thanks!

