Is it safe to protect a file using .htaccess?
I would like to protect a file from download and permit the download only to people who have the correct username and password.
Do you think that the .htaccess way is quite secure?
2 Replies
It's much safer to keep your stuff outside of the document root altogether. PHP scripts and other server-side programs would have no problem serving it.
Most of my static content is actually kept outside the web root and served by a PHP wrapper.
It's not just a possible mistake in configuration; there are also possible vulnerabilities in Apache or a module you have loaded that may allow an unauthorized user to grab the content.
A classic example is the HFS+ file system Apache bug when OS X first shipped. HFS+ is case preserving but not case sensitive, so people could get around .htaccess limitations by changing the case of the request. Apache would see a request for /reStricted/file.ext and not apply the .htaccess rules that restricted the directory /restricted/ because Apache didn't know they were seen as the same directory on HFS+ systems.
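
The approach the replies describe (the file kept outside the document root and served by a PHP wrapper after a credential check), as an added example that is not code from this thread. The storage path, the `file` query parameter and the `DL_USER` / `DL_PASS_HASH` environment variables are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Assumed names: STORAGE_DIR, the "file" query parameter,
// and the DL_USER / DL_PASS_HASH environment variables (hash made with
// password_hash()). STORAGE_DIR must lie outside the document root.
const STORAGE_DIR = '/srv/private-files';

function check_credentials(string $user, string $pass): bool
{
    $expectedUser = getenv('DL_USER') ?: '';
    $expectedHash = getenv('DL_PASS_HASH') ?: '';
    // Run both comparisons so the response time does not show which failed.
    $userOk = hash_equals($expectedUser, $user);
    $passOk = password_verify($pass, $expectedHash);
    return $expectedUser !== '' && $userOk && $passOk;
}

function resolve_download(string $requested): ?string
{
    $entries = scandir(STORAGE_DIR);
    // Strict comparison against the real directory listing: rejects path
    // separators, "..", and names that differ only in letter case, whatever
    // the filesystem's case handling is.
    if ($entries === false || !in_array($requested, $entries, true)) {
        return null;
    }
    $path = STORAGE_DIR . DIRECTORY_SEPARATOR . $requested;
    return (is_file($path) && !is_link($path)) ? $path : null;
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$pass = $_SERVER['PHP_AUTH_PW'] ?? '';
if (!check_credentials($user, $pass)) {
    header('WWW-Authenticate: Basic realm="Downloads"');
    http_response_code(401);
    exit('Authentication required');
}
$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolve_download($file) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($file));
header('Content-Length: ' . filesize($path));
readfile($path);
```

Serve the wrapper over HTTPS only, since HTTP Basic authentication sends the password without encryption.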