Is it safe to protect a file using .htaccess?

Hi…

I would like to protect a file from download. I would permit the download only to people who have the correct username and password.

Do you think that the .htaccess way is quite secure?

2 Replies

.htaccess works fine, until one day you make a typo in the relevant config file and Apache begins to ignore it, or you give another web server a try without remembering that lighty and nginx don't support .htaccess files.

It's much safer to keep your stuff outside of the document root altogether. PHP scripts and other server-side programs would have no problem serving it.

I concur.

Most of my static content is actually kept outside the web root and served by a PHP wrapper.

It's not just a possible mistake in configuration; there are also possible vulnerabilities in Apache or a module you have loaded that may allow an unauthorized user to grab the content.

A classic example is the HFS+ file system Apache bug when OS X first shipped. HFS+ is case preserving but not case sensitive, so people could get around .htaccess limitations by changing the case of the request. Apache would see a request for /reStricted/file.ext and not apply the .htaccess rules that restricted the directory /restricted/ because Apache didn't know they were seen as the same directory on HFS+ systems.
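
An added example, not code posted by anyone in the thread: a PHP wrapper of the kind both replies describe, which checks a username and password and then serves a file stored outside the document root. The directory path, the `file` query parameter and the user table are assumptions made for illustration.

```php
<?php
// Added example. Assumed layout: this script sits in the document root,
// the protected files sit in PROTECTED_DIR, which is NOT under the document root.
declare(strict_types=1);

const PROTECTED_DIR = '/srv/protected-files';   // hypothetical path
// Constructed sample account. The value is a placeholder: replace it with the
// output of password_hash('the password', PASSWORD_DEFAULT).
const USERS = ['alice' => '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash'];

function deny(int $status, string $message): void
{
    http_response_code($status);
    if ($status === 401) {
        header('WWW-Authenticate: Basic realm="Downloads"');
    }
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. Authenticate with HTTP Basic credentials (use HTTPS, the password is sent
//    on every request). Assumes the SAPI populates PHP_AUTH_USER / PHP_AUTH_PW.
$user = (string)($_SERVER['PHP_AUTH_USER'] ?? '');
$pass = (string)($_SERVER['PHP_AUTH_PW'] ?? '');
$hash = USERS[$user] ?? null;
if ($hash === null || !password_verify($pass, $hash)) {
    deny(401, "Authentication required\n");
}

// 2. Map the request to a file. basename() drops any directory part, and
//    realpath() resolves symlinks, so the final path can be checked against
//    the real location of PROTECTED_DIR before anything is opened.
$requested = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
$base = realpath(PROTECTED_DIR);
$path = realpath(PROTECTED_DIR . '/' . basename($requested));
if ($requested === '' || $base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($path)) {
    deny(404, "Not found\n");
}

// 3. Stream the file as a download with a sanitized, ASCII-only file name.
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . (string)filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the files are not under the document root, a broken or ignored .htaccess, or a switch to a server that does not read .htaccess, leaves them unreachable by direct URL; the only route to them is this script's own check.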
