Questions tagged [htaccess]

.htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and interpreted by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or for more advanced functions such as content password protection or image hot link prevention.

Source: Wikipedia

24 questions
47 votes, 3 answers

Security implications of stolen .git/objects/ files

As a security in-charge, I just noticed that one of our production web apps was attacked by some hackers. The attacker accessed the .git/objects/ files. I already modified .htaccess to make .git and its content inaccessible. The attacker may get…
4 votes, 2 answers

Can someone view the contents of my .htaccess file

I am storing hashed passwords in a file called passwords.htaccess. When a user fills out a login form, the passwords are checked. I am getting the contents of passwords.htaccess with file_get_contents('passwords.htaccess');. Is there any way that…
DMVerfurth

3 votes, 1 answer

HSTS and TLS redirection: What is the correct order?

Currently I am trying to setup my apache server for HSTS. Therefore my .htaccess looks like this: Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header set Cache-Control…
Blackbam

2 votes, 5 answers

Protect against attack that modifies .htaccess?

I have a dedicated server. There is no code/site live now, only a coming soon page. A few minutes ago I realized that someone has changed the .htaccess file. How can I protect against that kind of attack? The new htaccess contains these…
AlexCode

2 votes, 1 answer

Security issue with .htaccess with dynamic http_host redirect?

I would like to know if it would be an issue to use this code in a production environment: RewriteCond %{HTTP_HOST} ^(?:www\.)?([a-zA-Z0-9_-]+)\.(?:com|co\.uk|es|de)$ RewriteCond $1 ^sitemap([0-9]+)?\.xml(\.gz)?$ RewriteRule ^(.*)$…
JDW

1 vote, 1 answer

Apache RewriteRule htaccess security

If I configure an .htaccess file like this: RewriteEngine On RewriteRule ^([^/]*)$ /view.php?key=$1 [L] Which transforms: original URL http://www.example.com/view.php?key=123 rewritten URL http://www.example.com/123 Is there any way for an…
Jeremy

1 vote, 0 answers

.htaccess to stop scripts with image extensions

I use a .htaccess file in my images directory to block scripts from running. I exclude .php .cgi and so on. But some malware is disguised by naming them with an image extension. I did not previously add various image extensions fearing it could…
paulkruger

1 vote, 2 answers

How to allow access from just one IP in htaccess

I have a public hosting server. I want to give access to it only from one specific IP address. Since it's a public hosting I don't have access to its infrastructure or apache configuration. I can create .htaccess file only. Based on that can I…
Simon

1 vote, 1 answer

Securing admin login by only whitelisting a dedicated VPN IP

Is it a good idea to restrict access to the admin-login-page-url of a website, by making a .htaccess rule that only allows access to the dedicated VPN IP? If so, is it recommended to just buy the dedicated IP from popular VPN providers? My goal…

1 vote, 0 answers

Is it possible to bypass .htaccess protection?

So, I was involved in one of the projects where the client site and admin panel/dashboard were hosted on different sites. Not like a lot of CRMs do or 90% of common sites (just in /admin or another URL location on the root client site), but literally on…
Red Indian

1 vote, 2 answers

.htaccess rewrite rule to hide files

Let's say we have a password.txt in a webdirectory that must not be leaked. Is it secure to use a RewriteRule like this? RewriteRule "^password.txt?*" "404.html" I tried to do something fishy like domain.com/somefile/../password.txt, or using…
1 vote, 0 answers

Is HSTS necessary or can I just write .htaccess code to always redirect http to https?

Is HTTP Strict Transport Security (HSTS) necessary or can I just write regular .htaccess code to always redirect http to https?
Black

1 vote, 1 answer

HSTS vs RewriteRule

I've recently read that HSTS is designed to avoid some of the vulnerabilities associated with htaccess redirects to force HTTPS, because the browser can be made to ignore them. That said, many of our websites force HTTPS via the following…
Nosajimiki

1 vote, 1 answer

X-Frame-Options header on redirect

I have several web applications running on my server (Debian 8 running Apache). One of my customers wants to improve the security of his app, after having some security audits carried out by a third-party company he showed me the vulnerabilities he…
bomba

1 vote, 1 answer

How to deny execution of any file on a specific directory?

I built a form that lets the user upload files to a specific directory (apache2, php). I already limited the file type and did some other security things. But I would anyway also like to deny the execution of those files to all. They're meant to be…