Apache Tip #1: Limit User htaccess Power

With the now common use of dynamic web sites, especially content management systems, your web hosting users may want to use .htaccess files to set Apache web server configuration directives. At times, these directives may be necessary for the proper functionality of their CMS or other dynamic web applications.

It is easy to use .htaccess, and many free and open source web apps, such as WordPress, will make use of them automatically with no direct intervention required on the part of the user. For more advanced .htaccess features, however, you may want to limit the amount of power users can have over their virtual host web server configuration. Using the “AllowOverride” directive in your Apache configuration file (httpd.conf), you can place limitations on .htaccess files or even disable them completely.

The reason for doing this is simple. While you may have taken great strides to make sure your web server is secure, your web hosting users may not have the same level of security acumen. The results could be disastrous, even if only for their individual websites.

If, for example, your users only need to use .htaccess to override directory indexing for their content management systems, you can use the AllowOverride directive as follows:

AllowOverride Indexes

All other directives placed in an .htaccess file will cause an “Internal Server Error” on the site that uses them.
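The following httpd.conf fragment is an added example, not part of the original post, showing the permissive setting beside the restricted one described above. It assumes Apache 2.4 access-control syntax (Require) and a hypothetical document root of /var/www/vhosts/example/htdocs; both are assumptions, not values from the post.

```apache
# Added example (not from the original post). Assumes Apache 2.4 syntax
# and a hypothetical user document root under /var/www/vhosts/example/htdocs.

# Baseline for the whole filesystem: .htaccess files are not read at all,
# so a user cannot change configuration anywhere they are not explicitly allowed to.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Weak setting: every directive group may be overridden from .htaccess,
# so a user's .htaccess carries the same authority as httpd.conf for that tree.
# <Directory "/var/www/vhosts/example/htdocs">
#     AllowOverride All
# </Directory>

# Restricted setting from the tip: only the Indexes group (DirectoryIndex,
# IndexOptions, ...) may be set in .htaccess. A user file containing
#     DirectoryIndex index.php index.html
# is honoured, while one containing, for example,
#     Options +Indexes
# (Options group) is rejected and the request returns a 500 Internal Server Error,
# because that directive is not covered by "AllowOverride Indexes".
<Directory "/var/www/vhosts/example/htdocs">
    Options -Indexes +FollowSymLinks
    AllowOverride Indexes
    Require all granted
</Directory>
```

AllowOverride names directive groups rather than individual directives, so check which group a user's directives belong to before choosing the setting: mod_rewrite directives such as RewriteRule fall under FileInfo, and Options lines under Options, so neither is enabled by Indexes alone. After editing httpd.conf, run `apachectl configtest` (or `httpd -t`) to confirm the syntax before reloading, and verify the restriction from a user's perspective by placing a directive outside the allowed group in a test .htaccess and confirming the error log reports it as not allowed here.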

For more information about Apache’s AllowOverride directive and .htaccess files, see the online Apache documentation.