angelwatt

Moderator emeritus
Original poster
Aug 16, 2005
In light of recent Mac Rumors events, I thought it might be a good opportunity to refresh a common tip of hiding .htaccess and .htpasswd files from public viewing. A lot of Apache installs (like MAMP) already set things up to block access to these files and so you may already see this in your httpd.conf file. If not, you may want to add it.
Code:
#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
The above blocks access to any files that start with .ht in the file name. You can change the above to work for different file names as well, which will protect those files. The .htpasswd files should also be stored in a directory that is not web-accessible, which means a lot of the steps here wouldn't be needed, at least for the .htpasswd file.

Additionally, when you create password protected areas using the htpasswd command, you don't have to name the outputted file .htpasswd; it's simply very common. Using a unique, or mostly unique, name will keep people from guessing it.

Another point to mention deals with having indexes on for a directory. When Indexes is on you can view the files in a directory (if there's no DirectoryIndex file, e.g., index.html, index.php, etc.), and so of course you don't want it to list your .htpasswd file and others. Normally you don't want to show any hidden files (files that start with a . are hidden). This is where IndexIgnore comes in for Apache. Below shows what mine is set to, which includes hiding hidden files from an index view. This was the default setting for MAMP.
Code:
#
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

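As an added illustration (not from the post or from Apache itself), here is a small Python audit of an httpd.conf fragment that checks whether a given file name is caught by the deny-all Files rule above and whether the IndexIgnore globs hide it from a directory listing. The sample config and the renamed password file users.pw are constructed for the demo; FilesMatch and Apache 2.4's "Require all denied" are handled as well, which goes slightly beyond the 2.2 syntax shown above.

```python
"""Audit an httpd.conf fragment for the two protections discussed above."""
import fnmatch
import re

# Constructed sample: the post's two directives plus a directory with Indexes on.
SAMPLE_CONF = """
<Files ~ "^\\.ht">
    Order allow,deny
    Deny from all
</Files>
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
<Directory "/var/www/site">
    Options Indexes FollowSymLinks
</Directory>
"""

FILES_RE = re.compile(r'<Files(Match)?\s+(~\s+)?"([^"]+)"\s*>(.*?)</Files(?:Match)?>', re.S | re.I)
DENY_RE = re.compile(r"Deny\s+from\s+all|Require\s+all\s+denied", re.I)  # 2.2 and 2.4 syntax

def denied_matchers(conf):
    """One predicate per <Files>/<FilesMatch> block that denies every client."""
    matchers = []
    for m in FILES_RE.finditer(conf):
        is_regex = bool(m.group(1) or m.group(2))   # FilesMatch or "Files ~" take a regex
        pattern, body = m.group(3), m.group(4)
        if not DENY_RE.search(body):
            continue
        if is_regex:
            matchers.append(lambda name, p=pattern: re.search(p, name) is not None)
        else:  # a plain <Files> argument uses shell-style wildcards, not a regex
            matchers.append(lambda name, p=pattern: fnmatch.fnmatchcase(name, p))
    return matchers

def is_blocked(conf, filename):
    """True if a request for this file name would be refused by a deny-all block."""
    return any(match(filename) for match in denied_matchers(conf))

def index_ignore_patterns(conf):
    """All IndexIgnore globs, accumulated across directives as Apache does."""
    return [p for m in re.finditer(r"^\s*IndexIgnore\s+(.+)$", conf, re.M) for p in m.group(1).split()]

def is_listed(conf, filename):
    """Would a directory listing show this name? Blocking a file does not hide it from the index."""
    return not any(fnmatch.fnmatchcase(filename, p) for p in index_ignore_patterns(conf))
```

Running is_blocked and is_listed over ".htpasswd" and "users.pw" shows the gap the post warns about: a password file renamed to something not starting with .ht is neither blocked by the ^\.ht rule nor hidden by .??*, so it needs its own Files block or, better, a location outside the document root.
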
Well, there's your tips. If anyone wants to add additional steps for Apache or even other web servers feel free to share. Also, if I have misspoken about anything here let me know. I don't consider myself an expert, just knowledgeable.

Additional Reading: