ID #1285

What can you do with the ".htaccess"?

1. Safeguarding a directory

Create a directory to hold all the files you wish to protect. The file types don't matter. When a file from this directory is opened, the browser displays a window in which the user must enter a username and password before the file is shown. Create a new file named .htaccess in this directory and type the following lines into it:




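AuthUserFile /home/ftp-username/www/data/.htpasswd
AuthGroupFile /dev/null
AuthName "name"
AuthType Basic
# <Limit GET> applies the login requirement to GET and HEAD requests only.
<Limit GET>
require valid-user
</Limit>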


In the first line you enter the path to the password file .htpasswd. This differs from provider to provider, e.g.: /home/ftp-username/www/data/.htpasswd.
Now put a second file named .htpasswd into the directory. Write each username, followed by its encrypted password, into the file. For this purpose you can either use a password generator or create a small PHP script that encrypts the password you have chosen. The password could look like this:



1.1 Sample PHP Script:

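<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<input type="text" name="plaintext" maxlength="12">
<input type="submit" value="Create Password">
</form>
<?php
// Read the submitted value from $_POST; register_globals no longer exists.
if (isset($_POST['plaintext'])):
    // password_hash() is used in place of crypt() without a salt; it returns a
    // bcrypt hash ($2y$...), which Apache 2.4 accepts in .htpasswd files.
    echo "Encrypted password:<br>" . password_hash($_POST['plaintext'], PASSWORD_BCRYPT);
endif;
?>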




2. Ban one or more users
With the following entries you can define which users (IP addresses) are granted access to your server and which are not. (Please note that most users are assigned IP addresses dynamically by their provider.)

Only certain IP addresses are granted access:
order deny,allow
allow from
deny from all

Certain IP addresses aren't granted access:
order deny,allow
deny from

Locking certain files
If you don't want files that begin with a dot (e.g. the .htaccess or .htpasswd file) to be delivered by the server, use the following option:


<FilesMatch "^\.">
deny from all
</FilesMatch>

Sharing certain file types for download
If you offer downloads, it can make sense to explicitly mark certain file types as downloads:


<FilesMatch "\.(gz|pdf|zip|exe)$">
ForceType application/octet-stream
</FilesMatch>

All extensions listed within the parentheses will be offered as downloads.
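
Added example, not part of the original entry: a small Python check for mistakes that are easy to make with the directives from sections 1 and 2 (a `require` inside `<Limit>`, which leaves unlisted HTTP methods without a login prompt, a space inside `order deny,allow`, an unclosed section, and a missing `AuthUserFile`). The function name `audit_htaccess` and the sample input are made up for this example.

```python
import re

# Constructed sample: a section 1 style block without AuthUserFile and without
# the closing </Limit>, plus an Order line written with a space.
SAMPLE = '''\
AuthGroupFile /dev/null
AuthName "name"
AuthType Basic
<Limit GET>
require valid-user
order deny, allow
deny from all
'''

OPEN = re.compile(r'<\s*([A-Za-z]+)\b.*>')
CLOSE = re.compile(r'</\s*([A-Za-z]+)\s*>')

def audit_htaccess(text):
    """Return sorted (line_number, message) findings; line 0 means file-wide."""
    findings, stack, seen = [], [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = CLOSE.fullmatch(line)
        if m:  # closing tag must match the innermost open section
            if stack and stack[-1][0] == m.group(1).lower():
                stack.pop()
            else:
                findings.append((no, f'unexpected closing tag {line}'))
            continue
        m = OPEN.fullmatch(line)
        if m:  # remember where each section was opened
            stack.append((m.group(1).lower(), no))
            continue
        words = line.split()
        name = words[0].lower()
        seen.add(name)
        if name == 'require' and any(tag == 'limit' for tag, _ in stack):
            findings.append((no, 'Require inside <Limit>: methods not listed get no login check'))
        if name == 'order' and len(words) != 2:
            findings.append((no, 'Order takes one argument: write deny,allow without a space'))
    for tag, no in stack:
        findings.append((no, f'<{tag}> is never closed'))
    if 'authtype' in seen and 'authuserfile' not in seen:
        findings.append((0, 'AuthType is set but no AuthUserFile names the password file'))
    return sorted(findings)
```

Calling `audit_htaccess(open('.htaccess').read())` on a real file returns an empty list when none of these four problems is present.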

3. Intercepting error pages

This is a decent way to avoid the browser's unhelpful error messages (e.g. "Page not found"). For instance, write the following code in a .htaccess file:


ErrorDocument 403
ErrorDocument 404
ErrorDocument 500

4. Automatic redirection
Of course you can also set up a redirection. To do this, the .htaccess file has to be located in the root directory (/).


Redirect /

The second way of redirecting: the user is redirected when entering a certain directory.

Redirect /myfolder http://www.thenewdomain.tld/

If a user calls up // he will be redirected to http://www.dieneuedomain.tld/

5. Calling up a certain file as start file
The start file is named index.htm, index.html or index.php. You can also choose another name for the start file, for example index.shtml, index.php4, etc.

DirectoryIndex index.shtml

In this example the start file index.shtml would be called up as long as it exists.

Tags: .htaccess, .htpasswd, directory protection, htaccess, htpasswd, password security, security
