Security Enhancing with htaccess
« Rare XHTML elements use for SEOhtaccess directives available on Powweb »
What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$"> order deny,allow deny from all </Files>
Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.
<Files ~ "(php\.ini|\.htaccess|\.php.?|\.pl|\.cgi)$"> order deny,allow allow from all </Files>
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.
My thoughts
You need to remove their ability to execute scripts.
Heres a couple different ways I do it
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
This is cool, you are basically categorizing all those scripts extensions so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks
Combine that with
<Files .htaccess> order allow, deny deny from all </Files>
Then you might try
Options -ExecCGI -Indexes -All
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)
RewriteRule .* - [F]
RewriteEngine Off
If you’d rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler cgi-script .pl .py .cgi
Full Example
Options -ExecCGI RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5 RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5
« Rare XHTML elements use for SEO
htaccess directives available on Powweb »
Similar Reads
- PHP htaccess tips and tricks
- Security with Apache htaccess Tutorial
- Using TIME_HOUR and TIME_MIN for htaccess RewriteCond
- htaccess HTTPS / SSL Tips, Tricks, and Hacks
- htaccess Tricks for Webmasters
- Manipulating HTTP Headers with htaccess
- Securing php.ini and php.cgi with .htaccess
- Apache Authentication in htaccess
- Apache Environment Variables CGI Script
- Debug apache log files from php
- Fresh .htaccess Examples: Cookies, Variables, Custom Headers
- Rewrite underscores to hyphens for SEO URL
- 301 Redirect with mod_rewrite or RedirectMatch
- Multiply your DreamHost Referrals
- Make phpBB SEO friendly with htaccess
- What I think about DreamHost Web Hosting
- Smart HTTP and HTTPS .htaccess Rewrite
My Picks
- THE Mod_Rewrite Cheatsheet
- AskApache .bash_profile
- Elite Log Viewing
- THE Ultimate Htaccess
- Intense Windows Speed
- DNS: Round Robin Speed
- Fsockopen: Nuts
Related Articles
- PHP htaccess tips and tricks
- Security with Apache htaccess Tutoria
- Using TIME_HOUR and TIME_MIN for htac
- htaccess HTTPS / SSL Tips, Tricks, an
- htaccess Tricks for Webmasters
- Manipulating HTTP Headers with htacce
- Securing php.ini and php.cgi with .ht
- Apache Authentication in htaccess
- Apache Environment Variables CGI Scri
- Fresh .htaccess Examples: Cookies, Va
- Rewrite underscores to hyphens for SE
- 301 Redirect with mod_rewrite or Redi
- Multiply your DreamHost Referrals
- Make phpBB SEO friendly with htaccess
- What I think about DreamHost Web Host
- Smart HTTP and HTTPS .htaccess Rewrit
Newest Posts
- Update: Best Free Online Banking
- Firefox Add-ons for Web Developers
- Optimizing Servers and Processes for Speed with ionice, nice, ulimit
Random
Donate
Please consider donating to support active development of the free software and articles here.
Good Causes
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
No comments yet. Be the first!
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | TLDP | WAI | DISA | ICSI | GIAC | SANS RR | GHOST | DEFCON | NIST | DHS CYBER | NIST
↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. HTTPD based on NCSA HTTPd