Howto restrict what htaccess files can do on Apache
By Pete Freitag
If you are running Apache 2.4 or greater (and there is a good chance you are these days), then you can make use of a new directive to control exactly which directives can go in the .htaccess files.
The directive is called AllowOverrideList, and with it you can specify exactly which directives you want to allow in .htaccess files. It may sound similar to the AllowOverride directive, which tends to be configured as all or nothing, that is, None or All. AllowOverride does offer some options for limiting what .htaccess can do, but it is not as fine grained as AllowOverrideList.
If you search for RewriteRule not working in htaccess, the answer will almost always be something like this:
You need to change your httpd.conf from AllowOverride None to AllowOverride All
While the above certainly works, a better answer for old versions of Apache is to set AllowOverride FileInfo, which enables all the mod_rewrite directives, along with a bunch of other directives you probably don't need or want in your .htaccess files, such as SetHandler.
A better way as of Apache 2.4
With Apache 2.4 we can add something like this to our httpd.conf to allow only RewriteEngine and RewriteRule in .htaccess files:
AllowOverride None
AllowOverrideList RewriteEngine RewriteRule
And that will limit what directives can go inside the htaccess file. If I try for example to add an Options directive, I will get an error like this:
[Wed Sep 04 20:41:56.741898 2019] [core:alert] [pid 1382:tid 140461738030848] [client 127.0.0.1:37466] /var/www/dummy-host.example.com/.htaccess: Options not allowed here
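As an added check that is not part of the original post, the Python script below audits the <Directory> blocks of an httpd.conf fragment (constructed here) and reports which of the three policies discussed above each one uses; it assumes the usual 2.4 placement of AllowOverride and AllowOverrideList inside non-regex <Directory> sections, the only context where they are valid.

```python
import re
# Constructed httpd.conf fragment (not from the original post), one
# <Directory> block per policy discussed above.
SAMPLE_CONF = """
<Directory "/var/www/legacy">
    AllowOverride All
</Directory>
<Directory "/var/www/old">
    AllowOverride FileInfo
</Directory>
<Directory "/var/www/dummy-host.example.com">
    AllowOverride None
    AllowOverrideList RewriteEngine RewriteRule
</Directory>
"""
# Non-regex <Directory> containers: the only context where
# AllowOverride / AllowOverrideList are valid.
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
def audit_overrides(conf):
    """Map each <Directory> path to (verdict, allowed_directives):
    open       - AllowOverride All: any .htaccess directive is honoured
    broad      - a class such as FileInfo: whole groups of directives enabled
    restricted - AllowOverride None plus an explicit AllowOverrideList
    closed     - AllowOverride None (the 2.4 default) and no list
    The last AllowOverride / AllowOverrideList in a block wins, as in Apache."""
    results = {}
    for path, body in DIR_RE.findall(conf):
        override, allowed = ["none"], []
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()  # drop comments, tokenize
            if not parts:
                continue
            if parts[0].lower() == "allowoverride":
                override = [p.lower() for p in parts[1:]]
            elif parts[0].lower() == "allowoverridelist":
                allowed = parts[1:]
        if "all" in override:
            verdict = "open"
        elif override != ["none"]:
            verdict = "broad"
        else:
            verdict = "restricted" if allowed else "closed"
        results[path.strip()] = (verdict, allowed)
    return results

if __name__ == "__main__":
    for path, (verdict, allowed) in audit_overrides(SAMPLE_CONF).items():
        print(path, verdict, *allowed)
```

Run it against a real httpd.conf (or the files it Includes) to find directories still on the all-or-nothing AllowOverride settings that the post recommends replacing.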
Howto restrict what htaccess files can do on Apache was first published on September 04, 2019.