
Howto restrict what htaccess files can do on Apache

Published on September 04, 2019
By Pete Freitag

If you are running Apache 2.4 or greater (and there is a good chance you are these days), then you can make use of a new directive to control exactly which directives can go in the .htaccess files.

The directive is called AllowOverrideList and you can specify with it exactly which directives you want to allow in .htaccess files. This may sound similar to the AllowOverride directive, which tends to be configured as all or nothing, or rather None or All. AllowOverride does provide some options for limiting what .htaccess files can do, but it is not as fine-grained as AllowOverrideList.

If you search for "RewriteRule not working in htaccess", the answer will almost always be something like this:

You need to change your httpd.conf from AllowOverride None to AllowOverride All

While the above certainly works, a better answer for older versions of Apache is to set AllowOverride FileInfo, which enables all the mod_rewrite directives, but it also enables a bunch of other directives you probably don't need or want in your .htaccess files, such as SetHandler.

A better way as of Apache 2.4

With Apache 2.4 we can instead add something like this to our httpd.conf to allow only RewriteEngine and RewriteRule in .htaccess files:

AllowOverride None
AllowOverrideList RewriteEngine RewriteRule

And that will limit what directives can go inside the .htaccess file. If I try, for example, to add an Options directive, I will get an error like this:

[Wed Sep 04 20:41:56.741898 2019] [core:alert] [pid 1382:tid 140461738030848] [client] /var/www/ Options not allowed here
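Apache only reports a rejected directive when the file is actually hit, as the error_log alert above shows, so it is worth catching the problem before a .htaccess file is deployed. The script below is an added example, not code from the original post: it lints a .htaccess file against the names you put in AllowOverrideList and reports every directive Apache would refuse. It assumes the allow-list from the post extended with RewriteCond and RewriteBase (two more mod_rewrite directives that most rewrite rules in .htaccess need, so they would be listed in the same AllowOverrideList line, which itself belongs inside the <Directory> section of httpd.conf), and it skips section openers and closers such as <IfModule>, leaving those to Apache's own check. The sample .htaccess is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: lint a .htaccess file
# against the directives an AllowOverrideList permits, so a disallowed
# directive is caught before deployment instead of surfacing as a
# "not allowed here" alert in Apache's error_log.

# Allow-list from the post (RewriteEngine RewriteRule) extended with
# RewriteCond and RewriteBase. Assumption: the AllowOverrideList line in
# your <Directory> section names the same four directives.
ALLOWED_DIRECTIVES="RewriteEngine RewriteRule RewriteCond RewriteBase"

# Print the directive names found in $1 that are not in the allow-list,
# lower-cased (Apache matches directive names case-insensitively), one per
# line, each reported once. Comments, blank lines and section openers or
# closers such as <IfModule> / </IfModule> are skipped.
disallowed_directives() {
    file="$1"
    allowed_lc=$(printf '%s' "$ALLOWED_DIRECTIVES" | tr 'A-Z' 'a-z')
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' "$file" |
        awk 'NF && $1 !~ /^</ { print tolower($1) }' |
        sort -u |
        while IFS= read -r directive; do
            case " $allowed_lc " in
                *" $directive "*) ;;                 # permitted by the list
                *) printf '%s\n' "$directive" ;;     # Apache would reject it
            esac
        done
}

# Exit 0 when the file uses only permitted directives, 1 otherwise.
check_htaccess() {
    [ -z "$(disallowed_directives "$1")" ]
}

# Constructed sample .htaccess: the Options line is the one the post's
# error message complains about, and SetHandler is the kind of directive
# AllowOverride FileInfo would have let through.
SAMPLE_HTACCESS=$(mktemp)
cat > "$SAMPLE_HTACCESS" <<'EOF'
# Front controller rewrite
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?route=$1 [L,QSA]
Options -Indexes
SetHandler application/x-httpd-php
EOF

# Usage: list the offending directives and fail if there are any.
disallowed_directives "$SAMPLE_HTACCESS"
check_htaccess "$SAMPLE_HTACCESS" ||
    echo "found directives that AllowOverrideList would reject" >&2
```

Run it in CI against every .htaccess in the document root (for example `find /var/www -name .htaccess -exec sh -c 'check_htaccess "$1"' _ {} \;` after sourcing the functions) and the deployment fails with the directive names instead of the site failing at request time. Keep ALLOWED_DIRECTIVES in step with the AllowOverrideList line in httpd.conf, since the script only mirrors that configuration and does not read it.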

apache httpd security

