Howto restrict what htaccess files can do on Apache
By Pete Freitag
If you are running Apache 2.4 or greater (and there is a good chance you are these days), then you can make use of a new directive to control exactly which directives can go in the
The directive is called AllowOverrideList and you can specify which directives you want to allow in .htaccess files with it. This may sound familiar to the AllowOverride directive, which tends to be configured as all or nothing, or rather All. It does provide some options for limiting what it can do, but it is not as fine grained as AllowOverrideList.
If you search for RewriteRule not working in htaccess the answer will almost always be something like this:
You need to change your httpd.conf from
While the above certainly works, a better answer for old versions of Apache is to set AllowOverride FileInfo which enables all the mod_rewrite directives, along with a bunch of other directives you probably don't need or want in your .htaccess files such as
A better way as of Apache 2.4
Now with Apache 2.4 we can add something like this to our httpd.conf file to allow only the mod_rewrite directives RewriteEngine and RewriteRule:
AllowOverride None
AllowOverrideList RewriteEngine RewriteRule
And that will limit which directives can go inside the .htaccess file. If, for example, I try to add an Options directive, I will get an error like this in the Apache error log:
[Wed Sep 04 20:41:56.741898 2019] [core:alert] [pid 1382:tid 140461738030848] [client 127.0.0.1:37466] /var/www/dummy-host.example.com/.htaccess: Options not allowed here
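As an added example (not code from the post), the following Python script audits an .htaccess file against the AllowOverrideList configured in httpd.conf and reports the directives Apache would refuse with "not allowed here". The httpd.conf fragment and the .htaccess contents are constructed for the example; directive names are compared case-insensitively because Apache treats them that way, and section tags such as <IfModule> are simply skipped here (only plain directives are checked).

```python
# Constructed httpd.conf fragment, mirroring the restriction shown above.
HTTPD_CONF = """
<Directory /var/www/dummy-host.example.com>
    AllowOverride None
    AllowOverrideList RewriteEngine RewriteRule
</Directory>
"""

# Constructed .htaccess contents: mod_rewrite lines plus an Options line
# like the one Apache rejected in the log message above.
HTACCESS = """
# enable rewriting
RewriteEngine On
<IfModule mod_rewrite.c>
    rewriterule ^old$ /new [R=301,L]
</IfModule>
Options +Indexes
"""


def allowed_directives(conf):
    """Collect the directive names listed on AllowOverrideList lines.

    Apache directive names are case-insensitive, so everything is lower-cased.
    Several AllowOverrideList lines are simply merged (a simplification)."""
    allowed = set()
    for line in conf.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "allowoverridelist":
            allowed.update(p.lower() for p in parts[1:])
    return allowed


def directives_in_htaccess(text):
    """Yield the directive name of each plain directive line in an .htaccess
    file, skipping blank lines, comments and <Section>/</Section> tags."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        yield stripped.split()[0]


def rejected_directives(conf, htaccess):
    """Return the directives Apache would refuse ('not allowed here')."""
    allowed = allowed_directives(conf)
    return [d for d in directives_in_htaccess(htaccess) if d.lower() not in allowed]


if __name__ == "__main__":
    for directive in rejected_directives(HTTPD_CONF, HTACCESS):
        print(f"{directive}: not allowed here")
```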
Howto restrict what htaccess files can do on Apache was first published on September 04, 2019.