.htaccess file

Posted on 2007-07-28
Medium Priority
Last Modified: 2010-03-04
In a folder of my Apache webserver I have a .htaccess file with this content:

"# This folder does not require access over HTTP
# (the following directive denies access by default)
Order allow,deny"

What does it mean? Does it allow or deny access?
Question by:lucavilla

Expert Comment

ID: 19587104
Neither? It tells you that "First, all Allow directives are evaluated; at least one must match, or the request is rejected. Next, all Deny directives are evaluated. If any matches, the request is rejected. Last, any requests which do not match an Allow or a Deny directive are denied by default." (http://httpd.apache.org/docs/1.3/mod/mod_access.html)

See also http://www.webreference.com/internet/apache/chap5/2/3.html.

Must I cite more?

I think you must look in what context that line is given, e.g.:

<FilesMatch "\.(html)$">
order allow,deny
deny from all
</FilesMatch>

Would mean:
"order allow,deny": first see who/what is allowed to see the files of the type html; then see who/what is denied access to those files.
"deny from all": everyone is denied access to the files of type html.


Author Comment

ID: 19587437
Oh, thanks numbers1to9 but it's more difficult than I expected.

It's better that I ask the direct question then:

I want to install PhpMyAdmin on an Apache webserver.
The last point of the "Quick Install" documentation at http://phpmyadmin.sourceforge.net/documentation says:
"You should deny access to the ./libraries subfolder in your webserver configuration. For Apache you can use supplied .htaccess file in that folder, for other webservers, you should configure this yourself. Such configuration prevents from possible path exposure and cross side scripting vulnerabilities that might happen to be found in that code."

The question is: what must that .htaccess file in the ./libraries subfolder contain?

Expert Comment

ID: 19587524
I believe that if you put:
<Directory />
  Order Deny,Allow
  Deny from all
</Directory>

It should suffice.

If the .htaccess is going to work at all you need to hav
AllowOverride None
Expert Comment

ID: 19587535
My last post wasn't quite finished... Stupid "submit button"...

... If the .htaccess is going to work at all you need to have
AllowOverride All set in your server "configuration file".

Mind you, I have all of this a very long time ago, and I barely remember if this is "correct".

At "http://httpd.apache.org/docs/2.2/mod/core.html#directory" you will find all directory functions available for you. And at "http://httpd.apache.org/docs/2.2/misc/security_tips.html" you will find some security pointers (see top Protect Server Files by Default).

(I am assuming that you have Apache 2.2, and that you are using a virtual host)

Accepted Solution

numbers1to9 earned 2000 total points
ID: 19587601
For some strange reason I can not get <directory /> to work, if you have the same problem try:

<Limit GET>
order deny,allow
deny from all
</Limit>

or simply just  "deny from all".
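
The Order/Allow/Deny rules quoted from the Apache documentation in the first comment, and the effect of wrapping them in `<Limit GET>` as in the accepted solution, worked through as an added example that is not part of the original thread. The function names and the sample client address are hypothetical; the model covers only `all`, full or partial IPv4 addresses and CIDR ranges (no hostnames), for the Order/Allow/Deny directives of Apache 2.2 and earlier.

```python
import ipaddress

def _matches(spec, client_ip):
    """True if an Allow/Deny "from" value covers client_ip."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form, e.g. 192.0.2.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # Full or partial IPv4 address ("10.1" covers 10.1.x.x, not 10.10.x.x).
    return (client_ip + ".").startswith(spec.rstrip(".") + ".")

def access_allowed(order, allow=(), deny=(), client_ip="203.0.113.7",
                   method="GET", limit=None):
    """Decision of one Order/Allow/Deny block for one request.

    limit: methods named in an enclosing <Limit ...>, or None if there is none.
    """
    if limit is not None:
        covered = {m.upper() for m in limit}
        if "GET" in covered:
            covered.add("HEAD")  # <Limit GET> also restricts HEAD
        if method.upper() not in covered:
            return True  # this block places no restriction on the method
    allowed = any(_matches(s, client_ip) for s in allow)
    denied = any(_matches(s, client_ip) for s in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        return allowed and not denied  # default deny, a Deny match wins
    if key == "deny,allow":
        return allowed or not denied   # default allow, an Allow match wins
    raise ValueError("unsupported Order value: %r" % order)

def demo():
    """Constructed cases taken from the configurations in this thread."""
    return {
        "Order allow,deny alone": access_allowed("allow,deny"),
        "Order deny,allow alone": access_allowed("deny,allow"),
        "deny,allow + Deny from all": access_allowed("deny,allow", deny=["all"]),
        "<Limit GET> deny all, GET": access_allowed(
            "deny,allow", deny=["all"], method="GET", limit=["GET"]),
        "<Limit GET> deny all, POST": access_allowed(
            "deny,allow", deny=["all"], method="POST", limit=["GET"]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-30s -> %s" % (case, "allowed" if ok else "denied"))
```

A `True` for the POST case means only that the `<Limit GET>` block itself imposes no restriction on that method; a bare `deny from all` outside any `<Limit>` applies to every method.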

Author Comment

ID: 19588652
I found that my original .htaccess file already denies access from my browser.  :)

Anyway I awarded you for your effort. Thanks!

Expert Comment

ID: 19588880
YEAH!!! yeah! My SECOND 500 points! Yeah! I rule! YEAH! *dancing*

Author Comment

ID: 19588980
Thanks again. You're a great value for Experts-Exchange!
By the way where are you from?

Expert Comment

ID: 19631996
Sorry, didn't see your post.

Great value for Experts-Exchange? What about a great value for humanity? -- World peace depends on me!

Where I am from? A little blue planet in the Sol system, located in the Milky way.

Author Comment

ID: 19633713
numbers1to9 you have my vote for a Nobel prize :)
