Solved

htaccess and security with php

Posted on 2013-05-26
5
319 Views
Last Modified: 2013-05-26
I'm trying to improve security / reliability of our .htaccess file

Options +FollowSymlinks
ErrorDocument 404 http://www.website.com
ErrorDocument 403 http://www.website.com
Options -Indexes


RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [L,R=301]

Can you suggest security statements to prevent this file being hacked

or ensure that get/post requests were only handled by the server ip address

Or any other statements that would help secure the site ?
0
Comment
Question by:joomla
  • 3
  • 2
5 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39198303
If your Apache web server is configured correctly, '.htaccess' files can not be accessed or hacked from the web.  If someone breaks into the server as an authorized user, they might be able to make changes then.  

'get/post requests' normally have to be handled by the page they are sent to because it will have the code to process the information.  There is no generic way to handle those.  Sending the info to the server IP address only works if the target is the directory index which in this case should be 'index.php'.

Sending people to the index page of your web site for a 404 error is not very friendly or informative.
0
 

Author Comment

by:joomla
ID: 39198308
Can you tell me what these setting are intended to do ?



IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39198324
indexignore  http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexignore

According to one site, the <Limit GET POST> section is not correct.  The <Limit PUT DELETE> is probably not necessary because Apache does not provide handlers for those functions.
0
 

Author Comment

by:joomla
ID: 39198332
thanks for your help and clarifying my questions.

from my understanding of what you have said, there are no additional security options you can suggest to make the site more secure.

regards
Michael
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 39198375
Not with .htaccess.  There are things like blocking unwanted visitors but that tends to end up with long lists that take time for the server to go thru before your page is delivered.  You don't want to do that unless it is really necessary.

If you really are doing this for a Joomla site,  do a search for 'Joomla htaccess' and you'll find all kinds of different suggestions.  In general though, you want to put as little in .htaccess as you can because every single request has to be filtered by it.
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

In my time as an SEO for the last 2 years and in the questions I have assisted with on here I have always seen the need to redirect from non-www urls to their www versions. For instance redirecting http://domain.com (http://domain.com) to http…
Hi, in this article I'm going to teach you how to run your own site, and how to let people in (without IP). I'll talk about and explain each step... :) By the way, everything in this Tutorial is completely free and legal. This article is for …
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now