htaccess and security with php
I'm trying to improve security / reliability of our .htaccess file
Options +FollowSymlinks
ErrorDocument 404 http://www.website.com
ErrorDocument 403 http://www.website.com
Options -Indexes
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [L,R=301]
Can you suggest security statements to prevent this file being hacked
or ensure that get/post requests were only handled by the server ip address
Or any other statements that would help secure the site ?
Options +FollowSymlinks
ErrorDocument 404 http://www.website.com
ErrorDocument 403 http://www.website.com
Options -Indexes
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.website\.com$ [NC]
RewriteRule ^(.*)$ http://www.website.com/$1 [L,R=301]
Can you suggest security statements to prevent this file being hacked
or ensure that get/post requests were only handled by the server ip address
Or any other statements that would help secure the site ?
ASKER
Can you tell me what these setting are intended to do ?
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
indexignore http://httpd.apache.org/docs/current/mod/mod_autoindex.html#indexignore
According to one site, the <Limit GET POST> section is not correct. The <Limit PUT DELETE> is probably not necessary because Apache does not provide handlers for those functions.
According to one site, the <Limit GET POST> section is not correct. The <Limit PUT DELETE> is probably not necessary because Apache does not provide handlers for those functions.
ASKER
thanks for your help and clarifying my questions.
from my understanding of what you have said, there are no additional security options you can suggest to make the site more secure.
regards
Michael
from my understanding of what you have said, there are no additional security options you can suggest to make the site more secure.
regards
Michael
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
'get/post requests' normally have to be handled by the page they are sent to because it will have the code to process the information. There is no generic way to handle those. Sending the info to the server IP address only works if the target is the directory index which in this case should be 'index.php'.
Sending people to the index page of your web site for a 404 error is not very friendly or informative.