From: tedd on 17 Aug 2010 16:17

Hi gang:

The subject line says it all.

How secure is a .htaccess file to store passwords and other sensitive stuff?

Can a .htaccess file be viewed remotely?

Cheers,

tedd

--
-------
http://sperling.com/

From: Robert Cummings on 17 Aug 2010 16:23

On 10-08-17 04:17 PM, tedd wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive stuff?
>
> Can a .htaccess file be viewed remotely?

It depends on the server configuration. I think for the most part apache servers disable viewing these files by default. But, in any event, when these include access restriction, I always point it at a user/password file outside the web tree.

Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any attached documents is considered confidential and legally protected. This message is intended solely for the addressee(s). Disclosure, copying, and distribution are prohibited unless authorized.

From: Peter Lind on 17 Aug 2010 16:23

On 17 August 2010 22:17, tedd <tedd(a)sperling.com> wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive stuff?
>
> Can a .htaccess file be viewed remotely?

No, Apache won't serve it.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>

From: Robert Cummings on 17 Aug 2010 16:35

On 10-08-17 04:23 PM, Peter Lind wrote:
> On 17 August 2010 22:17, tedd<tedd(a)sperling.com> wrote:
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> No, Apache won't serve it.

It's a configuration setting though, and not a hard-coded feature.

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

Cheers,
Rob.

From: Peter Lind on 17 Aug 2010 16:39

On 17 August 2010 22:35, Robert Cummings <robert(a)interjinn.com> wrote:
> On 10-08-17 04:23 PM, Peter Lind wrote:
>> On 17 August 2010 22:17, tedd<tedd(a)sperling.com> wrote:
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> No, Apache won't serve it.
>
> It's a configuration setting though, and not a hard-coded feature.

Set by default in your apache2.conf file which you're rather unlikely to mess with as that is not how you're setting up sites.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
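
Added example, not part of the thread and not written by any of its participants: a small Python check for the two points raised in the replies, that the `.ht*` deny rule is a configuration setting rather than a hard-coded feature, and that the password file belongs outside the web tree. The sample configuration, paths and function names are constructed for illustration; the check reads one configuration text only (no `Include` handling) and considers absolute `AuthUserFile` paths.

```python
import fnmatch
import posixpath
import re

# Constructed sample config for illustration (not from any poster's server).
SAMPLE_CONF = r'''
DocumentRoot "/var/www/site"
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
<Directory "/var/www/site/private">
    AuthType Basic
    AuthUserFile /var/www/site/private/.htpasswd
    Require valid-user
</Directory>
'''

SECTION = re.compile(r'<(Files|FilesMatch)\s+"?([^"\s>]+)"?\s*>(.*?)</\1\s*>', re.S | re.I)
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.M | re.I)
NAMES = (".htaccess", ".htpasswd")

def _directive(conf, name):
    """Values of a one-argument directive, ignoring comment lines."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)
    return re.findall(r'(?mi)^[ \t]*%s\s+"?([^"\s]+)"?' % name, conf)

def ht_files_denied(conf):
    """True if a <Files>/<FilesMatch> section covering .ht* denies all access."""
    conf = re.sub(r'(?m)^\s*#.*$', '', conf)
    for kind, pattern, body in SECTION.findall(conf):
        if kind.lower() == "filesmatch":   # argument is a regular expression
            covers = all(re.search(pattern, n) for n in NAMES)
        else:                              # <Files> takes shell-style wildcards
            covers = all(fnmatch.fnmatch(n, pattern) for n in NAMES)
        if covers and DENY.search(body):
            return True
    return False

def password_files_in_web_tree(conf):
    """AuthUserFile paths (absolute only) that sit under a DocumentRoot."""
    roots = [posixpath.normpath(r) for r in _directive(conf, "DocumentRoot")]
    return [p for p in _directive(conf, "AuthUserFile")
            if any(posixpath.normpath(p).startswith(r + "/") for r in roots)]

if __name__ == "__main__":
    print(ht_files_denied(SAMPLE_CONF), password_files_in_web_tree(SAMPLE_CONF))
```

On the sample, the deny rule is found but the password file is flagged because it sits under the document root, so its protection rests entirely on that one configuration block.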