Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

What is the .htaccess file and what do I use it for?

.htaccess - The Point of Discussion

The .htaccess (HyperText access) file is a directory-level configuration file that is supported by a good number of web servers and allows administrators to manage web server configuration in a decentralized way. The original purpose of .htaccess, as reflected in its name, was to allow per-directory access control, for example requiring a password to access a directory or file. Nowadays it is used for various other purposes: because .htaccess files can override many other configuration settings, including content type and character set, CGI handlers, etc., it can be very useful for penetration testers as well as webmasters.

Why .htaccess??

The web server reads these files every time the website is loaded, so changes to the .htaccess file take effect immediately, unlike changes to the server's main configuration file. .htaccess can also be used for authorization/authentication, i.e. permitting or denying a user access to certain content.

1. Authorization & Authentication

A .htaccess file is often used for both authentication and authorization, i.e. to specify security restrictions for a certain resource. The .htaccess file is often accompanied by a .htpasswd file, which stores valid usernames and their passwords for authentication purposes. We will see examples of both (authorization and authentication) later in this article.

2. Rewriting URLs

Rewriting is sometimes used as a conditional operator to add a filter that blocks a specific word or string in a statement.


SSI can actually be helpful for maintaining a website dynamically using input parameters specified by the administrators. SSI directories can be defined within the .htaccess itself.

4. Customizing the Error Responses

A .htaccess file can also be used to customize error messages. For example: what should happen if a 404 error occurs? Should the visitor be redirected to the homepage? We can also control other things such as MIME types, cache control, etc.

Where Should .htaccess Be Placed?

We have already discussed the various uses of .htaccess; now it is time to see where the .htaccess file should be placed for optimal performance. .htaccess should be placed inside the root web directory of the web server so that it has the same effect on all the content within the website, but sometimes it is placed in a specific directory to perform a particular task.

For example, a hosting company has set a maximum upload limit of 100 MB per image. What should a customer do if he wants to upload a picture that is 110 MB? He would contact the hosting company, of course. Instead of allowing 110 MB uploads server-wide for all users, the company would ask the user to place a .htaccess file inside the directory and set the upload limit to 110 MB.

Note: This file needs to be handled with the utmost care because of its sensitivity. Even a single mistake can lead to serious security problems, so if you don't know what you are doing, we would recommend not playing with it.


One of the main advantages of a .htaccess file is that changes made to it take immediate effect on the web server, as opposed to changes in the main configuration file, which often require the server to be restarted and can therefore cause downtime. Also, as the example above showed, .htaccess allows an unprivileged user to perform a privileged action without any need to change the main configuration file.


There are two main disadvantages of .htaccess: first, it causes a performance loss; second, it raises security concerns, as you are allowing unprivileged users to modify the configuration. For example, suppose the system administrator has disabled the use of symbolic links but overrides are allowed. If an attacker compromises a single website on the server, he could create a custom .htaccess that enables symlinks where they are not enabled by default, which would allow the attacker to read files outside the user's home directory. The following .htaccess file would allow an attacker to enable and follow symlinks:

    OPTIONS  Indexes Includes ExecCGI FollowSymLinks
    AddHandler txt .php
    AddHandler cgi-script .cgi
    AddHandler cgi-script .pl
    OPTIONS  Indexes Includes ExecCGI FollowSymLinks
    Options Indexes FollowSymLinks
    AddType txt .php
    AddType text/html .shtml
    Options All
    Options All
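The main-configuration side of this risk, as an added example that is not part of the original article: the commented-out section is the permissive setting that lets a file like the one above take effect, and the active section is a restricted alternative. The /home/*/public_html layout is an assumed shared-hosting path.

```apache
# httpd.conf or a vhost file (main server configuration, not .htaccess)
# Assumed layout: each customer site lives under /home/<user>/public_html

# Permissive: symlinks are switched off here, but "AllowOverride All" lets any
# customer's .htaccess switch them back on with an Options line.
#<Directory "/home/*/public_html">
#    Options -FollowSymLinks
#    AllowOverride All
#</Directory>

# Restricted: .htaccess may still configure authentication (AuthConfig),
# allow/deny rules (Limit) and directory listings (Options=Indexes), nothing else.
<Directory "/home/*/public_html">
    # Follow a symlink only when link and target have the same owner;
    # no CGI execution and no server-side includes by default
    Options -FollowSymLinks +SymLinksIfOwnerMatch -ExecCGI -Includes
    # "Options=Indexes" means an override such as "Options FollowSymLinks"
    # or "Options All" is rejected. FileInfo is not granted, so AddHandler
    # and AddType overrides are rejected as well.
    AllowOverride AuthConfig Limit Options=Indexes
</Directory>

# Apache's documentation notes that symlink checks are subject to race
# conditions, so file-system permissions between customers still matter.
```

With this setting, a request to a directory whose .htaccess contains a disallowed directive fails with a 500 error and a message in the error log, which makes such files easy to spot.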

As for the performance impact, the folks at Drupal Groups have provided a great explanation: "Here are some excerpts from Wrox's 'Professional Apache' in the chapter on improving Apache's performance:"

"If AllowOverride is set to anything other than 'None', Apache will check for directives in .htaccess files for each directory from the root all the way down to the directory in which the requested resource resides, after aliasing has been taken into account. This can be extremely time consuming since Apache does this check every time a URL is requested, so unless absolutely needed, always (set AllowOverride to 'None')"

Source - https://groups.drupal.org/node/22864

How can .htaccess help in improving security?

Preventing Common Attacks (But not fully). .htaccess can be used to define a blacklist of keywords that you would like to block when they arrive at the server. Take a look at the following example.

"RewriteEngine on" is responsible for starting the filtering process and is followed by the specific keyword you would like to block, which in this case is "order". In this way .htaccess can be used to create a blacklist to filter out malicious inputs for attacks such as SQLi, XSS, LFI, RFI, etc. However, this approach is not recommended, as a blacklist has never been the solution for any security-related problem; instead, the best option is to fix the vulnerabilities within the code, which can be detected via static or dynamic code analysis.
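A rule of the kind described above, written out as an added example (it is not the article's original rule, which was shown only as an image). It assumes mod_rewrite is loaded and that the main configuration grants "AllowOverride FileInfo" for the directory.

```apache
# .htaccess in the directory whose requests should be filtered

# Switch the rewrite engine on for this directory
RewriteEngine on

# Condition: the query string contains the keyword "order".
# [NC] makes the match case-insensitive (ORDER, Order, ...).
RewriteCond %{QUERY_STRING} order [NC]

# Action: "-" leaves the URL unchanged, [F] answers with 403 Forbidden.
RewriteRule ^ - [F]

# Limits of this filter:
#  - it is a substring match, so harmless requests such as ?style=border
#    or ?page=orders are refused as well
#  - only the query string is inspected; request bodies are not
```

Because of the false positives and the narrow coverage, a rule like this is a stop-gap at best; the fix belongs in the application code, as the article says.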

The following screenshots give examples on creating a blacklist with the help of .htaccess:


As discussed before, .htaccess can be very helpful for "authorization", i.e. we can define who is authorized to access the content. In simpler words, we can permit or deny specific person(s) based upon their IP address.

All we have to do is use the allow and deny keywords within the .htaccess file. This feature can be used as a security measure by admins to allow only their own IP to access the administrator page.


.htaccess can also be used to password-protect a directory; for that we also need a .htpasswd file. A .htpasswd file contains the usernames and passwords for basic authentication of users. The following is a great website that can be used to generate .htpasswd files:

  • http://www.htaccesstools.com/htpasswd-generator/

The protected content could be accessed as follows: http://username:[email protected]/directory/
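The IP restriction and the password protection described in the two passages above, as an added example that is not part of the original article. The address 203.0.113.10, the realm name and the path /home/example/.htpasswd are placeholders.

```apache
# .htaccess placed in the directory to protect (for example an admin area).
# The main configuration must grant "AllowOverride AuthConfig Limit" here.

# 1) Authorization by client IP with the allow/deny keywords.
#    This is Apache 2.2 syntax; Apache 2.4 accepts it via mod_access_compat.
# Evaluate Deny rules first, then let Allow rules override them
Order deny,allow
Deny from all
Allow from 203.0.113.10

# 2) Authentication against a password file (HTTP Basic)
AuthType Basic
# Realm text shown in the browser's login prompt
AuthName "Restricted area"
# Keep the password file outside the web root so it cannot be downloaded
AuthUserFile /home/example/.htpasswd
# Any user listed in the password file may log in
Require valid-user

# Apache 2.4 native form of 1) and 2) combined. It replaces the
# Order/Deny/Allow lines and the "Require valid-user" line above:
# <RequireAll>
#     Require ip 203.0.113.10
#     Require valid-user
# </RequireAll>
```

Basic authentication sends the credentials merely base64-encoded, so the directory should be served over HTTPS only. The htpasswd utility that ships with Apache can create the file locally (`htpasswd -c -B /home/example/.htpasswd username`), which avoids typing the password into a third-party site.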

The following screenshot demonstrates the use of .htaccess by etsy.com to protect the wp-admin page for WordPress.

Hiding Errors

This approach is also not recommended; it is known as security through obscurity, which means that if an attacker cannot find something, he is less likely to exploit it. The idea behind this technique is to turn off PHP errors, so that errors are not returned for common vulnerabilities such as SQLi, FPD, LFI, etc. However, this approach would only stop script kiddies, not real penetration testers.

The switches used when working with php_flag are: php_flag display_errors no/yes [on/off]

Last but not least, we would recommend the following video, in case you are really interested in learning more about this topic.


In this article, we tried to cover various aspects of the .htaccess file; however, this topic is far from over. Based upon your comments and feedback, we might come up with a part 2.

About Author

This article was originally written by Muhammad Adeel (independent security researcher); however, it was later modified by "Rafay Baloch" to make it clearer and more understandable.