Different methods of denying access in httaccess

I want to deny the access to all files and subdirectories in a given folder via .htaccess. I found this two methods:

deny from all
<Files "*">
    Order Deny,Allow
    Deny from all
</Files> 

Is there any difference between this two?


Solution 1:

As noted in comments, the Deny and Order directives are formerly deprecated on Apache 2.4 (which I would assume you are using - see below). And are intended for backwards compatibility only (mod_access_compat). These should only be used on Apache 2.2 and earlier.

deny from all

Yes, this does "deny" all access to the current directory, files and subdirectories. However, without explicitly stating the Order in which the Deny and Allow directives are processed then how it interacts with related directives is not clearly defined.

Allow directives in a subdirectory .htaccess file should override this.

<Files "*">
    Order Deny,Allow
    Deny from all
</Files>

By wrapping the directives in a <Files> container you are forcing the block to be merged late. This has the effect of potentially overriding Allow directives in a subdirectory, unlike the example above. Unless the Allow directives in a subdirectory are also enclosed in a <Files> container. This may or may not be desirable. In most cases this is not required.

The * is simply a wildcard that matches all files (and directories).

On Apache 2.4 you should use the Require directive (mod_authz_core) instead:

Require all denied

The same regarding the <Files "*"> container would apply here also.