.htaccess security

security hosting linux apache-2.2 .htaccess

With security in mind, consider disabling .htaccess all together unless it is necessary within your site. (AllowOverride None) Then, you can set your options globally in Apache's configuration.

That said, symlinks aren't necessarily bad but you have to have a clear understanding of your implementation of Apache. To a non-chrooted Apache, symlinks certainly pose a significant risk to exposing files outside of your document root.


Options None provides more security because then there is no chance to gain access outside of the document root through symlinks.

It may have a marginal effect on performance. I'd have to check but by disallowing symlinks apache may have to lstat each file to determine if it is a symlink first.

Can you cite these sources that claim allowing symlinks would be better security and performance?

Edit: However, be aware that disallowing symlinks isn't bulletproof. The apache manual says "Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions." I.e., between the time lstat saying it isn't a link and the time apache reads it somebody could have turned it into a link.

Related

CRON messages being delayed for arbitrary long time in syslog
Install new wildcard SSL cert on top of existing single domain cert - any pitfalls?
How do I delete the Administrator account?
ISC DHCP - Force clients to get a new IP address, instead of the being re-issued their previous lease's IP
Why is module os_keypair not returning private_key?
How to change RDS KMS Key without losing data?
3 Exchange Mailboxes with 50GB and growing. Searching/Indexing is slow. Options?
WSUS not receiving updates?
Writing utf16 to file in binary mode
jQuery Deferred and Dialog box
ksoap2 org.xmlpull.v1.xmlpullparserexception expected start_tag error
Localizing enum values in resource bundle