With security in mind, consider disabling .htaccess altogether (AllowOverride None) unless it is necessary within your site. Then, you can set your options globally in Apache's configuration.

That said, symlinks aren't necessarily bad, but you have to have a clear understanding of your implementation of Apache. To a non-chrooted Apache, symlinks certainly pose a significant risk of exposing files outside of your document root.


Options None provides more security because then there is no chance to gain access outside of the document root through symlinks.

It may have a marginal effect on performance. I'd have to check, but by disallowing symlinks Apache may have to lstat each file to determine if it is a symlink first.

Can you cite these sources that claim allowing symlinks would be better security and performance?

Edit: However, be aware that disallowing symlinks isn't bulletproof. The Apache manual says "Omitting this option should not be considered a security restriction, since symlink testing is subject to race conditions." I.e., between the time lstat says it isn't a link and the time Apache reads it, somebody could have turned it into a link.
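
Because the symlink option is not a reliable restriction, it helps to know which links under a document root actually resolve outside it. The following is an added example, not part of the answers above: a Python audit that lists such links, run here against a constructed sample tree (the htdocs/ and private/ names and the helper functions are assumptions for illustration).

```python
import os
import tempfile


def find_escaping_symlinks(docroot):
    """List (link, resolved_target) for symlinks under docroot that resolve outside it."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report links to directories, but never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves the whole chain, including relative "../" targets.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout: htdocs/ (document root) beside private/."""
    docroot = os.path.join(base, "htdocs")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(docroot, "img"))
    os.makedirs(private)
    for path in (os.path.join(docroot, "index.html"), os.path.join(private, "secret.txt")):
        with open(path, "w") as handle:
            handle.write("sample\n")
    # Link that stays inside the document root: not reported.
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(docroot, "home.html"))
    # Absolute link to a directory outside the document root: reported.
    os.symlink(private, os.path.join(docroot, "img", "leak"))
    # Relative link that climbs out of the document root: reported.
    os.symlink("../../private/secret.txt", os.path.join(docroot, "img", "s.txt"))
    return docroot


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_escaping_symlinks(build_sample_tree(base)):
            print(f"{link} -> {target}")
```

This is a point-in-time audit: a link created after the scan is not seen, which is the same window the manual's race-condition warning describes.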