Using .htaccess Files with Apache Page 5

As shown above, the AllowOverride directive takes a whitespace-separated list of category names as its argument.

Be Aware of What You're Granting

By allowing the use of .htaccess files in user (or customer or client) directories, you're essentially extending a bit of your Webmaster privileges to anyone who can edit those files. So if you choose to do this, you should consider occasionally performing an audit to make sure the files are appropriately protected -- and, if you're really ambitious, that they contain only settings of which you approve.

Because of the very coarse granularity of the possible override categories, it's quite possible that by granting a user the aility to override one set of directives you're inadvertently delegating more power than you anticipate. For instance, you might want to include a "AllowOverride FileInfo" directive for user directories so that individuals can use the AddType directive to label documents with MIME types that aren't in the server-wide list -- but were you aware when you did this that you were also giving them access to the Alias, Header, Action, and Rewrite* directives as well? Directives are associated with override categories on a per-module basis, so tracking down what's permitted by allowing a particular category of override can be a tedious process.

The ultimate answer to what directives are in which categories is the source code. If you really want to know, examine the source for the following strings:

String Corresponding AllowOverride Keyword
OR_AUTHCFG AllowOverride AuthConfig
OR_FILEINFO AllowOverride FileInfo
OR_INDEXES AllowOverride Indexes
OR_LIMIT AllowOverride Limit
OR_OPTIONS AllowOverride Options

(See the previous section for a description of what the different override categories mean.)

As you can see, with the exception of the AuthConfig/AUTHCFG keywords, the source keywords are identical to the directive keywords. This is convenient!

Putting It All Together

Before enabling .htaccess files, consider the advantages and disadvanteges. On servers I run myself, with no users, I tend to use .htaccess files for testing and debugging, and when I have a configuration I like, I move the directives into a <Directory> container in the httpd.conf file and delete the .htaccess file. For this reason, I have overrides enabled just about everywhere. This allows me to balance the convenience of .htaccess files against their performance impact.

On some of my servers I have some user accounts for people I know and trust, and in those environments I'm more cautious and don't allow all overrides globally. I do tend to allow whatever overrides my friends need for their own directories, though.

And in some cases I have real 'user' accounts, for people I do not know as well -- and on those servers AllowOverride None is the rule. I occasionally allow .htaccess files in their private directories, but I carefully audit the possible effects before granting an override category.

This article was originally published on Jul 19, 2000

Thanks for your registration, follow us on our social networks to keep up-to-date