
Following an answer to this question, I'm starting to look at keeping multiple .htaccess files for my different environments. The gist of it is, you create a file for each environment (.htaccess-dev, .htaccess-prod, etc) so you can track them all in Git, then symlink .htaccess to whichever file you want to use on a given environment. Simple enough, and easy to rebuild if it gets destroyed.

Before I implement this though, I wanted to do my diligence - I can't find anything relating to security of .dotfiles past .htaccess/.htpasswd. If I had .htaccess-dev and .htaccess-prod on my production server, would they be accessible through a browser? Are there any other security considerations I should be aware of?

CodeMoose

1 Answer


There's probably something like this inside your server configuration (older Apache):

# FilesMatch takes a regex; the dot must be escaped, otherwise "^.ht"
# means "any character followed by ht" (it would also catch xhtml.txt).
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

Or maybe this (new Apache):

<Files ".ht*">
    Require all denied
</Files>

Or even this (nginx):

location ~ /\.ht {
    deny  all;
}

As the first line of each bit suggests, these rules restrict access to any file starting with .ht. However, there's no guarantee that this configuration option is there, it just happens to be in the default config for some web servers.

In short, there's nothing magical about .htaccess files not being accessible, it's all in your config file. In your case, your alternative htaccess files happen to match the rule, but you're probably better off just writing similar rules for other files you want to deny access to, so you can make it explicit that you do want these stored but don't want them published.

Wander Nauta
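The three rules above use three different matching mechanisms (Apache `<FilesMatch>` is a regex on the filename, Apache `<Files>` is a shell wildcard on the filename, nginx `location ~` is a regex on the whole request URI), so before relying on them it is worth checking which request paths each one actually catches. The script below is an added example and not part of the answer or of any server's code: it emulates those three matching rules in Python on a constructed list of paths, shows that `.htaccess-dev` and `.htaccess-prod` are caught but other tracked secrets (`.env`, `config.yml.bak`) are not, shows that a regex written `^.ht` without the backslash also denies unrelated names like `xhtml.txt`, and generates the explicit deny blocks the answer recommends. The helper names and the sample paths are assumptions made for the example; Python's `re` stands in for Apache's and nginx's PCRE, which is equivalent for patterns this simple.

```python
import fnmatch
import re

# Patterns from the three config snippets in the answer. Apache's <Files> and
# <FilesMatch> are matched against the final path component of the requested
# file; nginx's "location ~" is matched against the request URI.
APACHE_FILESMATCH_UNESCAPED = r"^.ht"   # regex: any one char, then "ht"
APACHE_FILESMATCH_ESCAPED = r"^\.ht"    # what Apache's stock httpd.conf ships
APACHE_FILES_GLOB = ".ht*"              # <Files> uses shell-style wildcards
NGINX_LOCATION_RE = r"/\.ht"            # location ~ /\.ht


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def apache_filesmatch_denies(pattern: str, path: str) -> bool:
    """<FilesMatch "pattern">: unanchored regex search on the filename."""
    return re.search(pattern, _basename(path)) is not None


def apache_files_denies(glob: str, path: str) -> bool:
    """<Files "glob">: shell wildcard (* and ?) match on the filename."""
    return fnmatch.fnmatchcase(_basename(path), glob)


def nginx_location_denies(pattern: str, uri: str) -> bool:
    """location ~ pattern: regex search anywhere in the request URI."""
    return re.search(pattern, uri) is not None


def coverage(paths):
    """Return {path: (old_apache, new_apache, nginx)} for each request path."""
    return {
        p: (
            apache_filesmatch_denies(APACHE_FILESMATCH_ESCAPED, p),
            apache_files_denies(APACHE_FILES_GLOB, p),
            nginx_location_denies(NGINX_LOCATION_RE, p),
        )
        for p in paths
    }


def explicit_deny_apache(filenames):
    """Apache 2.4 <Files> blocks that deny each named file explicitly."""
    return "\n".join(
        f'<Files "{name}">\n    Require all denied\n</Files>' for name in filenames
    )


def explicit_deny_nginx(filenames):
    """One nginx location block whose regex lists the names as exact alternatives."""
    alternatives = "|".join(re.escape(name) for name in filenames)
    return f"location ~ /(?:{alternatives})$ {{\n    deny all;\n}}"


if __name__ == "__main__":
    # Constructed sample request paths (assumption for the example, not from the question).
    sample = ["/.htaccess", "/.htaccess-dev", "/.htaccess-prod", "/sub/.htpasswd",
              "/xhtml.txt", "/.env", "/.git/config", "/config.yml.bak"]
    print(f"{'path':20} old-apache new-apache nginx")
    for p, (old, new, ngx) in coverage(sample).items():
        print(f"{p:20} {old!s:10} {new!s:10} {ngx}")
    # The unescaped variant over-matches: xhtml.txt is denied too.
    print("xhtml.txt denied by ^.ht:",
          apache_filesmatch_denies(APACHE_FILESMATCH_UNESCAPED, "/xhtml.txt"))
    # Explicit rules for tracked files that none of the .ht rules cover.
    print(explicit_deny_apache([".env", "config.yml.bak"]))
    print(explicit_deny_nginx([".env", "config.yml.bak"]))
```

Run it directly to see the coverage table; the point of the table is the rows where all three columns are False, since those are the files that will be served unless you add a rule for them. This only emulates the pattern matching, so after deploying the rules, confirm with a real request (for example `curl -I https://host/.htaccess-dev`) that the server returns 403 rather than 200.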