.htaccess

Last updated

An .htaccess ( hypertext access) file is a directory-level configuration file supported by several web servers, used for configuration of website-access issues, such as URL redirection, URL shortening, access control (for different web pages and files), and more. The 'dot' (period or full stop) before the file name makes it a hidden file in Unix-based environments.

Contents

A site could have more than one .htaccess file, and the files are placed inside the web tree (i.e. inside directories and their sub-directories), and hence their other name distributed configuration files. [1]

.htaccess files act as a subset of the server's global configuration file (like httpd.conf ) for the directory that they are in, or all sub-directories. [2]

The original purpose of .htaccess—reflected in its name—was to allow per-directory access control by, for example, requiring a password to access World Wide Web content. More commonly, however, the .htaccess files define or override many other configuration settings such as content type, character set, Common Gateway Interface handlers, etc.

Format and language

.htaccess files are written in the Apache Directives variant of the Perl Compatible Regular Expressions (PCRE) language. Learning basic PCRE itself can help in mastering work with these files.

For historical reasons, the format of .htaccess files is a limited subset of the Apache HTTP server's global configuration file httpd.conf [3] even when used with web servers such as Oracle iPlanet Web Server [4] and Zeus Web Server which have very different native global configuration files.

Common usage

Authorization, authentication
A .htaccess file is often used to specify security restrictions for a directory, hence the filename "access". The .htaccess file is often accompanied by a .htpasswd file which stores valid usernames and their passwords. [5]
URL rewriting
Servers often use .htaccess for rewriting long, overly comprehensive URLs to shorter and more memorable ones.
Blocking (access control)
Use allow/deny to block users by IP address or domain. Also used to block bad bots, rippers and referrers.
SSI
Enable server-side includes.
Directory listing
Control how the server will react when no specific web page is specified.
Customized error responses
Changing the page that is shown when a server-side error occurs, for example HTTP 404 Not Found or, to indicate to a search engine that a page has moved, HTTP 301 Moved Permanently. [6]
MIME types
Instruct the server how to treat different varying file types.
Cache control
.htaccess files allow a server to control caching by web browsers and proxies to speed up websites, [7] reduce bandwidth usage, server load, and perceived lag. .htaccess also adds the cache age to the webpage resources so that on revisiting the page, the elements are reloaded from browser cache till the age mentioned expires, instead of requesting the resource again from the server.
HTTPS & HSTS
Implementation of both HTTPS and HSTS on Apache servers is largely dependent on correct URL rewriting & header information mentioned in .htaccess file. Any incorrect syntax in the file while deploying HTTPS or HSTS leads to a failure in implementation.

Advantages

Immediate changes
Because .htaccess files are read on every request, changes made in these files take immediate effect – as opposed to the main configuration file, which requires the server to be restarted for the new settings to take effect.
Non-privileged users
For servers with multiple users, such as on shared web hosting, it is often desirable to allow individual users the ability to alter their site configuration. The use of .htaccess files allows such individualization, and by unprivileged users – because the main server configuration files do not need to be changed. [8]

Disadvantages

Controlling Apache using the main server configuration file httpd.conf [9] is often preferred for security and performance reasons: [10]

Performance loss
For each HTTP request, there are additional file-system accesses for parent directories when using .htaccess, to check for possibly existing .htaccess files in those parent directories which are allowed to hold .htaccess files. It is possible to programmatically migrate directives from .htaccess to httpd.conf if this performance loss is a concern. [11]
Security
Allowing individual users to modify the configuration of a server can cause security concerns if not set up properly. [12]
Syntax
.htaccess is usually very sensitive to syntax errors. Due to this any misspellings may lead to server errors and web resources in the directory with the erroneous .htaccess not being displayed at all.

Portions of the 2020 video game Mackerelmedia Fish , which explores themes of Internet culture, have been implemented directly on a website's open .htaccess directories. [13]

See also

Related Research Articles

<span class="mw-page-title-main">Apache HTTP Server</span> Open-source web server software

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. It is developed and maintained by a community of developers under the auspices of the Apache Software Foundation.

<span class="mw-page-title-main">Common Gateway Interface</span> Interface between Web servers and external programs

In computing, Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program to process HTTP or HTTPS user requests.

<span class="mw-page-title-main">Web server</span> Computer software that distributes web pages

A web server is computer software and underlying hardware that accepts requests via HTTP or its secure variant HTTPS. A user agent, commonly a web browser or web crawler, initiates communication by making a request for a web page or other resource using HTTP, and the server responds with the content of that resource or an error message. A web server can also accept and store resources sent from the user agent if configured to do so.

Jakarta Server Pages is a collection of technologies that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. Released in 1999 by Sun Microsystems, JSP is similar to PHP and ASP, but uses the Java programming language.

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and possibly performance in the process.

robots.txt Internet protocol

robots.txt is the filename used for implementing the Robots Exclusion Protocol, a standard used by websites to indicate to visiting web crawlers and other web robots which portions of the website they are allowed to visit.

In web applications, a rewrite engine is a software component that performs rewriting on URLs, modifying their appearance. This modification is called URL rewriting. It is a way of implementing URL mapping or routing within a web application. The engine is typically a component of a web server or web application framework. Rewritten URLs are used to provide shorter and more relevant-looking links to web pages. The technique adds a layer of abstraction between the files used to generate a web page and the URL that is presented to the outside world.

Server Side Includes (SSI) is a simple interpreted server-side scripting language used almost exclusively for the World Wide Web. It is most useful for including the contents of one or more files into a web page on a web server, using its #include directive. This could commonly be a common piece of code throughout a site, such as a page header, a page footer and a navigation menu. SSI also contains control directives for conditional features and directives for calling external programs. It is supported by Apache, LiteSpeed, nginx, IIS as well as W3C's Jigsaw. It has its roots in NCSA HTTPd.

<span class="mw-page-title-main">Configuration file</span> Software file used to configure the initial settings for a computer program

In computing, configuration files are files used to configure the parameters and initial settings for some computer programs or applications, server processes and operating system settings.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

A query string is a part of a uniform resource locator (URL) that assigns values to specified parameters. A query string commonly includes fields added to a base URL by a Web browser or other client application, for example as part of an HTML document, choosing the appearance of a page, or jumping to positions in multimedia content.

<span class="mw-page-title-main">Digest access authentication</span> Method of negotiating credentials between web server and browser

Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as username or password, with a user's web browser. This can be used to confirm the identity of a user before sending sensitive information, such as online banking transaction history. It applies a hash function to the username and password before sending them over the network. In contrast, basic access authentication uses the easily reversible Base64 encoding instead of hashing, making it non-secure unless used in conjunction with TLS.

For computer log management, the Common Log Format, also known as the NCSA Common log format, is a standardized text file format used by web servers when generating server log files. Because the format is standardized, the files can be readily analyzed by a variety of web analysis programs, for example Webalizer and Analog.

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

<span class="mw-page-title-main">HTTP 403</span> HTTP status code indicating that access is forbidden to a resource

HTTP 403 is an HTTP status code meaning access to the requested resource is forbidden. The server understood the request, but will not fulfill it, if it was correct.

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache. The software was created by Russian developer Igor Sysoev and publicly released in 2004. Nginx is free and open-source software, released under the terms of the 2-clause BSD license. A large fraction of web servers use Nginx, often as a load balancer.

<span class="mw-page-title-main">HTTP 301</span> HTTP response status code

On the World Wide Web, HTTP 301 is the HTTP response status code for 301 Moved Permanently. It is used for permanent redirecting, meaning that links or records returning this response should be updated. The new URL should be provided in the Location field, included with the response. The 301 redirect is considered a best practice for upgrading users from HTTP to HTTPS.

.htpasswd is a flat-file used to store usernames and password for basic authentication on an Apache HTTP Server. The name of the file is given in the .htaccess configuration, and can be anything, although ".htpasswd" is the canonical name. The file name starts with a dot, because most Unix-like operating systems consider any file that begins with a dot to be hidden. The htpasswd command is used to manage .htpasswd file entries.

<span class="mw-page-title-main">Web server directory index</span> Index page of a websites directory

When an HTTP client requests a URL that points to a directory structure instead of an actual web page within the directory structure, the web server will generally serve a default page, which is often referred to as a main or "index" page.

<span class="mw-page-title-main">ProFTPD</span> Open-source FTP server software

ProFTPD is an FTP server. ProFTPD is Free and open-source software, compatible with Unix-like systems and Microsoft Windows . Along with vsftpd and Pure-FTPd, ProFTPD is among the most popular FTP servers in Unix-like environments today. Compared to those, which focus e.g. on simplicity, speed or security, ProFTPD's primary design goal is to be a highly feature rich FTP server, exposing a large amount of configuration options to the user.

References

  1. Apache HTTP Server Tutorial: .htaccess files - Guide at Apache.org.
  2. "AllowOverride Directive" . Retrieved 2009-03-02.
  3. "Configuration Files" . Retrieved 2009-03-02.
  4. "Using the .htaccess file", Oracle.com
  5. "Apache Tutorial: Password Formats" . Retrieved 2009-03-02.
  6. "Webmaster Tools Help: 301 redirects" . Retrieved 2012-03-27.
  7. "How to Create and Edit WordPress htaccess File to Speed Up Your Website". WP Enlight. 2017-07-29. Archived from the original on 2017-09-12. Retrieved 2017-09-12.
  8. "Apache Tutorial: When (not) to use .htaccess files" . Retrieved 2008-01-12.
  9. "Configuration Files - Apache HTTP Server" . Retrieved 2008-01-12.
  10. "When Not to use .htaccess files". Httpd.apache.org. Retrieved 2009-09-02.
  11. "How to convert .htaccess to httpd.conf entries".
  12. "Protecting System Settings" . Retrieved 2009-03-02.
  13. Morton, Lauren (2020-03-30). "Look at this wacky fish ARG about exploring abandoned websites". Rock, Paper, Shotgun. Retrieved 2020-08-20.