Top twenty htaccess security directives

.htaccess is a very ancient and one of the most powerful configuration files that controls the Web Server settings which runs your website. The powerful .htaccess file has the ability to control access of the WWW’s Hypertext Transfer Protocol(HTTP) using Password Protection, Error Page Redirects, 301 Redirects, URL rewrites etc.

Now we will see how we can create a .htaccess file and put some directives into it to configure the security.

Create .htaccess file and put it under root directory of your project. If you are using windows operating system then you will not be able to create a file which starts with ‘.’. So you have to create the file from command(cmd) prompt using the command ‘mkdir .htaccess’. Then you can copy this created .htaccess file put it under root directory of your project.
Now below onwards we will write everything inside the .htaccess file

We need to initialize the mod_rewrite engine so that whatever configurations or directives we put inside .htaccess file webserver understand what to do with these directives.

 

1. Prevent .htaccess file itself from external access using the following directive

 

2. Prevent directory browsing. The following directive will not allow anyone to browse the directory in the browser. Suppose you have a project directory structure like application/config and a user wants to see what are the files inside the directory config. SO user will type a URL in the browser something like http://www.example.com/application/config and user will be able to see all the files inside the config directory. To prevent such kind of thing we need the following directive

 

3. Do not display server signature when an error occurs in the requested URL.

 

4. Hotlinking refers to linking directly to non-html objects on other servers, such as images, movie, css, zip, pdf files etc. This can greatly impact bandwidth usage. Hotlink protection can save you lots of bandwidth by preventing other sites from displaying your non-html.

 

5. Prevent use of specified methods in HTTP Request

 

6. Block out use of illegal or unsafe characters in the HTTP Request

 

7. Block out use of illegal or unsafe characters in the Referrer Variable of the HTTP Request

 

8. Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request

 

9. Block out use of illegal characters in URI or use of malformed URI

 

10. Block out use of empty User Agent Strings. Disable this rule if your site uses Payment Gateways like Paypal.

 

11. Block out use of illegal or unsafe characters in the User Agent variable

 

12. Block out SQL injection attacks

 

13. Block out reference to localhost/loopback/127.0.0.1 in the Query String

 

14. Block out use of illegal or unsafe characters in the Query String variable

 

15. File injection protection, by SigSiu.net

 

16. Drop Range header when more than 5 ranges.

 

17. Prevent PHP-CGI Vulnerability.

 

18. Don’t allow any pages to be framed – Defends against CSRF

If you do not want to allow frame from anywhere even from your website

 

If you want to allow frame only from your site

 

19. Turn on IE8-IE9 XSS prevention tools

 

20. Prevent mime based attacks

 

Thanks for your reading. If you have any better idea please let us know.

Soumitra

Software Professional, I am passionate to work on web/enterprise application. For more information please go to about me. You can follow on Twitter. You can be a friend on Facebook or Google Plus or Linkedin

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.