Top twenty htaccess security directives

.htaccess is a very ancient and one of the most powerful configuration files that controls the Web Server settings which runs your website. The powerful .htaccess file has the ability to control access of the WWW’s Hypertext Transfer Protocol(HTTP) using Password Protection, Error Page Redirects, 301 Redirects, URL rewrites etc.

Now we will see how we can create a .htaccess file and put some directives into it to configure the security.

Create .htaccess file and put it under root directory of your project. If you are using windows operating system then you will not be able to create a file which starts with ‘.’. So you have to create the file from command(cmd) prompt using the command ‘mkdir .htaccess’. Then you can copy this created .htaccess file put it under root directory of your project.
Now below onwards we will write everything inside the .htaccess file

We need to initialize the mod_rewrite engine so that whatever configurations or directives we put inside .htaccess file webserver understand what to do with these directives.

RewriteEngine On


1. Prevent .htaccess file itself from external access using the following directive

<Files .htaccess>
 order allow,deny
 deny from all


2. Prevent directory browsing. The following directive will not allow anyone to browse the directory in the browser. Suppose you have a project directory structure like application/config and a user wants to see what are the files inside the directory config. SO user will type a URL in the browser something like and user will be able to see all the files inside the config directory. To prevent such kind of thing we need the following directive

Options All -Indexes


3. Do not display server signature when an error occurs in the requested URL.

ServerSignature Off


4. Hotlinking refers to linking directly to non-html objects on other servers, such as images, movie, css, zip, pdf files etc. This can greatly impact bandwidth usage. Hotlink protection can save you lots of bandwidth by preventing other sites from displaying your non-html.

#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)*$ [NC]
#RewriteRule \.(gif|jpg|jpeg|jpe|png|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]


5. Prevent use of specified methods in HTTP Request



6. Block out use of illegal or unsafe characters in the HTTP Request

RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]


7. Block out use of illegal or unsafe characters in the Referrer Variable of the HTTP Request

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]


8. Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request

RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]


9. Block out use of illegal characters in URI or use of malformed URI

RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]


10. Block out use of empty User Agent Strings. Disable this rule if your site uses Payment Gateways like Paypal.

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]


11. Block out use of illegal or unsafe characters in the User Agent variable

RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]


12. Block out SQL injection attacks

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]


13. Block out reference to localhost/loopback/ in the Query String

RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]


14. Block out use of illegal or unsafe characters in the Query String variable

RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]


15. File injection protection, by

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]


16. Drop Range header when more than 5 ranges.

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range


17. Prevent PHP-CGI Vulnerability.

RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]


18. Don’t allow any pages to be framed – Defends against CSRF

If you do not want to allow frame from anywhere even from your website

Header set X-Frame-Options DENY


If you want to allow frame only from your site

Header set X-Frame-Options SAMEORIGIN


19. Turn on IE8-IE9 XSS prevention tools

Header set X-XSS-Protection "1; mode=block"


20. Prevent mime based attacks

Header set X-Content-Type-Options "nosniff"


Thanks for your reading. If you have any better idea please let us know.

Related posts

Leave a Comment