The Great World of the .htaccess File

Posted on : 12-Jan-2010 | By : jontroth | In : .htaccess file, Tricks & Treats

From my first day of web application development the .htaccess file has been my favourite quick and dirty file. It’s a perfect tool to get the job done when you don’t have write access or any permissions to the server’s main config files. Over the next few weeks I am going to post everything I have come across with regard to using the .htaccess file: security issues, redirecting traffic, the rewrite engine and helpful PHP commands.

Let’s start from the basics. The .htaccess file is a simple ASCII formatted file, so you can create and edit it in a basic text editor like SimpleText or NotePad. The file can only be used on UNIX systems and not on Windows NT. Not all 3rd party hosting servers are set up to use .htaccess files, though: some disable .htaccess altogether and some only disable certain commands.

The naming convention seems strange as the file name starts with a period and does not end with an extension. It is simply .htaccess. When creating an .htaccess file from scratch some editors will try to save the file with an extension like .htaccess.txt, so just make sure you remove the .txt before saving.

Some servers don’t like empty .htaccess files so before uploading you can add a number symbol “#”, that is a comment character, to make sure the system uses the file correctly. Make sure you upload the file as ASCII and not BINARY when using an FTP client, and then check that the CHMOD is 644 (RW-R--R--).

The .htaccess file reads one command per line, so if you are using a text editor with word wrap make sure the word wrap is disabled.

An .htaccess file that is in the root directory can affect the root and all subdirectories, though if you want to add or remove commands for specific folders then you can add a new .htaccess file to those directories with new commands.

Now you know the basics, though before you run off and start creating your new .htaccess file and experimenting, let’s review some safety precautions to keep you and your server happy.

  1. Always make sure your .htaccess file has a CHMOD of 644 (RW-R--R--). This will allow the server to read the file and execute it, and also keep would-be hackers from utilizing your file and causing malicious harm to your site and server.
  2. Make sure you upload in ASCII and not BINARY when using an FTP client.
  3. If you get a server error after you upload to your server, and the file is blank, then add a “#” symbol as some servers don’t like blank files.
  4. If you are adding a redirect command be careful to make sure it doesn’t loop on itself infinitely. If a server doesn’t have a timeout on redirects then your service provider could get a little angry with you.


Play it safe with your .htaccess file

Over the next few weeks I am going to add articles on how to set up .htaccess commands and how to implement them. So let’s start with a quickie that will prevent the .htaccess file from being viewed. As a best practice I would advise you to always add this to your .htaccess file, especially if you are using password protection with .htaccess.

<Files .htaccess>
order allow,deny
deny from all
</Files>

This snippet will cause a 403 error if a person tries to access the page using a browser. Making sure the file has a CHMOD of 644 (RW-R--R--) will also prevent this file from being viewed.
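The safety checklist and the self-protection block above can be checked mechanically. The script below is an added example, not code from the original post: it audits a file for mode 644, zero length, leftover CR line endings and a deny-all rule inside a `<Files .htaccess>` section. The helper names are hypothetical, and it also accepts the Apache 2.4 `Require all denied` form, which the post does not show.

```sh
#!/bin/sh
# Added example: audit .htaccess files against the checklist in this post.
# file_mode, has_deny_block and audit_htaccess are hypothetical helper names.

# Print the octal mode: GNU stat first, BSD/macOS stat as the fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if a deny-all rule sits inside a <Files .htaccess> section.
# "Require all denied" is the Apache 2.4 spelling (not shown in the post).
has_deny_block() {
    awk '{ l = tolower($0) }
         l ~ /^[ \t]*<files[ \t]+"?\.htaccess"?>/ { inside = 1 }
         inside && l ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
         l ~ /<\/files>/ { inside = 0 }
         END { exit !found }' "$1"
}

# Print one line per finding; the return status is the number of findings.
audit_htaccess() {
    f=$1
    findings=0
    mode=$(file_mode "$f")
    if [ "$mode" != "644" ]; then            # 644 is rw-r--r--
        echo "$f: mode is $mode, expected 644 (rw-r--r--)"
        findings=$((findings + 1))
    fi
    if [ ! -s "$f" ]; then                   # zero-byte file
        echo "$f: file is empty, add a '#' comment line"
        findings=$((findings + 1))
    fi
    if grep -q "$(printf '\r')" "$f"; then   # CR = Windows line endings
        echo "$f: CR line endings found, re-upload in ASCII mode"
        findings=$((findings + 1))
    fi
    if ! has_deny_block "$f"; then
        echo "$f: no <Files .htaccess> section that denies all access"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Audit every file named on the command line.
for path in "$@"; do
    audit_htaccess "$path" || true
done
```

A group-writable file (for example mode 664) is reported by the first check, since any account in the file's group could then rewrite the rules.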


Below is a list of features that I will be writing about over the next few weeks.
