httpd-users mailing list archives

From "Sheryl" <gubyd...@his.com>
Subject Re: [users@httpd] AllowOverride: Pros and Cons
Date Thu, 08 Jul 2010 15:42:13 GMT
> Hi All,
>
> I would like to hear your ideas of what are the pros and cons if I will
> set a specific directive-type for AllowOverride like AuthConfig,
> FileInfo, Indexes, Limit, and Options?

Most security guidelines say no to Indexes.  It's tolerable to allow
overrides on most things for a development box for developer convenience,
but by the time a site gets to production (particularly outside-facing)
pretty much anything worked out in .htaccess should be rolled into the
httpd.conf.

> I am just concerned about security matters that will produce if I will give
> the user full access on .htaccess (AllowOverride All) on their webroot?

I would resist, or at minimum get support for not allowing it in QA and
production.  Something you can use for support is the CISecurity Apache
Benchmark.  It's downloadable for free from cisecurity.org.  I just took a
quick look and they recommend "AllowOverride None".

Sheryl

>
> Thanks.
> James
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
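
The advice in the reply above (AllowOverride None in QA and production, with whatever was worked out in .htaccess rolled into httpd.conf), shown as an added configuration example that is not part of the original thread. The directory paths, the realm name and the password file location are assumptions made for illustration.

```apache
# Constructed example. /var/www/example, the "Restricted" realm and the
# htpasswd path are placeholders, not values from the thread.

# --- Development box: overrides enabled for developer convenience ---
# <Directory "/var/www/example">
#     AllowOverride AuthConfig Indexes
# </Directory>
#
# /var/www/example/private/.htaccess as worked out during development:
#     AuthType Basic
#     AuthName "Restricted"
#     AuthUserFile /etc/apache2/example.htpasswd
#     Require valid-user

# --- QA / production: same behaviour, rolled into httpd.conf ---

# Default for the whole filesystem: never read .htaccess files.
<Directory "/">
    AllowOverride None
</Directory>

<Directory "/var/www/example">
    # Anyone with write access to the webroot can no longer change
    # server behaviour by dropping in a .htaccess file.
    AllowOverride None
    # No automatically generated directory listings.
    Options -Indexes
</Directory>

# The directives that used to live in private/.htaccess.
<Directory "/var/www/example/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/example.htpasswd
    Require valid-user
</Directory>
```

With AllowOverride None the server also stops looking for .htaccess files in each directory on every request, and changes to access rules go through whoever maintains httpd.conf.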

