Top twenty htaccess security directives

.htaccess file is a very ancient and one of the most powerful configuration files that controls the Web Server (Apache HTTP Server) settings which runs your website. The powerful .htaccess file has the ability to control access of the www’s (World Wide Web) Hypertext Transfer Protocol (HTTP) using Password Protection, Error Page Redirects, 301 Redirects, URL rewrites etc.

Now I will show you how you can create a .htaccess file and put some directives into it to configure the security to prevent unwanted vulnerabilities.

You need to create .htaccess file and put it under root directory of your web application. If you are using windows operating system then you will not be able to create a file that starts with a ‘.‘. So you have to create the file from command (cmd) line tool using the command mkdir .htaccess. Then you can copy this created .htaccess file under the root directory of your project or web application.

You can also check Secure WordPress site using htaccess.

Next step is to write write security directives in the .htaccess file. As a first step you need to initialize the mod_rewrite engine for your Apache HTTP Server so that whatever configurations or directives you put in the .htaccess file, web server understands what to do with these directives.

First you need to make sure that the following entry is uncommented or available in the httpd.conf file under your Apache HTTP Server installation’s conf directory.

LoadModule rewrite_module modules/

Next you need to make sure that you turn on the RewriteEngine using the following directive in your .htaccess file.

RewriteEngine On

The following security directives will help you prevent most of the vulnerable things from happening in your server. If I do not mention any Apache version for any directive then the directive will work for both Apache version 2.2 and 2.4.

1. Prevent .htaccess file itself from external access using the following directive.

For Apache 2.2 use following directive:

<Files .htaccess>
 order deny,allow
 deny from all

For Apache 2.4 use following directive:

<Files .htaccess>
 Require all denied

2. Prevent directory browsing. The following directive will not allow anyone to browse the directory in the browser. Suppose you have a project directory structure like application/config and a user wants to see what are the files inside the directory config. So user will type a URL in the browser something like and user will be able to see all the files inside the config directory. To prevent such kind of thing we need the following directive

Options All -Indexes

3. Do not display server signature when an error occurs in the requested URL. Looking at your Apache server version hackers may attack on your server.

ServerSignature Off

4. Hotlinking refers to linking directly to non-html objects on other servers, such as images, movie, css, zip, pdf files etc. This can greatly impact bandwidth usage on your web site because someone may steal your bandwidth by referring to your image. Hotlink protection can save you lots of bandwidth by preventing other sites from displaying your non-html files. make sure you replace the by your actual domain name.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)*$ [NC]
RewriteRule \.(gif|jpg|jpeg|jpe|png|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]

5. Prevent use of specified methods in HTTP Request.


6. Block out use of illegal or unsafe characters in the HTTP Request.

RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

7. Block out use of illegal or unsafe characters in the Referrer Variable of the HTTP Request.

RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

8. Block out use of illegal or unsafe characters in any cookie associated with the HTTP Request.

RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

9. Block out use of illegal characters in URI or use of malformed URI.

RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

10. Block out use of empty User Agent Strings. Disable this rule if your site uses Payment Gateways like Paypal.

RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

11. Block out use of illegal or unsafe characters in the User Agent variable.

RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

12. Block out SQL injection attacks.

RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]

13. Block out reference to localhost/loopback/ in the Query String.

RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]

14. Block out use of illegal or unsafe characters in the Query String variable.

RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

15. File injection protection, by

RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]

16. Drop Range header when more than 5 ranges.

SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

17. Prevent PHP-CGI Vulnerability.

RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC]
RewriteRule (.*) - [F,L]

18. Don’t allow any pages to be framed – Defends against CSRF. Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.

If you do not want to allow frame from anywhere even from your website.

Header set X-Frame-Options DENY

If you want to allow frame only from your site.

Header set X-Frame-Options SAMEORIGIN

19. Turn on IE8-IE9 XSS prevention tools. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.

Header set X-XSS-Protection "1; mode=block"

20. Prevent mime based attacks.

Header set X-Content-Type-Options "nosniff"

Thanks for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *