how secure is .htaccess

adamherb

Guest
I want to host a website with standard websharing that is in OS X. I have heard that there are some ways that are out there that are easy to bypass. I don't want that, and I want to be sure that nobody can get to it. I understand that it is never going to be totally secure. I want to use the .htaccess type password folder securing so that the websites that I put in that folder are password protected. If I just stick the files that I want to share in that folder, and then put links on one of the pages to it, then will it be secure? I think that when someone wants to access that file that it will just ask for the password. Is there a way that I can make it so that the files can be viewed remotely, and that I don't have to put a link to every file?
1. What I want to know is if .htaccess is secure, and not bypassable.
2. If I put one of the .html files into the folder, and then link to it, will my server just ask for the password?
3. Is there a way that the remote person can see the files that I have in the folder?

Thank you to anyone reading this long post.
 
Joined: Jun 25, 2005 | Messages: 3,231 | Reaction score: 112 | Points: 63 | Location: On the road | Mac specs: 2011 MBP, i7, 16GB RAM, MBP 2.16Ghz Core Duo, 2GB ram, Dual 867Mhz MDD, 1.75GB ram, ATI 9800 Pro vid
The .htaccess file itself is as secure as the other content in the directory. So if your server supports using .htaccess to control logins, only those with a username and password should be able to get into the directory. A basic .htaccess for this purpose looks like this:

AuthName "Some Name to Present the User"
AuthType Digest
AuthDigestFile /home/myname/passwords/myusers.htdigest
require valid-user

The AuthName line gives the user a clue where they are logging in to.

The AuthType is the type of encryption used for the password. Basic is not encrypted at all, while Digest is encrypted. If you can, you want to use Digest. Review the man page for htdigest which is the command used to create usernames with encrypted passwords.

The AuthDigestFile line is the file created via htdigest. It should not be in a directory readable by the world. On my public .com site hosted by a hosting service, I place the file above the public_html directory where my web site is. I happen to know other users of the server could grab that file and try brute force methods to crack the passwords. But that is life. Nothing is totally secure. Since I am the only person accessing my other server at home, I know I'm the only one who can access the files. Given I don't get cracked.

The require line says that to access the directory files, the user needs to login successfully.

Whenever I set this stuff up, I start up a browser from scratch and try the site. One thing I do is enter a URL for a specific file such as an image.

So...

1. What I want to know is if .htaccess is secure, and not bypassable.
As far as I know, as long as the web server or .htaccess file hasn't been cracked and is working properly, it is not bypassable.

2. If I put one of the .html files into the folder, and then link to it, will my server just ask for the password?
Yes, a box will come up asking for a username and password.

3. Is there a way that the remote person can see the files that I have in the folder?
Only when logged in. If they can't enter a valid username/password, then they get an error to try again.
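
A small audit of the setup described in the answer above, added here as an example and not code from the thread: it reads the four directives shown, checks that the htdigest file sits outside the web root and is not readable by other local accounts, and checks that each entry's realm equals AuthName (Apache's Digest login fails when they differ). The function names, paths, user name and password are constructed for illustration.

```python
import hashlib, os, re, stat, tempfile

def htdigest_line(user, realm, password):
    # htdigest file format: user:realm:MD5(user:realm:password), hex-encoded
    digest = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{digest}\n"

def parse_htaccess(text):
    # Directive names are case-insensitive; surrounding quotes are dropped
    found = re.findall(r"^[ \t]*([A-Za-z]+)[ \t]+(.*\S)", text, re.M)
    return {k.lower(): v.strip('"') for k, v in found}

def audit(htaccess_text, docroot):
    conf, findings = parse_htaccess(htaccess_text), []
    for key, want in (("authtype", "digest"), ("require", "valid-user")):
        if conf.get(key, "").lower() != want:
            findings.append(f"{key} is not {want}")
    pwfile = conf.get("authdigestfile")
    if not pwfile or not os.path.isfile(pwfile):
        return findings + ["AuthDigestFile missing or not a file"]
    real, root = os.path.realpath(pwfile), os.path.realpath(docroot)
    if os.path.commonpath([real, root]) == root:
        findings.append("password file is inside the web root")
    if os.stat(real).st_mode & stat.S_IROTH:
        findings.append("password file is readable by other local accounts")
    with open(real) as fh:
        for n, line in enumerate(fh, 1):
            parts = line.rstrip("\n").split(":")
            if len(parts) != 3 or not re.fullmatch(r"[0-9a-f]{32}", parts[2]):
                findings.append(f"line {n}: not user:realm:md5hex")
            elif parts[1] != conf.get("authname"):
                findings.append(f"line {n}: realm does not match AuthName")
    return findings

def demo():
    # Constructed sample: throwaway directory tree, user name and password
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html"); os.mkdir(docroot)
    results = {}
    for label, where, realm in (("good", base, "Private Files"), ("bad", docroot, "Other")):
        pw = os.path.join(where, "myusers.htdigest")
        with open(pw, "w") as fh:
            fh.write(htdigest_line("alice", realm, "constructed-password"))
        os.chmod(pw, 0o644 if where == docroot else 0o640)
        ht = f'AuthName "Private Files"\nAuthType Digest\nAuthDigestFile {pw}\nrequire valid-user\n'
        results[label] = audit(ht, docroot)
    return results

if __name__ == "__main__":
    print(demo())
```

An empty list means none of these checks fired; it does not replace the browser test the answer describes.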
 
