Using htaccess for security purposes?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

Using htaccess for security purposes?

Post by Chalks »

I ran across this website today: http://www.0x000000.com/?i=558
He's got an htaccess file that he claims "protects you from nearly every webapplication attack there is." I know almost nothing about htaccess rules and whatnot, but that claim seems superfluous. Could one of you look at his code and explain if his claim is actually justified?
it2051229
Forum Contributor
Posts: 312
Joined: Tue Dec 25, 2007 8:34 pm

Re: Using htaccess for security purposes?

Post by it2051229 »

What about if you learn how to code .htaccess so you will know... it's worth the knowledge.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Using htaccess for security purposes?

Post by Mordred »

As with every application firewall, you need to worry about two things - false positives and false negatives.
Imagine a forum about SQL - no one would be able to talk about selects, unions and whatnot, because the .htaccess will stop them.
Imagine a forum about polar bears though - it's more unlikely that polar bear researchers have unions, or that they muse over what type of hamburger to select for breakfast.

Also, there are surely ways around these rules, especially if the admin applying the .htaccess is forced to change some of them (did you notice that the SQL-related list has select, insert and update, but not delete ;) ) The good thing is that "some" security is better than "no" security, so for some people and applications it may be the difference between being defaced by script kiddies and not.
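The false-positive/false-negative trade-off from the last reply, as an added example that is not part of the thread or of the linked .htaccess file. It emulates a case-insensitive keyword rule over the query string and measures what happens when an admin relaxes the list; the keyword lists are assumptions built only from the words named in the post, and the query strings are constructed.

```python
import re

# Assumed blocklist: only the SQL keywords the post names (note: no "delete").
FULL_LIST = ("select", "insert", "update", "union")
# Hypothetical relaxed list an SQL-forum admin might end up with
# after users complain that their searches are being rejected.
RELAXED_LIST = ("insert", "update")

# Constructed samples: (query string, is the request actually hostile?)
SAMPLES = [
    ("q=how+to+select+rows+with+a+union", False),      # SQL forum search
    ("q=which+hamburger+to+select", False),            # harmless wording
    ("q=polar+bear+diet", False),                      # harmless, no keywords
    ("id=1+union+select+password+from+users", True),   # injection attempt
    ("id=1;delete+from+users", True),                  # keyword not on the list
]


def is_blocked(query_string, keywords):
    """Emulate a keyword rule: reject if any keyword appears anywhere."""
    pattern = re.compile("|".join(re.escape(k) for k in keywords), re.IGNORECASE)
    return pattern.search(query_string) is not None


def evaluate(keywords, samples):
    """Return (false_positives, false_negatives) for a keyword list."""
    false_pos = [q for q, hostile in samples
                 if is_blocked(q, keywords) and not hostile]
    false_neg = [q for q, hostile in samples
                 if not is_blocked(q, keywords) and hostile]
    return false_pos, false_neg


if __name__ == "__main__":
    for name, keywords in (("full", FULL_LIST), ("relaxed", RELAXED_LIST)):
        fp, fn = evaluate(keywords, SAMPLES)
        print(f"{name:8} list: {len(fp)} legitimate requests blocked, "
              f"{len(fn)} hostile requests passed")
        for q in fp:
            print("   false positive:", q)
        for q in fn:
            print("   false negative:", q)
```

Relaxing the list removes the false positives but lets the injection attempt through, which is why input handling in the application itself (parameterized queries) cannot be replaced by a keyword filter.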