5.10 Ensure Access to .ht* Files Is Restricted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Restrict access to any files beginning with .ht using the FilesMatch directive.


The default name for access filename which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created. Also a common name for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but, in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.


Perform the following to implement the recommended state:
Add or modify the following lines in the Apache configuration file at the server configuration level.

<FilesMatch '^.ht'>
Require all denied

Default Value:

.ht* files are not accessible.

See Also