What Do You Use .Htaccess For Currently?

[Lee]

Those of you who are able to use .htaccess on your servers, what are you primarily using it for right now, redirecting traffic, pasword protection, anti-hotlinking, etc, etc?

Do you typically find that you are using your .htaccess file just to do one or two minor things or are you actually using the .htaccess protocols as much as possible to make things easier for you?

Regards,

Lee

[Squirt]

I use it for password protection and was using it to block a bunch of traffic hog countries that don't buy memberships

[raymor]

We of course do a LOT of stuff within .htaccess. Back in 1996-1997 we studied
all of the possibilities and things you could do with Apache configuration more
than just about anyone else in the industry, so we're familiar with a lot if neat
tricks. If I had studied marketing like the other webmasters did, rather than tech,
I probably would have made a ton more money, but here I sit, knowing all
kinds of stuff about what can be done with .htaccess, but having no traffic of
my own, I can only do .htaccess tricks with YOUR traffic.

Here are some things we do:

Strongbox of course uses a pretty complex .htaccess file along with JavaScript,
compiled C code, Perl, SSI, and a bit of PHP, all for different tasks related to securing
your site.

.htaccess rules can tell Throttlebox about different groups of people who have
different download limits.

Make long URLs easier by redirecting from a short URL. (Best for low traffic).

We still routinely fix .htaccess files which have in them "anti-hotlink" code that we
had posted on our site for about a week back in 1998. Sometime during that week,
a well known site with lots of traffic copied our page, and other sites copied from
them and so on, but with no credit link no one noticed that we corrected two
mistakes in it a few days later. Speaking of anti-hotlinking, in 1998 when we
created that code, which is now commonly used, we said it was NOT SECURE.
It would only discourage a hobbiest webmaster from hotlinking your stuff, but
people who hotlink for fun and profit could get around it. The bad guys are so
much more sophisticated now, that comment is even more true. The actual
bad guys will not be stopped by any anti-hotlink you can do in .htaccess.
It only stops someone from hotlinking something like your banner which you
ask them to upload to your own site. IN other words, it makes hotlinking
inconvenient, not impossible.

[raymor]

Another good use I forgot to mention isn't very common, but I think it should be.
For security reasons, we'll use .htaccess to selectively enable certain Apache
features, such as PHP, only in the directories where they are needed, or disable
them where they ought not be. You can also stop anyone from downloading files
in a certain directory, such as a "data" directory, or the directory where your password
file is stored, using:
deny from all

Readers of my past posts will know I've pointed out before that MOST server
hacks are due to security holes related to PHP. So it makes sense to turn off
PHP in any directories which don't use it. PHP also has a lot of security related
settings which you can set in .htaccess to make PHP far more secure. (Perhaps
it would be more accurate to say "less ridiculously insecure"). It's better to make
those security settings in the server wide configuration file, but if you don't have
a dedicated server, you can use .htaccess for that.

The reason that the main server config file is better than .htaccess for security
related stuff is that a hacker can often change your .htacess file. This happens
when you use a brain dead web host, or one using a brain dead control panel,
that runs something called "suexec". Suexec basically gives all of your visitors
FTP access, but a LOT of web hosts use a control panel that does that by
default and they don't fix the default setting. So anyway, the Apache config is
better than .htaccess for security stuff, if you're not paying attention to how your
server is set up security wise.

[HunkyLuke]

404 redirects and other redirects

[Fister]

Block folder searching for indexless folders.

[raymor]

Block folder searching for indexless folders.

That's a good one too. With fancy indexing options it an be pretty enough for
some public use, but mainly I use it for little things that I send to a few people.