Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Peter Lind
On 18 August 2010 01:41, tedd  wrote:
> At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
>>
>> On 10-08-17 04:17 PM, tedd wrote:
>>>
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> It depends on the server configuration. I think for the most part apache
>> servers disable viewing these files by default. But, in any event, when
>> these include access restriction, I always point it at a user/password file
>> outside the web tree.
>>
>> Cheers,
>> Rob.
>> --
>
> Rob:
>
> When you're on a shared hosting account, they typically prohibit files being
> outside of the web root. Some do, some don't. For example, GoDaddy.com
> prohibits files outside of the web root while Parasane.net doesn't, at least
> my experience with my accounts.
>
> I'm simply trying to find the "best" method to hide sensitive information on
> a shared hosting environment. Thus far, it appears that .htaccess files are
> the safest bet, but I understand that nothing is certain -- every method has
> risks.

Try accessing a .htaccess file that you have created - if you get a
403 or anything to that effect, you're safe. You might also want to
try the same with .htpasswd and .htgroups (they'll likely be blocked
as well, but better safe than sorry). That way you'll actually know if
they're safe instead of just relying on our guesses about your
servers.

Regards
Peter

-- 

WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
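
The check Peter describes above can be scripted. This is an added example, not part of the original thread: it requests the three dot-ht files and separates a real block (401/403) from a 200 that returns file contents and from a 200 that is only a custom error page. The host `example.test`, the verdict names, the content patterns and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

HT_FILES = (".htaccess", ".htpasswd", ".htgroups")  # names from the thread

# Signs that a 2xx body is the real file, not a custom error page.
DIRECTIVE = re.compile(
    r"^\s*(Auth(Type|Name|UserFile|GroupFile)\b|Rewrite(Engine|Rule|Cond)\b"
    r"|Require\s+(valid-user|user|group|all)\b|(Deny|Allow)\s+from\b)",
    re.I | re.M)
CREDENTIAL = re.compile(  # htpasswd-style "user:hash" line
    r"^[\w.@-]+:(\$apr1\$|\$2[aby]\$|\{SHA\}|[./0-9A-Za-z]{13}$)", re.M)


def http_fetch(url, timeout=10):
    """GET url and return (status, body); 4xx/5xx are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def classify(status, body):
    """Turn one response into a verdict string (names are this example's own)."""
    if status in (401, 403):
        return "blocked"
    if status == 404:
        return "not-served"   # hidden by the server, or the file is absent
    if 200 <= status < 300 and (DIRECTIVE.search(body) or CREDENTIAL.search(body)):
        return "EXPOSED"
    return "review"           # e.g. 200 with an error page, or a 5xx


def check_site(base_url, fetch=http_fetch):
    """Map each dot-ht file name to a verdict for the site at base_url."""
    base = base_url.rstrip("/")
    return {name: classify(*fetch(base + "/" + name)) for name in HT_FILES}


# Constructed responses standing in for a misconfigured host (not real data).
SAMPLE = {
    "https://example.test/.htaccess": (403, ""),
    "https://example.test/.htpasswd": (200, "alice:$apr1$constructed$notarealhash\n"),
    "https://example.test/.htgroups": (200, "<html><body>Page not found</body></html>"),
}

if __name__ == "__main__":
    for name, verdict in check_site("https://example.test", SAMPLE.get).items():
        print(f"{name:<10} {verdict}")
```

Against your own site, call `check_site("https://your-site")` with the default fetcher after creating the files you want to test.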



Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread tedd

At 4:23 PM -0400 8/17/10, Robert Cummings wrote:
> On 10-08-17 04:17 PM, tedd wrote:
>>
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> It depends on the server configuration. I think for the most part
> apache servers disable viewing these files by default. But, in any
> event, when these include access restriction, I always point it at a
> user/password file outside the web tree.
>
> Cheers,
> Rob.
> --


Rob:

When you're on a shared hosting account, they typically prohibit 
files being outside of the web root. Some do, some don't. For 
example, GoDaddy.com prohibits files outside of the web root while 
Parasane.net doesn't, at least my experience with my accounts.


I'm simply trying to find the "best" method to hide sensitive 
information on a shared hosting environment. Thus far, it appears 
that .htaccess files are the safest bet, but I understand that 
nothing is certain -- every method has risks.


GoDaddy.com brags about not being hacked in 6 years and thus offers 
some verbal assurances that they are secure. However, I am not sure 
as to what they would do if they were hacked and sensitive 
information was made public. I'll ask them in writing and see what 
they say.


In the meantime, I think I'll use .htaccess files for secure stuff.

Cheers,

tedd

--
---
http://sperling.com/




Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Robert Cummings

On 10-08-17 04:39 PM, Peter Lind wrote:
> On 17 August 2010 22:35, Robert Cummings wrote:
>>
>> On 10-08-17 04:23 PM, Peter Lind wrote:
>>>
>>> On 17 August 2010 22:17, tedd wrote:
>>>>
>>>> Hi gang:
>>>>
>>>> The subject line says it all.
>>>>
>>>> How secure is a .htaccess file to store passwords and other sensitive
>>>> stuff?
>>>>
>>>> Can a .htaccess file be viewed remotely?
>>>
>>> No, Apache won't serve it.
>>
>> It's a configuration setting though, and not a hard-coded feature.
>
> Set by default in your apache2.conf file which you're rather unlikely
> to mess with as that is not how you're setting up sites.


Totally agreed... but I've seen worse in my travels :)

Cheers,
Rob.
--
E-Mail Disclaimer: Information contained in this message and any
attached documents is considered confidential and legally protected.
This message is intended solely for the addressee(s). Disclosure,
copying, and distribution are prohibited unless authorized.




Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Peter Lind
On 17 August 2010 22:35, Robert Cummings  wrote:
>
>
> On 10-08-17 04:23 PM, Peter Lind wrote:
>>
>> On 17 August 2010 22:17, tedd  wrote:
>>>
>>> Hi gang:
>>>
>>> The subject line says it all.
>>>
>>> How secure is a .htaccess file to store passwords and other sensitive
>>> stuff?
>>>
>>> Can a .htaccess file be viewed remotely?
>>
>> No, Apache won't serve it.
>
> It's a configuration setting though, and not a hard-coded feature.

Set by default in your apache2.conf file which you're rather unlikely
to mess with as that is not how you're setting up sites.

Regards
Peter




Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Robert Cummings



On 10-08-17 04:23 PM, Peter Lind wrote:
> On 17 August 2010 22:17, tedd wrote:
>>
>> Hi gang:
>>
>> The subject line says it all.
>>
>> How secure is a .htaccess file to store passwords and other sensitive stuff?
>>
>> Can a .htaccess file be viewed remotely?
>
> No, Apache won't serve it.


It's a configuration setting though, and not a hard-coded feature.

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Cheers,
Rob.



Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Peter Lind
On 17 August 2010 22:17, tedd  wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive stuff?
>
> Can a .htaccess file be viewed remotely?

No, Apache won't serve it.

Regards
Peter




Re: [PHP] How safe is a .htaccess file?

2010-08-17 Thread Robert Cummings

On 10-08-17 04:17 PM, tedd wrote:
> Hi gang:
>
> The subject line says it all.
>
> How secure is a .htaccess file to store passwords and other sensitive stuff?
>
> Can a .htaccess file be viewed remotely?


It depends on the server configuration. I think for the most part apache 
servers disable viewing these files by default. But, in any event, when 
these include access restriction, I always point it at a user/password 
file outside the web tree.


Cheers,
Rob.