5.10 Ensure Access to .ht* Files Is Restricted

Information

Restrict access to any files beginning with '.ht' using the 'FilesMatch' directive.

Rationale:

The default name for the access file which allows files in web directories to override the Apache configuration is '.htaccess'. The usage of access files should not be allowed, but as a defense in depth a 'FilesMatch' directive is recommended to prevent web clients from viewing those files in case they are created.

Also, common names for web password and group files are '.htpasswd' and '.htgroup'. Neither of these files should be placed in the document root, but in the event they are, the 'FilesMatch' directive can be used to prevent them from being viewed by web clients.

Solution

Perform the following to implement the recommended state:

Add or modify the following lines in the Apache configuration at the server configuration level:

Order allow,deny
Deny from all

See Also

https://workbench.cisecurity.org/files/2020

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT

References: 800-53|AC-3, 800-53|CM-7, CSCv6|18.3

Plugin: Unix

Control ID: 98c0e9e7285ac90b06aa89e35f835c32774fa9ec851a77f7dab0c6188c714690