5.10 Ensure Access to .ht* Files Is Restricted

Information

Restrict access to any files beginning with .ht using the FilesMatch directive.

Rationale:

The default name for access filename which allows files in web directories to override the Apache configuration is .htaccess. The usage of access files should not be allowed, but as a defense in depth a FilesMatch directive is recommended to prevent web clients from viewing those files in case they are created. Also a common name for web password and group files are .htpasswd and .htgroup. Neither of these files should be placed in the document root, but, in the event they are, the FilesMatch directive can be used to prevent them from being viewed by web clients.

Solution

Perform the following to implement the recommended state:
Add or modify the following lines in the Apache configuration file at the server configuration level.

<FilesMatch "^.ht">
Require all denied
</FilesMatch>

Default Value:

.ht* files are not accessible.

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|18.2

Plugin: Unix

Control ID: 567d61f681c1cf06a7779f0e97d3e055ced87b9a26bdbf18aa9aafbb6837badd