Apache-.htaccess-Inspektor
Analysieren Sie .htaccess-Dateien auf Sicherheitsprobleme und Rewrite-Regeln
Inspecting Apache .htaccess Files for Security and Configuration Issues
Apache's .htaccess files provide directory-level configuration overrides that control URL rewriting, access control, authentication, and security headers. Their distributed nature — any directory can have its own .htaccess — makes them powerful but difficult to audit holistically. A single misconfigured RewriteRule can expose admin panels, directory listing can reveal file structure, and missing security headers leave applications vulnerable to XSS and clickjacking attacks.
The .htaccess Inspector analyzes your Apache configuration for security vulnerabilities, rewrite rule correctness, deprecated directives, and missing protections. It validates RewriteRule regex patterns, detects information disclosure risks, checks for proper authentication configuration, and identifies common misconfigurations that impact both security and performance. All processing happens entirely in your browser.
Rewrite Rule Analysis
Apache's mod_rewrite is powerful but notoriously complex. The inspector validates rewrite rules for common issues:
- Invalid regex patterns: Syntax errors that cause 500 Internal Server Error responses
- Missing flags: Rules without
[L](Last) flag continue processing additional rules, causing unexpected behavior - Redirect loops: Rules that match their own output, creating infinite redirect cycles
- Overly broad patterns:
^(.*)$matching all URLs when a more specific pattern was intended - Missing RewriteEngine On: Rules that have no effect because the rewrite engine is not activated
Each rewrite issue includes the specific rule, what it actually does versus likely intent, and a corrected version with proper flags and patterns.
Security and Access Control
The inspector detects security gaps in .htaccess configuration:
- Directory listing enabled: Missing
Options -Indexesexposes file structure when no index file exists - Unprotected sensitive files: Missing rules to block access to
.env,.git,wp-config.php, and backup files - Weak authentication:
AuthType Basicwithout HTTPS sends credentials in base64 (not encrypted) - Server signature: Missing
ServerSignature Offexposes Apache version in error pages - PHP configuration exposure: Allowing access to
phpinfo()output orphp.inifiles
Performance and Deprecated Directives
Beyond security, the inspector identifies configurations that impact performance or use deprecated syntax:
- Deprecated
Order/Deny/Allow: Apache 2.4+ usesRequiredirectives; old syntax causes unexpected behavior in mixed configurations - Excessive .htaccess reliance: Per-request file parsing adds overhead; rules that could be in the virtual host configuration should be moved there
- Missing compression: No
mod_deflateormod_gzipconfiguration for text-based content - Missing caching headers: No
mod_expiresorCache-Controlheaders for static assets
For performance-critical deployments, the inspector recommends migrating .htaccess rules to the main server configuration (httpd.conf or virtual host files) to eliminate per-request file system lookups. Apache must traverse each directory in the URL path looking for .htaccess files on every request, adding measurable latency under high traffic. The inspector distinguishes rules that require .htaccess (user-editable hosting) from those that should be in server config (dedicated servers where admin access is available).
Code Examples
Secure .htaccess Configuration
# Security hardening
Options -Indexes -Multiviews
ServerSignature Off
# Block sensitive files
<FilesMatch "^\.(env|git|htpasswd)$">
Require all denied
</FilesMatch>
# Block backup and config files
<FilesMatch "\.(bak|sql|log|ini|conf)$">
Require all denied
</FilesMatch>
# Security headers
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
# HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]