Inspecteur Apache .htaccess

Analysez les fichiers .htaccess pour problèmes de sécurité et règles rewrite

Inspecting Apache .htaccess Files for Security and Configuration Issues

Apache's .htaccess files provide directory-level configuration overrides that control URL rewriting, access control, authentication, and security headers. Their distributed nature — any directory can have its own .htaccess — makes them powerful but difficult to audit holistically. A single misconfigured RewriteRule can expose admin panels, directory listing can reveal file structure, and missing security headers leave applications vulnerable to XSS and clickjacking attacks.

The .htaccess Inspector analyzes your Apache configuration for security vulnerabilities, rewrite rule correctness, deprecated directives, and missing protections. It validates RewriteRule regex patterns, detects information disclosure risks, checks for proper authentication configuration, and identifies common misconfigurations that impact both security and performance. All processing happens entirely in your browser.

Rewrite Rule Analysis

Apache's mod_rewrite is powerful but notoriously complex. The inspector validates rewrite rules for common issues:

  • Invalid regex patterns: Syntax errors that cause 500 Internal Server Error responses
  • Missing flags: Rules without [L] (Last) flag continue processing additional rules, causing unexpected behavior
  • Redirect loops: Rules that match their own output, creating infinite redirect cycles
  • Overly broad patterns: ^(.*)$ matching all URLs when a more specific pattern was intended
  • Missing RewriteEngine On: Rules that have no effect because the rewrite engine is not activated

Each rewrite issue includes the specific rule, what it actually does versus likely intent, and a corrected version with proper flags and patterns.

Security and Access Control

The inspector detects security gaps in .htaccess configuration:

  • Directory listing enabled: Missing Options -Indexes exposes file structure when no index file exists
  • Unprotected sensitive files: Missing rules to block access to .env, .git, wp-config.php, and backup files
  • Weak authentication: AuthType Basic without HTTPS sends credentials in base64 (not encrypted)
  • Server signature: Missing ServerSignature Off exposes Apache version in error pages
  • PHP configuration exposure: Allowing access to phpinfo() output or php.ini files

Performance and Deprecated Directives

Beyond security, the inspector identifies configurations that impact performance or use deprecated syntax:

  • Deprecated Order/Deny/Allow: Apache 2.4+ uses Require directives; old syntax causes unexpected behavior in mixed configurations
  • Excessive .htaccess reliance: Per-request file parsing adds overhead; rules that could be in the virtual host configuration should be moved there
  • Missing compression: No mod_deflate or mod_gzip configuration for text-based content
  • Missing caching headers: No mod_expires or Cache-Control headers for static assets

For performance-critical deployments, the inspector recommends migrating .htaccess rules to the main server configuration (httpd.conf or virtual host files) to eliminate per-request file system lookups. Apache must traverse each directory in the URL path looking for .htaccess files on every request, adding measurable latency under high traffic. The inspector distinguishes rules that require .htaccess (user-editable hosting) from those that should be in server config (dedicated servers where admin access is available).

Code Examples

Secure .htaccess Configuration

# Security hardening
Options -Indexes -Multiviews
ServerSignature Off

# Block sensitive files
<FilesMatch "^\.(env|git|htpasswd)$">
    Require all denied
</FilesMatch>

# Block backup and config files
<FilesMatch "\.(bak|sql|log|ini|conf)$">
    Require all denied
</FilesMatch>

# Security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# HTTPS redirect
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]