Best practices securing HTTP/HTTPS (continued)...


Other sources of dynamic content

mod_php, mod_perl, mod_tcl, mod_python, etc..., run under the identity of the server itself, and therefore scripts executed by these engines potentially can access anything the server user can.  Some scripting engines may provide restrictions, but it is better to be safe and assume not.

Protecting System Settings

To run a really tight ship, you'll want to stop users from setting up .htaccess files which can override security features you've configured. One way of accomplishing this is to add the following to the server configuration file:

<Directory />
AllowOverride None
</Directory>

This prevents the use of .htaccess files in all directories apart from those explicitly enabled.