Best practices securing HTTP/HTTPS (continued)... Protect Server Files by Default One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients. For instance, consider the following example: # cd $HOME/public_html; ln -s /* . Accessing http://localhost/~$USER/. This would allow clients to walk through the entire file system. To work around this, add the following block to your server's configuration: Order Deny,Allow Deny from all This will forbid default access to file system locations.