Pete Freitag

Limiting what htaccess files can do in Apache

Updated on June 25, 2024
By Pete Freitag

If you are running Apache 2.4 or greater (and there is a good chance you are these days), then you can make use of a new directive to control exactly which directives can go in the .htaccess files.

The directive is called AllowOverrideList, and with it you can specify which directives you want to allow in .htaccess files. This may sound similar to the AllowOverride directive, which tends to be configured as all or nothing, or rather None or All. AllowOverride does provide some options for limiting what .htaccess files can do, but it is not as fine-grained as AllowOverrideList.

If you search for "RewriteRule not working in htaccess", the answer will almost always be something like this:

You need to change your httpd.conf from AllowOverride None to AllowOverride All

While the above certainly works, a better answer for old versions of Apache is to set AllowOverride FileInfo, which enables all the mod_rewrite directives. But besides enabling the Rewrite directives, AllowOverride FileInfo will also enable a bunch of other directives you probably don't need or want in your .htaccess files, such as SetHandler, SetInputFilter, and SetOutputFilter.

A better way to restrict htaccess

Now with Apache 2.4 we can add something like this to our httpd.conf files to allow only RewriteEngine and RewriteRule:

AllowOverride None
AllowOverrideList RewriteEngine RewriteRule

And that will limit what directives can go inside the htaccess file by their exact name. If I try, for example, to add an Options directive, I will get an error like this:

[Wed Sep 04 20:41:56.741898 2023] [core:alert] [pid 1382:tid 140461738030848] [client 127.0.0.1:37466] /var/www/dummy-host.example.com/.htaccess: Options not allowed here

The AllowOverrideList directive gives you precise control over what directives can go inside your .htaccess files, a much better solution than AllowOverride.
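Because the list matches directives by exact name, it helps to inventory what an existing .htaccess file uses before switching to AllowOverrideList. The script below is an added example, not code from the original post: it checks .htaccess text against the allow-list from the httpd.conf snippet above and reports every directive that is not on it. The sample .htaccess content and the function names are constructed for illustration; note that the sample's RewriteCond line is not covered by the two-directive list.

```python
# Added example: check .htaccess text against an AllowOverrideList allow-list.
ALLOWED = ("RewriteEngine", "RewriteRule")  # the list from the page's httpd.conf

# Constructed sample .htaccess, not taken from a real site.
SAMPLE = r"""# force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 \
    [R=301,L]
Options -Indexes
<IfModule mod_headers.c>
    Header set X-Frame-Options DENY
</IfModule>
"""

def htaccess_directives(text):
    """Yield (line_number, directive_name) for each directive in the text."""
    pending, start = "", 0
    for num, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = num
        line = pending + raw
        if line.endswith("\\"):  # a trailing backslash continues the directive
            pending = line[:-1] + " "
            continue
        pending = ""
        line = line.strip()
        if line and not line.startswith("#"):
            yield start, line.split(None, 1)[0]

def audit(text, allowed=ALLOWED):
    """Return (not_listed, containers) found in .htaccess text."""
    allowed_lc = {name.lower() for name in allowed}  # directive names are case-insensitive
    not_listed, containers = [], []
    for num, name in htaccess_directives(text):
        if name.startswith("</"):
            continue  # closing tag of a container
        if name.startswith("<"):
            # Containers are only reported; the page does not cover how they
            # interact with AllowOverrideList, so this script does not judge them.
            containers.append((num, name))
        elif name.lower() not in allowed_lc:
            not_listed.append((num, name))
    return not_listed, containers

if __name__ == "__main__":
    not_listed, containers = audit(SAMPLE)
    for num, name in not_listed:
        print(f"line {num}: {name} is not in AllowOverrideList")
    for num, name in containers:
        print(f"line {num}: container {name} needs manual review")
```

Run it over each .htaccess file under the document root and add to AllowOverrideList only the reported directives you actually want to permit.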




Limiting what htaccess files can do in Apache was first published on September 04, 2019.
