Securing .htaccess

 Magereport says The "/var" path appears unprotected (cacheleak).  The instructions on how to fix it state that a .htaccess file needs to be "under /var" - this is confusing to me.  I have an .htaccess file in /var/www/html/magento/app/ so technically, this is "under" /var.  I'm running CentOS 5 and I'm not sure how to fix the problem.  Can someone please help?


Thank you.



Re: Securing .htaccess

On a server running Apache2 for its web server, access to various subdirectories in the Magento directory tree is protected with .htaccess files that have default deny set to prevent public access to that directory and all its subdirectories.


There are quite a few of these .htaccess files throughout. The one in var/ is created automatically by Magento. If it is not being read and obeyed, you need to set AllowOverride All in the .htaccess file in your document root. If this doesn't work, then you need to study up on running Apache securely before proceeding.


If you're using nginx because somebody told you it was faster, you need to figure out how to translate all those Apache2 .htaccess files into nginx's equivalent setup file.


magento/var/ is not the same as magento/app/; it's beside magento/app/. The reading of .htaccess files by Apache2 is a top-down cascade. Directories without them default to whatever is up above on the way to the document root, not sitting beside.

Re: Securing .htaccess

I'm running Apache.


"The one in var/ is created automatically by Magento. If it is not being read and obeyed,"  How would I go about determining if it's being read and obeyed?


"There are quite a few of these .htaccess files throughout." - A locate turns up 3, all underneath /var/www/html/magento/ in various subdirectories.


"you need to set allowoverride all in the .htaccess file in your document root" - My Document Root is in fact /var/www/html/magento/. This is a webserver dedicated to Magento. There is NO .htaccess file directly within the document root. It's in





Re: Securing .htaccess

OK I see where you are getting confused. There are two "/var" directories and you are talking about the one in your file system root which is "/var" whereas Magereport is talking about the one in the Apache Document root, which for your installation would be "/var/www/html/magento/var/". 

Basically MageReport cannot see anything higher in your file structure than "/var/www/html/magento", so when it talks about "/var" it is talking about "/var/www/html/magento/var". Does this make sense to you?



What you need to solve your problem is the correct .htaccess file placed in the "/var/www/html/magento/" folder. It is a common mistake to copy files across to the Apache document root using the "cp -r * /var/www/html/magento/" command and not realize that this command leaves out the critical .htaccess file when copying from your original folder to the Apache document root.

Go look in the folder you originally checked out or unzipped Magento to. In there, you will see a .htaccess file that is not in your Document root. Copy it to your document root at "/var/www/html/magento/" and you should be on your way. If that was actually your problem, make sure you set your SELinux permissions on the files you copied to your document root too, as Apache and CentOS will throw a fit if they are not set properly.

Subscribe to my Magento Security Podcast

Re: Securing .htaccess

OK, I've copied the .htaccess file from the original Magento installation directory per recommendations. It now resides in "/var/www/html/magento/var". Permissions are set to 644 for that file. Owner and group are:

-rw-r--r--. 1 apache root 5667 Jan 19 09:44 .htaccess

Magereport is STILL showing an unprotected /var path.

Re: Securing .htaccess

Your .htaccess file should be in the "/var/www/html/magento/" folder. You placed it in the "/var/www/html/magento/var" folder. I know these can get confusing sometimes.

Subscribe to my Magento Security Podcast

Re: Securing .htaccess

It actually is in /var/www/html/magento/. I'm sorry, I incorrectly added the /var in my post above.


[root@webserver var]# locate .htaccess

Re: Securing .htaccess

I never got a resolution to this. From what I can tell, my .htaccess file is in the correct location. Anyone able to help?

Re: Securing .htaccess


 Is it possible that your Apache setup isn't configured to use .htaccess files? 


(Generic example) In the httpd.conf file there would be:

<Directory "/var/www/html">
    AllowOverride All
</Directory>

I think on new Apache installs that defaults to AllowOverride None.

Where the Directory /var/www/html would be wherever your website is located.
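The two questions left open in this thread are "how do I tell whether Apache is obeying the var/.htaccess file" and "what do I change if it is not". The script below is an added example written for this page; it is not from the thread, from MageReport, or from Magento. It assumes a document root of /var/www/html/magento, Apache 2.2 as shipped with CentOS 5 (so the deny rule uses Order/Deny syntax; on Apache 2.4 use "Require all denied"), and that the site answers on http://127.0.0.1. The probe paths, the verdict table and the config file name /etc/httpd/conf.d/magento-private.conf are this example's own choices. The check works the way a scanner does: it requests the var/ paths over HTTP and only treats a 403 (or 401) as proof that a deny rule fired; a 404 can mean the file simply does not exist yet, so it is reported as unknown rather than protected. The fix writes the Deny into the server config itself, so it holds even when AllowOverride is None and the .htaccess file is never read, while still enabling AllowOverride All under the document root so Magento's own .htaccess files take effect.

```shell
#!/bin/sh
# Added example (not from the thread or Magento): test whether Apache really
# blocks the Magento var/ tree, and emit a server-level deny that does not
# depend on .htaccess being read.
# Assumed values; override with environment variables as needed.
BASE_URL="${BASE_URL:-http://127.0.0.1}"
DOCROOT="${DOCROOT:-/var/www/html/magento}"
CONF_FILE="${CONF_FILE:-/etc/httpd/conf.d/magento-private.conf}"

# Paths a scanner typically probes under the web root (constructed list).
# A 200 on any of them means the directory is readable from the internet.
probe_paths() {
    printf '%s\n' \
        /var/ \
        /var/cache/ \
        /var/session/ \
        /var/log/system.log \
        /var/log/exception.log \
        /var/export/ \
        /var/backups/ \
        /app/etc/local.xml
}

# Final HTTP status for one URL; follows redirects, prints "000" on no answer.
http_status() {
    curl -s -L -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Map an HTTP status to a verdict. Only 401/403 prove a deny rule fired.
verdict_for_status() {
    case "$1" in
        401|403) echo protected ;;
        2*)      echo EXPOSED ;;
        404|3*)  echo unknown ;;
        *)       echo error ;;
    esac
}

# Probe every path; exit status 1 if anything is exposed.
check_var_exposure() {
    rc=0
    for p in $(probe_paths); do
        status=$(http_status "$BASE_URL$p")
        v=$(verdict_for_status "$status")
        printf '%-28s %s %s\n' "$p" "$status" "$v"
        if [ "$v" = EXPOSED ]; then rc=1; fi
    done
    return $rc
}

# Server-level config: enable .htaccess processing under the document root
# (so Magento's own files work) AND deny var/ directly in httpd.conf, which
# holds even if AllowOverride is later turned off. Apache 2.2 syntax.
magento_conf() {
    cat <<EOF
<Directory "$DOCROOT">
    AllowOverride All
</Directory>

<Directory "$DOCROOT/var">
    Order deny,allow
    Deny from all
</Directory>
EOF
}

case "${1:-}" in
    check) check_var_exposure ;;
    apply)
        magento_conf > "$CONF_FILE"
        apachectl configtest && service httpd reload
        ;;
esac
```

Run it as `sh check_var.sh check` before and after the change; every var/ line should read 403 protected afterwards. `sh check_var.sh apply` writes the config and reloads only if `apachectl configtest` passes. On a server with SELinux enforcing, the new conf file must carry the httpd config context, which it inherits when created in /etc/httpd/conf.d/.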