Is there a security difference between storing files outside of the DocumentRoot versus "deny from all" htaccess directives?

Question

Knowing that a deny from all directive will traverse all sub-directories and files below it, and ignoring the obvious caveats of "if you forget" to copy the .htaccess file or if you typo creating an .htaccess file...

Is there a risk in security between storing non-public files outside of the DocumentRoot versus placing an .htaccess file with a deny from all directive in each non-public directory in the DocumentRoot?

Answer 1

There are a few things to consider here:

1. .htaccess is only going to protect your file from access over the web. For example, suppose you have a typical FTP server setup with virtual users who are restricted to the document root. If an attacker gains access to your FTP server (which is not that far-fetched given how insecure most FTP configurations are), they will have access to both the .htaccess file and any of your protected files that are in the document root.

   That was just one example that may not apply to your environment, but the idea that I'm really trying to get at is that .htaccess files don't give you that much depth in your security. They protect you in one context (access over the Internet) but not in others.

2. Your server administrator has the ability to disable specific .htaccess directives, to disable certain Apache modules (which your .htaccess file may use), and even to disable the use of .htaccess files period. If you don't have control over your Apache configuration (which I'm assuming is the case since you're choosing to overwrite it with an .htaccess file), you also don't really have control over whether your .htaccess file is going to be respected. It really comes down to your relationship with your host/server administrator and what they decide to allow.

3. Finally, if the .htaccess file is writable by the user your Apache server is running as, a determined hacker can modified that file. Ex. if you're using Wordpress, many popular themes will demand write access to the .htaccess file so that they can control URL rewriting. I'd imagine some other Content Management Systems do the same.

With all that said, using an .htaccess file (or directly altering your Apache configuration files) may still be a perfectly valid security measure for you. It depends on what your environment as a whole looks like -- how your server is configured, what you're trying to protect, etc. Hopefully I at least gave you some things to think about.