Why Apache .htaccess files are evil

Evil? Wow, that’s a bit strong. Besides, everybody loves Apache and their .htaccess files! Don’t they? Well, I’m not so keen. I think there are two important issues with Apache. Firstly, out of the box (as it were), it comes badly configured. For anyone wanting to dip their toes in server building and administration, they will soon find their server down and out for the count as it OOMs (Out Of Memory) into oblivion. That’s a subject for another day.

Secondly, I believe that .htaccess files are bad. It’s like giving your three-year-old the keys to your house. Yes, it certainly will be easier for you; your child can decide when to come and go without having to interrupt your day. But you really don’t know just when they will give the key to a dodgy so-and-so with thieving intentions.

Web servers form part of the host configuration and setup. They direct and manage traffic to and from the server. Who should tell it how it does that? The system administrator. Giving control of the web server to its applications is intrinsically wrong.

Allowing applications to control how the server works can certainly make people’s lives easier. The payoff, though, is that it makes the server less secure. To make a simile, it would be like getting rid of passports and border control or, to be more exact, like letting every individual person decide what the border controls are and what verifies their passport as being a document that uniquely identifies them. People could just make anything up. Well, on a server, that is what .htaccess files allow you to do.

Personally, I no longer support .htaccess files. Just like border control and passports are worth the encumbrance, so is disabling .htaccess (or just not using Apache at all). And I find that gradually, they aren’t missed. It is just a shame that I have to put the time and effort into effectively working around an issue that should not exist in the first place.
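One way to check a host before turning .htaccess off, as an added example that is not from the original post: it flags `AllowOverride` and `AllowOverrideList` directives in `<Directory>` sections that are set to anything other than `None`, and lists the .htaccess files whose rules would have to move into the main configuration. The sample config, the paths and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample config (not from the post): the filesystem root is locked
# down, but two docroots still let applications override server behaviour.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/app">
    # legacy setting left over from a CMS install
    AllowOverride All
    Require all granted
</Directory>
<Directory /var/www/static>
    allowoverride FileInfo AuthConfig
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)
# AllowOverrideList can also re-enable .htaccess, so both directives are checked.
OVERRIDE = re.compile(r'AllowOverride(?:List)?\s+(.+)', re.I)

def audit_allowoverride(conf_text):
    """Return (section, line_no, value) for each directive that enables .htaccess."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            stack.append(m.group(1).strip())
        elif CLOSE.match(line) and stack:
            stack.pop()
        elif m := OVERRIDE.match(line):
            value = m.group(1).strip()
            if value.lower() != "none":
                findings.append((stack[-1] if stack else "<server>", line_no, value))
    return findings

def find_htaccess(docroot):
    """List .htaccess files under docroot whose rules must move to the main config."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(docroot)
                  for f in files if f == ".htaccess")

if __name__ == "__main__":
    for section, line_no, value in audit_allowoverride(SAMPLE_CONF):
        print(f"line {line_no}: {section} still allows overrides: {value}")
```

Once every reported section reads `AllowOverride None`, Apache ignores .htaccess files under it, so any rules found by `find_htaccess` need to be reviewed and placed in the server configuration by the administrator first.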

Published by


Open Source Architect (Web Geek)