
Unlimited Password Protection with .htaccess

In many tutorials explaining the usage of Apache's Basic Authentication scheme via htaccess files, you will see an example such as this:

AuthType basic
AuthName "Secure Area"
AuthUserFile /etc/httpd/conf/.htpasswd
<Limit GET POST>
Require user admin
</Limit>

For some reason, the myth that usage of the Limit directive was required for Basic Authentication has persisted since the early days of web sites and web hosting.

But not only is it entirely unnecessary, it can actually reduce the effectiveness of your password authentication scheme, putting your security at risk.

In the example above, we are limiting the password protection to HTTP GET and POST requests only. This means that for any other type of HTTP request, there is no password protection at all.

You may wonder which request methods exist besides the web application stalwarts GET and POST. A quick browse through the HTTP standard reveals no less than six others: OPTIONS, HEAD, PUT, DELETE, TRACE and CONNECT.

While not all of these methods will necessarily be enabled by your Apache installation, leaving them outside the password protection is an insecure, and entirely unnecessary, risk to take.

Removing the Limit directive from the above example leaves us with:

AuthType basic
AuthName "Secure Area"
AuthUserFile /etc/httpd/conf/.htpasswd
Require user admin

That is all you need to securely password protect your web site: with no Limit block, the Require directive applies to every request method.
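As an added check that is not part of the original tutorial, the following Python script parses an .htaccess fragment and reports which HTTP methods are left with no Require directive applying to them. The two embedded snippets are the article's "before" and "after" examples; treating HEAD as covered whenever GET is listed in a Limit block follows Apache's documented handling of that directive.

```python
import re

# Methods defined in HTTP/1.1: the six the article lists, plus GET and POST.
HTTP_METHODS = frozenset(
    {"GET", "POST", "OPTIONS", "HEAD", "PUT", "DELETE", "TRACE", "CONNECT"})

# Constructed sample input: the article's "before" snippet (Require inside Limit).
LIMITED_HTACCESS = """AuthType basic
AuthName "Secure Area"
AuthUserFile /etc/httpd/conf/.htpasswd
<Limit GET POST>
Require user admin
</Limit>
"""

# Constructed sample input: the article's "after" snippet (Require at top level).
FIXED_HTACCESS = """AuthType basic
AuthName "Secure Area"
AuthUserFile /etc/httpd/conf/.htpasswd
Require user admin
"""


def unprotected_methods(htaccess_text):
    """Return the HTTP methods that no Require directive covers.

    A Require at top level covers every method, so the result is empty.
    A Require inside <Limit A B> covers only A and B (Apache also treats
    HEAD as covered whenever GET is listed); inside <LimitExcept A B> it
    covers everything except A and B.  No Require at all: nothing covered.
    """
    covered = set()
    scope = None  # None at top level, otherwise the set of methods in scope
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>", line, re.I)
        if m:
            listed = {w.upper() for w in m.group(2).split()}
            if m.group(1).lower() == "limit":
                if "GET" in listed:
                    listed.add("HEAD")
                scope = listed
            else:
                scope = set(HTTP_METHODS) - listed
            continue
        if re.match(r"</(Limit|LimitExcept)>", line, re.I):
            scope = None
            continue
        if line.split()[0].lower() == "require":
            covered |= HTTP_METHODS if scope is None else scope
    return frozenset(HTTP_METHODS - covered)
```

Running it on the "before" snippet lists OPTIONS, PUT, DELETE, TRACE and CONNECT as unprotected; the "after" snippet yields an empty set.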
