An important first line of defence for you website is the handling of HTTP Requests by the web server. A number of common attacks such as Cross-Site Scripting, Local File Inclusion and SQL Injection all start with transmission of hostile commands via the HTTP Request. The challenge is separating legitimate requests from the hostile or malicious ones.
For a website hosted on an Apache server, there is a powerful mechanism available to help – the Apache htaccess file. Use of an appropriately configured htaccess file on a server with mod_rewrite can provide a robust defence against many HTTP Request attacks. This posting examines the types of rules that can be implemented and their role in protecting your website.
So what is an .htaccess file?
An .htaccess file is a plain text file containing a list of configuration directives (rules). These rules are processed by the Apache webserver. A site can have more than one htaccess file, on more complex sites this allows for distributed configuration instructions, i.e. specific instructions may be applied at individual directory level. The htaccess file will be read on every HTTP Request submitted to the webserver, this is very helpful as changes to this file can therefore take immediate effect.
Will my hosting provider let me use an htaccess file?
If your website is hosted on an Apache server your hosting company should allow the use of htaccess files. These files provide a number of important mechanisms to support websites.
If your host does not allow the use of htaccess files, if you plan to run a Joomla website – change your hosting provider to one that does.
What types of rules can the file contain?
The common security related processing directives (rules) the file may contain include:
- Authorisation or authentication – username/password control at directory level;
- Blocking – use of allow/deny rules to block users by IP address or domain;
- Customised error responses – defining the response to a server side error, e.g. page not found (404);
- Directory listing – rules on what to do if a directory rather than a page is requested (and there is no index.html in the directory);
- URL Rewriting – evaluating and processing the submitted HTTP Request, can be used for a number of purposes including search engine optimisation (SEO), redirection of moved content, and security processing of the Request.
How can I protect my Joomla! website?
The standard Joomla! installation includes an .htaccess file. It is in the root directory of the site and following installation will be named htaccess.txt rather than .htaccess so that it is not automatically activated. Before using the file you need to check whether your host allows the use of htaccess files and has enabled the Apache mod_rewrite module. Instructions on how to perform this check can be found here. If mod_rewrite is enabled on your server then you can use the pre-configured file simply by renaming it from htaccess.txt to .htaccess.
From a site protection perspective what does this file do?
For HTTP Requests that meet the security processing directives, the htaccess file will block the requests and redirect them to your site’s homepage with a 403 (Forbidden) error. The preconfigured directives are designed to block out any script trying to:
- set a mosConfig value through the URL – mosConfig variables are global variables in Joomla! 1.0, they are not used in Joomla! 1.5 core code although a number of extensions that originated under Joomla! 1.0 still use them;
- submit base64_encode data via the URL – this technique is used by hackers to inject or conceal code which they hope to execute on your server;
- set a PHP GLOBALS variable via URL – attempts to set or change a Global variable – for a properly configured server, the PHP directive register_globals should be turned off, if it is not turned off, this directive prevents access to GLOBALS variables via the URL;
- modify a _REQUEST variable via URL – attempts to set or change a Request variable, these are variables associated with the HTTP Request. This directive prevents access to REQUEST variables via the URL;
Can this protection be improved on?
Yes, the Joomla! documentation website includes a page on htaccess examples. Under the heading “Other useful settings” there are a number of additional directives which may be used to enhance your site’s security. The Joomla! website does not currently explain these directives, but we have analysed them and posted an article explaining the enhanced htaccess directives.
If you want to significantly improve the security of your website, a properly configured .htaccess file provides a powerful mechanism to prevent many common exploits using HTTP Requests. At a minimum it is worth implementing the pre-configured version available as part of the core Joomla installation. But you should consider using an enhanced htaccess file to increase the protection to further reduce the risks.