By default the Apache configuration file (/etc/apache2/apache2.conf) is as follows:
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
And we can set AllowOverride to All, to allow overriding Apache configs per directory. I am wondering if this might cause security issues.
Beyond the obvious security problems of allowing configuration modifications in a public document root, there is also a performance impact. What happens with AllowOverride is that Apache will do an open() call on each parent directory from the requested file onward.
Security issues? Well, not really; if a hacker gets hold of DOC ROOT then you're screwed anyway.
But requests where AllowOverride was turned off were executed in 60% of the time of the ones where AllowOverride was turned on. Instead, it will generally be better to take those changes in .htaccess and place them in your httpd configuration file.
However, what .htaccess provides is the utmost flexibility, letting you control your website's behavior and authentication needs without having to make those changes in the Apache config and restart it every time. Especially in shared hosting environments, the Apache config is not even accessible to website owners.
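To make the per-request cost described in the answers concrete, here is an added shell example (not from the question or any answer above) that enumerates the .htaccess files Apache must attempt to open for a given request once AllowOverride is enabled for the directory tree: one lookup per ancestor directory, from the filesystem root down to the directory holding the requested file. The file paths used as input are constructed for illustration; the function names `htaccess_lookup_paths`, `htaccess_lookup_count` and `extra_opens_per_request` are mine and not Apache tooling.

```shell
#!/bin/sh
# Enumerate the .htaccess files Apache has to look for when serving a file
# while AllowOverride is not None. Apache walks every directory from the
# filesystem root down to the file's own directory, because a .htaccess in
# any of them may contribute directives. With AllowOverride None this walk
# is skipped entirely, which is the performance point made in the answers.

htaccess_lookup_paths() {
    # $1: absolute filesystem path of the requested file (constructed input)
    dir=$(dirname "$1")
    cur=""
    # the root directory is always checked first
    printf '%s\n' "/.htaccess"
    # split the directory path on '/' and rebuild it one component at a time
    old_ifs=$IFS
    IFS=/
    for comp in $dir; do
        [ -z "$comp" ] && continue        # skip the empty leading field
        cur="$cur/$comp"
        printf '%s\n' "$cur/.htaccess"
    done
    IFS=$old_ifs
}

htaccess_lookup_count() {
    # Number of extra open() attempts for one request to $1
    htaccess_lookup_paths "$1" | wc -l | tr -d ' '
}

extra_opens_per_request() {
    # $1: the AllowOverride value in effect for the tree (None or anything else)
    # $2: absolute path of the requested file
    if [ "$1" = "None" ]; then
        echo 0                            # no .htaccess processing at all
    else
        htaccess_lookup_count "$2"
    fi
}

# Example run with a constructed path under the /var/www/ tree from the question:
#   extra_opens_per_request All  /var/www/html/app/index.php  -> 5
#   extra_opens_per_request None /var/www/html/app/index.php  -> 0
```

Run `htaccess_lookup_paths /var/www/html/app/index.php` to see the five lookups (`/.htaccess`, `/var/.htaccess`, and so on down to `/var/www/html/app/.htaccess`) that every request for that file triggers under `AllowOverride All`. When .htaccess support is genuinely needed, note that AllowOverride accepts a restricted list of directive types (for example `AllowOverride AuthConfig Limit`) rather than only `All` or `None`, which limits what a file dropped into the document root can change while keeping the per-directory flexibility the last answer describes.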