Implementing Access Controls with <Limit> Blocks

One of the most common ways to restrict access to web-based information is to protect it using usernames and passwords. Although different servers support many different ways of password-protecting web information, one of the most common techniques is with the <Limit> server configuration directive.

The <Limit> directive made its debut with the NCSA web server. Using <Limit>, you can control which files on your web server can be accessed and by whom. The NCSA server gives you two locations where you can place your access control information:

  • You can place the restrictions for any given directory (and all of its subdirectories) in a special file located in that directory. Normally, the name of this file is .htaccess, although you can change the name in the server’s configuration file.

  • Alternatively, you can place all of the access control restrictions in a single configuration file. In the NCSA web server, this configuration file is called access.conf. The Apache server allows you to place access control information in the server’s single httpd.conf file.

Whether you choose to use many access files or a single file is up to you. It is certainly more convenient to have a file in each directory. It also makes it easier to move directories within your web server, as you do not need to update the master access control file. Furthermore, you do not need to restart your server whenever you make a change to the access control list—the server ...

Get Web Security and Commerce now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.