By default Apache denies access to files whose name begins with .ht, such as .htaccess:
<Files ~ "^\.ht">
Require all denied
</Files>
But I notice that many files use the prefix ., like .gitignore. I think this file does not do any harm, but I still think that the use of the dot in the prefix is "strongly" directed to configuration files. I think it might be interesting to deny access to these files in general by doing something like:
RewriteEngine On
# Check whether the request points at an existing directory or file
# (either one is enough, so the two conditions are joined with [OR])
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f
# Issue HTTP status 403 for a path that starts with a dot
RewriteRule ^(\.|/\.) - [F,L]
In IIS maybe something like:
<rule name="Redirect to routes" stopProcessing="true">
  <!-- fire only when the path exists as a directory or a file (either one) -->
  <conditions logicalGrouping="MatchAny">
    <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
    <add input="{REQUEST_FILENAME}" matchType="IsFile" />
  </conditions>
  <match url="^(\.|/\.)" ignoreCase="false" />
  <!-- AbortRequest drops the connection; a CustomResponse with statusCode="403" would send an explicit 403 -->
  <action type="AbortRequest" />
</rule>
Add the file check because if the file does not exist it should issue 404 instead of 403.
Would this be a "good use", or does . as a prefix have other uses besides configuration files?
If that is the case, then you would swap it for a "group" of file types:
(^|/)\.(git|gitignore|yml|svn)$
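An added example (not part of the question above) that emulates the "exists first, then 403, else 404" ordering of the rule set over a constructed in-memory document root, and compares the `^(\.|/\.)` pattern from the question with the `(^|/)\.` form, which also catches dot-files in subdirectories; the DOCROOT contents and the helper names are assumptions made for the demonstration.

```python
import re

# Constructed in-memory "document root": paths that exist on disk (files and dirs).
DOCROOT = {
    ".htaccess": "file",
    ".gitignore": "file",
    ".git": "dir",
    ".git/config": "file",
    "app/.env": "file",
    "app/.git": "dir",
    "index.html": "file",
    "css/site.css": "file",
}

# The two patterns discussed in the question, applied to the request path relative
# to the document root (per-directory mod_rewrite context, no leading slash).
START_ONLY = re.compile(r"^(\.|/\.)")   # a dot only at the very start of the path
ANY_SEGMENT = re.compile(r"(^|/)\.")    # a dot at the start of any path segment


def decide(path, pattern, fs=DOCROOT):
    """Emulate 'RewriteCond -d [OR] -f' followed by 'RewriteRule <pattern> - [F]'.

    Returns the HTTP status the rule set would produce: 404 when nothing exists
    at the path (the rule never fires), 403 when the path exists and matches the
    pattern, otherwise 200 (the request passes through).
    """
    path = path.lstrip("/")
    if path not in fs:
        return 404
    if pattern.search(path):
        return 403
    return 200


def audit(pattern, fs=DOCROOT):
    """Return the existing dot-prefixed paths the pattern fails to block."""
    return sorted(
        p for p in fs
        if decide(p, pattern, fs) == 200 and "/." in "/" + p
    )
```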