
Blocking .htaccess for PCI Compliance
« on: December 07, 2020, 05:49:25 PM »
So, I recently scanned my server for PCI compliance, and it failed.  One of the reasons that it failed was due to a bunch of htaccess files that contain authentication information.

Here is what the scan results state:

.htaccess contains authentication information.

Unauthorized users can gather authentication information from this file.

Change the Apache configuration so the .htaccess file cannot be accessed via the Internet.

When I visit one of the URLs they claim is giving access to .htaccess ( ), I can access the file.

I have tried everything that I can think of to prevent this.

In httpd.conf I have this code (which was already there):

<Files ".ht*">
    Require all denied
</Files>

That was in there by default, but it doesn't block access. So, I tried adding this code, as per a suggestion I found, to httpd.conf:

<Files .htaccess>
   <IfModule mod_authz_core.c>
      Require all denied
   </IfModule>
   <IfModule !mod_authz_core.c>
      Deny from all
   </IfModule>
</Files>

That also didn't block access. I read something where someone said to put the above code into the .htaccess file. So, I did a search for all .htaccess files via SSH, and found the one I was pretty sure is the one that downloads, at ./usr/local/cwpsrv/var/services/roundcube/. I added the code, and it still downloads. I checked the file, and it did have the new code in it, so I know I found the correct one.

I also read that I can just disable .htaccess by having AllowOverride None in my httpd.conf, but it was already in my httpd.conf file, and it doesn't do anything.

So, how do I block access to these?  Nothing makes sense to me!

I should also note that I am using just straight Apache 2.4.39. No Varnish or NGINX.
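As an added example (not code from the post above or from Apache's stock httpd.conf), here is a complete, properly closed deny block for Apache 2.4 with the fragment it replaces shown in comments. It assumes the block goes into the main server configuration and that mod_authz_core is loaded, which is the default on 2.4; the module guards make the same file usable where only the old 2.2-style access directives exist.

```apache
# Fragment as it appears in the post: the <Files> container is never closed.
# Apache's config parser rejects an unclosed container, so a block like this
# cannot be what the running server actually loaded.
#
#   <Files ".ht*">
#       Require all denied
#
# Corrected form. FilesMatch takes a regular expression; "^\.ht" covers
# .htaccess, .htpasswd and anything else starting with ".ht". Put this in the
# main server config (outside any <VirtualHost>) so every host inherits it.
<FilesMatch "^\.ht">
    # Apache 2.4: "Require" comes from mod_authz_core.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 without mod_authz_core: the legacy access directives.
    # On 2.4 these only parse when mod_access_compat is loaded, which is why
    # they sit behind a guard instead of being used unconditionally.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# Note: AllowOverride None is unrelated to this problem. It tells Apache not to
# read .htaccess for per-directory configuration; it says nothing about whether
# the file is served as static content, which is what the scanner is testing.
```

After editing, run `apachectl -t` to confirm the syntax, `apachectl -M | grep authz_core` to confirm the module that provides `Require` is loaded, restart httpd, and then request the exact URL from the scan report with `curl -I` (for example `curl -I https://example.invalid/.htaccess`, with the host replaced by the scanned one); the expected answer is `403 Forbidden`. One check worth doing first: look at the host and port in the scanner's URL and confirm with `ss -ltnp` which process is listening there. A `<FilesMatch>` block in httpd.conf only governs requests that the Apache instance reading that file answers; if the reported file under /usr/local/cwpsrv/ is served by some other daemon on that port, no Apache directive will change the result and the fix belongs in that daemon's configuration instead.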