.htaccess is the default name for a file that is used to indicate who can or cannot access the contents of a specific file directory from the Internet or an intranet. The .htaccess file is a configuration file that resides in a directory and indicates which users or groups of users can be allowed access to the files contained in that directory.

.htaccess was introduced as a directory-level user authentication method along with the original programs developed for retrieving Web pages over the Internet, such as the Hypertext Transfer Protocol daemon (HTTPd). When users type in a Uniform Resource Locator (the name of a Web site they want to go to), the URL begins with "http://". This prefix is recognized by the underlying Web server software program, HTTPd. (A daemon is a program that sits waiting for requests from other programs.)

The main access control file used by HTTPd is the global access configuration file, which often resides at the root directory of the HTTPd server. .htaccess files are additional, directory-level access control files used by HTTPd.

When the HTTPd server receives a user's request for a document, it looks in the document's own directory, as well as higher up in the chain of directories for these types of access control files. If it finds .htaccess, it will look there to see whether or not the user is allowed to access the file. Based on the information it finds, it may ask the user for his or her user name and password first, before sending the requested document.

.htaccess is the default file name used by HTTPd when no other name has been indicated in the HTTPd server's resource configuration file, srm.conf. Another file name can be specified in this file, on the AccessFileName <file> line, where <file> would normally indicate .htaccess or another name. (In Netscape servers, this file is called .nsconfig, and uses a different syntax from .htaccess.)


Whether or Not to Use .htaccess

.htaccess is often used in settings where a group network administrator wants to control who views or changes the contents of the directories that relate to his or her groups or users. In these settings, it is not practical or advisable to give the administrator primary access to all of the HTTPd server's functions, and all of its other directories and configuration files. Having the local-level control provided by .htaccess files allows more flexibility for the administrator to create and change directory access controls, as needed.

Some disadvantages to using .htaccess files have been noted: If an organization has several hundred .htaccess files on several hundred directories, each granting or denying user access to their own contents, it is more difficult for the company's network administrators to prepare a global access or authentication strategy and keep up with changes. Also, .htaccess files can be overwritten very easily, causing problems for users who once could access a directory's contents, but now cannot. Finally, .htaccess files are more likely to be opened or retrieved by unauthorized users.
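
The directory-chain lookup described earlier and the sprawl problem noted above can both be checked with a short audit script. The Python below is an added example, not part of the original entry or of any HTTPd distribution; it assumes the lookup chain starts at the document root, and its function names and sample tree are constructed for illustration.

```python
# Added example: function names and the sample tree are hypothetical.
import os
import stat
import tempfile

ACCESS_FILE = ".htaccess"  # default name; AccessFileName may set another
AUTH_WORDS = {"authtype", "authuserfile", "require"}  # directives that gate access


def applicable_access_files(doc_root, document, name=ACCESS_FILE):
    """Access files consulted for `document`, outermost first (chain assumed to start at doc_root)."""
    root = os.path.realpath(doc_root)
    current = os.path.dirname(os.path.realpath(document))
    if os.path.commonpath([root, current]) != root:
        raise ValueError("document is outside the document root")
    found = []
    while True:  # climb from the document's directory up to the root
        candidate = os.path.join(current, name)
        if os.path.isfile(candidate):
            found.append(candidate)
        if current == root:
            return found[::-1]
        current = os.path.dirname(current)


def inventory(doc_root, name=ACCESS_FILE):
    """One record per access file: path, auth directives, loose write bits."""
    records = []
    for directory, _dirs, files in os.walk(doc_root):
        if name not in files:
            continue
        path = os.path.join(directory, name)
        with open(path, encoding="utf-8", errors="replace") as handle:
            words = {line.split()[0].lower() for line in handle if line.strip()}
        mode = os.stat(path).st_mode
        records.append({
            "path": path,
            "auth": sorted(words & AUTH_WORDS),
            "writable_by_others": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return sorted(records, key=lambda record: record["path"])


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.makedirs(os.path.join(root, "staff", "reports"))
        with open(os.path.join(root, "staff", ".htaccess"), "w") as handle:
            handle.write("AuthType Basic\nRequire valid-user\n")
        print(applicable_access_files(root, os.path.join(root, "staff", "reports", "q1.html")))
        print(inventory(root))
```

Run against a real document root, the inventory gives administrators a single list of every directory-level access file, which ones enforce authentication, and which can be overwritten by accounts other than the owner.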

This was last updated in April 2005
