I've inherited with a web host which contains some sensitive files & directories like .svn, .htaccess and about 10 others. We are in the process of cleaning these up, but that may take a while. I want to prevent Apache from returning any information whatsoever regarding these files & directories. Ideally, I want to: 1. Force a "404 Not Found" for these files & directories 2. If "Options Indexes" is enabled, prevent these files & directories from being viewable from the parent directory. Each of these problems is easy to solve on it's own. I'm not sure the best way to solve both of these problem at once. I tried using 'RedirectMatch' (Recommended at http://stackoverflow.com/questions/398008/deny-access-to-svn-folders-on-apache/): RedirectMatch 404 .*/\.svn(/|$) This solves problem #1. The following will return a '404 Not Found' for .svn. However, if 'Options Indexes' is enabled, I can still see the .svn and .htaccess directories from the parent directory . Luckily, I cannot enter the .svn directory, because I get a '404 Not Found'. However, I don't want the webserver to show the existence of the .svn directory from the parent directory at all. So then, I tried using a "Deny from all", which we see in the default httpd.conf, and at http://subversion.apache.org/faq.html#website-auto-update # Disallow browsing of Subversion working copy administrative dirs. <DirectoryMatch "^/.*/\.svn/"> Order deny,allow Deny from all </DirectoryMatch> This prevents the .svn directory from appearing from the directory listing. The default behavior of "Deny from all" is to return '403 Forbidden'. This means that if I go to http://example.com/foo/.svn , I get a '403 Forbidden' which still provides a clue to potential hackers that the directory named '.svn' exists. I'd like to force a "404 Not Found" instead. The only solution that I have found is to simply use both of these two directives, like this: # Disallow browsing of Subversion working copy administrative dirs. <DirectoryMatch "^/.*/\.svn/"> Order deny,allow Deny from all </DirectoryMatch> # Also, force a "404 Not Found" for .svn itself. RedirectMatch 404 .*/\.svn(/|$) It works, but this seems a little redundant. Is there a better way to force a "404 Not Found", and prevent it from being listed in the parent directory, Thanks, -= Stefan -- Stefan Lasiewski http://stefanco.com --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx