> Hi All,
>
> I would like to hear your ideas on what the pros and cons are if I
> set a specific directive-type for AllowOverride like AuthConfig,
> FileInfo, Indexes, Limit, and Options?

Most security guidelines say no to Indexes. It's tolerable to allow overrides on most things for a development box for developer convenience, but by the time a site gets to production (particularly outside-facing) pretty much anything worked out in .htaccess should be rolled into the httpd.conf.

> I am just concerned about the security matters that will arise if I give
> the user full access on .htaccess (AllowOverride All) on their webroot?

I would resist, or at minimum get support for not allowing it in QA and production. Something you can use for support is the CISecurity Apache Benchmark. It's downloadable for free from cisecurity.org. I just took a quick look and they recommend "AllowOverride None".

Sheryl

> Thanks.
> James

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
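As an added example that is not part of the original thread, here is one way to check a production httpd.conf against the "AllowOverride None" recommendation in the reply above. The function name, the sample configuration, and its paths are constructed for illustration.

```python
import re

# Constructed sample httpd.conf fragment; paths are hypothetical.
SAMPLE_CONF = """\
<Directory "/var/www/dev">
    AllowOverride All
</Directory>
<Directory "/var/www/prod">
    # AllowOverride All
    AllowOverride None
</Directory>
<Directory "/var/www/mixed">
    AllowOverride AuthConfig FileInfo \\
        Indexes Limit
</Directory>
"""

DIR_OPEN = re.compile(r"<Directory\s+(.+?)>\s*$", re.I)
DIR_CLOSE = re.compile(r"</Directory>", re.I)
OVERRIDE = re.compile(r"AllowOverride\s+(.+)$", re.I)

def audit_allowoverride(conf_text):
    """Return (directory, directive_types, allows_indexes) for each
    AllowOverride line that is anything other than 'None'."""
    findings, stack = [], []
    # Apache joins a line ending in a backslash with the next line.
    text = re.sub(r"\\\r?\n", " ", conf_text)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = DIR_OPEN.match(line)
        if m:
            stack.append(m.group(1).strip("\"'"))
            continue
        if DIR_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OVERRIDE.match(line)
        if m:
            types = m.group(1).split()
            lowered = [t.lower() for t in types]
            if lowered != ["none"]:
                where = stack[-1] if stack else "(outside <Directory>)"
                # 'All' includes Indexes, the type the reply singles out.
                allows_indexes = "all" in lowered or "indexes" in lowered
                findings.append((where, types, allows_indexes))
    return findings

if __name__ == "__main__":
    for where, types, idx in audit_allowoverride(SAMPLE_CONF):
        print(f"{where}: AllowOverride {' '.join(types)} (Indexes allowed: {idx})")
```

A directory with no AllowOverride line is not reported, since its effective value is inherited from a parent section or the server default.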