By default Allow all access in .htaccess

[airbone42]

That's already very dangerous in Magento 1, so is there a chance that this will be changed?

Usually we set Allow/Deny-permissions by settings in the Apache-config, but this is totally overwritten by default in Magento and enables everyone to access the page, even if the server is just thought to be a staging server.

What's the reason for that?

[Wealth39]

Leave a comment

[verklov]

@airbone42, thank you for your question! The team will investigate on the issue. We will get back to you once we have an answer to share with you.

[verklov]

@airbone42, I just received the results of review for this issue. Below is the response:

As you can see from /.htaccess and /pub/.htaccess, by default we have the following configuration:

############################################
## By default allow all access

    Order allow,deny
    Allow from all

However, in Magento 2, we recommend setting DocumentRoot to the pub directory. Such manipulation will prevent direct access to Magento files from the web.

We cannot accept the proposed change as the default configuration we use is the same default configuration for the web server, which is a recommended setting.

We are closing this issue.

[airbone42]

HI @verklov,

thanks for the feedback. You're right it's the default configuration, especially because of that there's no sense in setting it again in the .htaccess file. But as soon as you change that configuration in Apache Magento will now override it again by this .htaccess file!

So if you want to protect your installation by ip or credentials (and I doubt we're the only agency who's protecting their testing installations that way) you have to modify core code (if we consider .htaccess as a core file).

I hope you can check this once more, with all this new information.

[verklov]

Let me talk to the developer once again and then respond to you.

[lazyguru]

I would much rather see htaccess removed from core altogether. It should be provided as a .htaccess.sample only (or have the installer generate one simialar to how applications like Wordpress do it). As an integrator it requires us to break the rule of "don't touch core" when we deploy client sites that require changes to htaccess. Additionally it makes upgrades require that we inspect the htaccess for changes and manually merge those in.

[FiveDigital]

+1 @lazyguru Additionally many Magento installations run on nginx where a .htaccess file is quite useless.