A few weeks back, I updated two websites (which run on my ISPs’ Apache servers) to use various features which improve the experience for users of the site. These features include:
- Server side includes (SSI).
- Changing the default web page.
- Providing custom error messages.
- Redirecting clients where pages have changed.
- Preventing listing the contents of certain directories.
- Denying access to certain files.
All of these features (and more) may be controlled on an Apache server using a file called .htaccess, which is intended for users who do not have access to the server configuration to make configuration changes on a per-directory basis.
In general, where access to the server configuration is available, then changes should be made at the server level; however in a hosted environment, .htaccess allows content providers to make their own configuration without affecting other users of the server.
Administrators should be made aware that enabling .htaccess on a server does incur a performance hit as Apache will look in every directory on the path for an .htaccess file, and will load the file, whether or not the directives contained within .htaccess are relevant to the HTTP request. For this reason, some ISPs may prohibit the use of .htaccess.
Microsoft Internet Information Server (IIS) does not have an equivalent to .htaccess and all configuration must be carried out using the various IIS administration tools (along with an appropriate organisational security model).