.htaccess Information Leak

ID

htaccess_information_leak

Severity

high

Kind

Information Disclosure

CWE

94

Description

The .htaccess file is an Apache Web Server configuration file that controls URL rewriting, authentication, access restrictions, and other server behavior for the directory in which it resides. When this file is directly accessible to clients, it exposes the server’s internal security configuration.

Rationale

An exposed .htaccess file reveals authentication rules, IP-based access restrictions, rewrite logic, and protected directory paths. An attacker can use this information to identify which areas of the application are considered sensitive, discover hidden endpoints, and craft requests that bypass the intended access controls. If the file contains credential hashes for HTTP Basic Authentication, these can be cracked offline.

Remediation

Configure the web server to deny access to .htaccess files. In Apache 2.4, add a directive such as <FilesMatch "^\.ht">Require all denied</FilesMatch> to the server configuration (this also covers .htpasswd, which shares the ".ht" prefix). Ideally, move the directives from .htaccess into the main server configuration and disable .htaccess overrides entirely with AllowOverride None in the relevant <Directory> block.
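The remediation above, shown as a before/after server-level configuration. This is an added example and not part of the original entry; the document root /var/www/example, the vhost layout and the sample IP range are assumptions, and the syntax is Apache 2.4.

```apache
# Added example (not from the original entry). Assumed document root: /var/www/example.

# --- Weak configuration ---
# Per-directory overrides are enabled, so the server honours /var/www/example/.htaccess.
# Nothing here stops a client from requesting /.htaccess directly, so the file
# (and any .htpasswd next to it) is served like any other static file.
<Directory "/var/www/example">
    AllowOverride All
    Require all granted
</Directory>

# --- Corrected configuration ---
# 1. Deny every request for a file whose name starts with ".ht" (.htaccess, .htpasswd).
#    Apache 2.4's stock httpd.conf ships an equivalent <Files ".ht*"> block; keep it in place.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 2. Disable .htaccess processing and move its rules into the main configuration.
#    The access rule below stands in for whatever the .htaccess used to contain
#    (sample IP range 10.0.0.0/8 is a constructed placeholder).
<Directory "/var/www/example">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/example/admin">
    AllowOverride None
    Require ip 10.0.0.0/8
</Directory>
```

After reloading Apache, a request for /.htaccess (or /.htpasswd) should return 403 rather than the file contents; with AllowOverride None the server no longer reads the file at all, so it can simply be deleted. Any HTTP Basic Authentication password file should in addition live outside the document root (for example under /etc/apache2), so that no URL maps to it even if the FilesMatch rule is later removed.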