This small extension to the Apache configuration is part of the standard Drupal distribution. Its name starts with a dot, so it's considered hidden on Unix-based systems. It's not really important, is it? Well, the truth is, it's one of the most important files.

Recently we discovered that a pretty high-profile Drupal-based site forgot to deploy that small file, which enabled everyone to list the /sites/ directory. You could even get to the /sites/default directory, where there was a "backup" file of the settings.php with the database settings! Not having the .htaccess in your Drupal root is a security risk!

What can we learn from this?
- Not having clean URLs mostly means that .htaccess is not present
- When you're using version control (I mean... you do that, right?), make sure .htaccess is included in your repository (as I said, it's hidden, so normally "add *" won't do the trick alone!).
- Apache has to enable AllowOverride, else .htaccess will be ignored
- If you're using a web server other than Apache, make sure to use settings equivalent to the .htaccess. (My favorite one, nginx, is covered here extensively.)
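
A pre-deploy check for the points in the list above, as an added example that is not part of the original post or of Drupal itself: it verifies the root .htaccess, looks for settings.php copies under sites/, and reads the effective AllowOverride for the docroot. The function names are hypothetical, and testing for `Options -Indexes` and parsing a single Apache config file without Include handling are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: pre-deploy audit of a Drupal docroot. Function names are
# hypothetical; each check prints a finding and returns non-zero on failure.

# .htaccess must exist in the Drupal root and still switch directory listings
# off (the stock file does that with "Options -Indexes").
check_htaccess() {
    [ -s "$1/.htaccess" ] || { echo "MISSING $1/.htaccess"; return 1; }
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" ||
        { echo "WEAK $1/.htaccess lacks Options -Indexes"; return 1; }
}

# Copies such as settings.php.bak or settings.php~ no longer end in .php, so
# the server hands them out as plain text, database settings included.
find_settings_copies() {
    find "$1/sites" -type f -name 'settings.php?*' 2>/dev/null
}

# Print the AllowOverride value from the most specific <Directory> block that
# covers the docroot. Assumption: one config file, no Include/<DirectoryMatch>.
effective_allowoverride() {   # usage: effective_allowoverride CONF DOCROOT
    awk -v root="$2" '
        tolower($1) == "<directory" {
            p = $2; gsub(/[">]/, "", p); sub(/\/$/, "", p)
            inside = (index(root "/", p "/") == 1)
        }
        tolower($1) == "</directory>" { inside = 0 }
        inside && tolower($1) == "allowoverride" && length(p) >= best {
            best = length(p); v = $2
        }
        END { print (v == "" ? "unset" : v) }' "$1"
}

audit() {   # usage: audit DOCROOT APACHE_CONF
    rc=0
    check_htaccess "$1" || rc=1
    copies=$(find_settings_copies "$1")
    [ -z "$copies" ] || { echo "EXPOSED $copies"; rc=1; }
    # "unset" falls back to the server default, which is None on Apache 2.4.
    case $(effective_allowoverride "$2" "$1" | tr 'A-Z' 'a-z') in
        none|unset) echo "IGNORED .htaccess: AllowOverride None/unset in $2"; rc=1 ;;
    esac
    return $rc
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

Run it as `sh audit.sh /path/to/drupal /path/to/vhost.conf` (the script name is a placeholder) from the deploy job; a non-zero exit means at least one of the three checks failed.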