Forum Topic: Question on hierarchy of htaccess files

Forum: .htaccess Forum : Security • Posted by gardenho • Updated:

Years ago I read that if you put an htaccess file in a lower level folder but still wanted to keep all the rules applied from the root folder you had to repeat all those rules in addition to the new rule, which applies to that folder alone. From what I'm reading it doesn't sound like this is the case now.

My particular concern is images folders. In the root I have this rule for preventing hotlinking:

# stop hot linking to files
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?facebook\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?paypal\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|pdf|ico)$ - [F,NC]

In the images folder I have an htaccess file with the above, in addition to:

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
   Order Deny,Allow
   Deny from all

Do I need to repeat the hotlinking rules from the root htaccess in the images folder htaccess or am I good to go with just this rule that applies to this folder only in it?

1 Reply to “Question on hierarchy of htaccess files”

Jeff Starr
Posted by Jeff Starr

.htaccess works in cascading fashion, so any rules in the root .htaccess file should be applied to all sub-directories. You can verify this by puttin something like

RedirectMatch 403 testing123

in the root .htaccess, and then requesting something like this

should lead to a 403 Forbidden.