
Is it safe to set AllowOverride all on /var/www/ directory in production?

By default Apache configuration file (/etc/apache2/apache2.conf) is as follows:

<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>

And we can set AllowOverride to All, to allow overriding Apache configs per directory. I am wondering if this might cause security issues.



Beyond the obvious security problems of allowing configuration modifications in a public document root there is also a performance impact. What happens with AllowOverride is that Apache will do an open() call on each parent directory from the requested file onward.

Security issues? Well, not really; if a hacker gets ahold of DOC ROOT then you're screwed anyway.

But Requests where AllowOverride was turned off were executed at 60% of the time of the ones where AllowOverride was turned on. Instead it will generally be better to take those changes in .htaccess and place them in your httpd configuration file.

However, what .htaccess provides you is utmost flexibility by letting you control your website behavior and authentication needs without needing to make those changes in the Apache config and restart it every time. Especially in shared hosting environments, the Apache config is not even accessible to website owners.
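As an added example (not from the question or either answer), here is what the trade-off described above looks like in configuration: a vhost that opens the document root up with AllowOverride All, beside a hardened version that keeps AllowOverride None so Apache skips the per-directory .htaccess lookups and carries the same rules in the server config instead, plus a narrowed middle ground for hosts where owners cannot edit httpd.conf. The site path and password-file location are assumed.

```apache
# --- Weak setting (one of the three blocks below, not all at once) ---
# Every request walks /var/www, /var/www/example.com, ... opening
# .htaccess in each directory, and anyone who can write into the
# document root can change Options, auth, rewrites and more.
<Directory /var/www/example.com/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

# --- Hardened: no per-directory overrides at all ---
# Directory listings are switched off as well; rules that used to sit in
# /var/www/example.com/admin/.htaccess move into the server config, so
# they can no longer be altered by whoever can write to the docroot.
<Directory /var/www/example.com/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/example.com/admin/>
    AuthType Basic
    AuthName "Admin area"
    # Assumed path; keep the password file outside the document root.
    AuthUserFile /etc/apache2/htpasswd-admin
    Require valid-user
</Directory>

# --- Middle ground for shared hosting ---
# Owners still get .htaccess for authentication and request-method
# limits, but cannot override Options, FileInfo or Indexes.
<Directory /var/www/example.com/>
    Options -Indexes +FollowSymLinks
    AllowOverride AuthConfig Limit
    Require all granted
</Directory>
```

Reload Apache after editing the server config; with AllowOverride None, changes to any .htaccess under the directory are silently ignored, which is the point.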

User contributions licensed under: CC BY-SA