Correct Permissions Settings for .htaccess and web.config

Discussion regarding Joomla! 3.x security issues.

Compositeur
Joomla! Enthusiast
Posts: 166
Joined: Sat May 25, 2013 6:11 pm
Location: London

Post by Compositeur » Tue Feb 19, 2019 2:30 pm

A security update from Joomla stated:

-------

.htaccess & web.config security Update

Since version 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so-called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security team recommends manually applying the necessary changes to existing .htaccess or web.config files, as those files cannot be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
    <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>

-------

1. Stupidly I deleted my original <.htaccess> and <web.config> files before uploading the edited ones. Now I don't know if the permissions I have set for the <.htaccess> and <web.config> files are correct. Both of these are currently set to '0644'. Is that correct?

2. I only found both those files together in the public_html folder. Is that the correct place to be fishing for and editing the <.htaccess> and <web.config> files?

Thanks in advance for any help guys! ;)

Webdongle
Joomla! Master
Posts: 37152
Joined: Sat Apr 05, 2008 9:58 pm

Re: Correct Permissions Settings for .htaccess and web.config

Post by Webdongle » Tue Feb 19, 2019 4:45 pm

644 for .htaccess
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

sozzled
Joomla! Champion
Posts: 7335
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: Correct Permissions Settings for .htaccess and web.config

Post by sozzled » Tue Feb 19, 2019 4:54 pm

Your server may use one of the files (.htaccess or web.config), not both.

Apache: .htaccess
IIS: web.config
Nginx: nginx.conf

The files htaccess.txt or web.config.txt are not used by anything. They are "templates"—files that can be renamed to .htaccess or web.config—depending on the kind of web server software that you are using to host your website. There is a more detailed discussion about this at viewtopic.php?f=9&t=969694 if you are interested in these matters.

@Webdongle is right about the correct file permission for these things.
https://www.kuneze.com/blog
Former member of Kunena project team
If you think I’m wrong then say “I think you're wrong.” If you say “You’re wrong!”, how do you know?
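
An added example, not part of any post in this thread: a Python check for the two things discussed here, the 0644 mode on .htaccess and the nosniff header sitting before "## Mod_rewrite in use.". The function names and the sample file are constructed for illustration, and it covers the Apache .htaccess case only.

```python
import os
import re
import stat
import tempfile

EXPECTED_MODE = 0o644  # mode confirmed in the thread for .htaccess
MARKER = "## Mod_rewrite in use."  # line the Joomla notice says to insert before
# Matches an active (not '#'-commented) nosniff directive
NOSNIFF = re.compile(
    r'^\s*Header\s+(always\s+)?set\s+X-Content-Type-Options\s+"?nosniff"?\s*$',
    re.IGNORECASE)

def audit_htaccess(path):
    """Report the file mode and the state of the nosniff header in an .htaccess."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    header_line = marker_line = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for number, line in enumerate(fh, start=1):
            if header_line is None and NOSNIFF.match(line):
                header_line = number
            if marker_line is None and MARKER in line:
                marker_line = number
    # Placement can only be judged when both lines exist
    placed = header_line < marker_line if header_line and marker_line else None
    return {
        "mode": oct(mode),
        "mode_ok": mode == EXPECTED_MODE,
        "group_or_world_writable": bool(mode & (stat.S_IWGRP | stat.S_IWOTH)),
        "nosniff_present": header_line is not None,
        "nosniff_before_marker": placed,
    }

def restore_mode(path):
    """Reset the file to 0644: owner read/write, group and others read-only."""
    os.chmod(path, EXPECTED_MODE)
    return stat.S_IMODE(os.stat(path).st_mode)

if __name__ == "__main__":
    # Constructed sample: the notice's block placed above the marker, mode too loose
    sample = ('<IfModule mod_headers.c>\nHeader always set X-Content-Type-Options '
              '"nosniff"\n</IfModule>\n## Mod_rewrite in use.\nRewriteEngine On\n')
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, ".htaccess")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(target, 0o666)
        print(audit_htaccess(target))
        print(oct(restore_mode(target)), audit_htaccess(target)["mode_ok"])
```

A header line that is commented out with `#` is reported as absent, which is the state a browser would actually see.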

Compositeur
Joomla! Enthusiast
Posts: 166
Joined: Sat May 25, 2013 6:11 pm
Location: London

Re: Correct Permissions Settings for .htaccess and web.config

Post by Compositeur » Fri Apr 19, 2019 8:24 am

Thanks for the help Webdongle and sozzled.

