
Correct Permissions Settings for .htaccess and web.config

Posted: Tue Feb 19, 2019 2:30 pm
by Compositeur
A security update from Joomla stated:

-------

.htaccess & web.config security Update

Since version 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so-called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security team recommends manually applying the necessary changes to existing .htaccess or web.config files, as those files cannot be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
    <customHeaders>
        <add name="X-Content-Type-Options" value="nosniff" />
    </customHeaders>
</httpProtocol>

-------

1. Stupidly I deleted my original <.htaccess> and <web.config> files before uploading the edited ones. Now I don't know if the permissions I have set for the <.htaccess> and <web.config> files are correct. Both of these are currently set to '0644'. Is that correct?

2. I only found both those files together in the public_html folder. Is that the correct place to be fishing for and editing the <.htaccess> and <web.config> files?

Thanks in advance for any help guys! ;)

Re: Correct Permissions Settings for .htaccess and web.config

Posted: Tue Feb 19, 2019 4:45 pm
by Webdongle
644 for .htaccess

Re: Correct Permissions Settings for .htaccess and web.config

Posted: Tue Feb 19, 2019 4:54 pm
by sozzled
Your server may use one of the files (.htaccess or web.config), not both.

Apache: .htaccess
IIS: web.config
Nginx: nginx.conf

The files htaccess.txt or web.config.txt are not used by anything. They are "templates"—files that can be renamed to .htaccess or web.config—depending on the kind of web server software that you are using to host your website. There is a more detailed discussion about this at viewtopic.php?f=9&t=969694 if you are interested in these matters.

@Webdongle is right about the correct file permission for these things.
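
An added example, not part of any post in this thread and not Joomla's code: a shell audit of the two points discussed above, that .htaccess has mode 644 and that the nosniff header from the Joomla notice is set before the "## Mod_rewrite in use." line. The function names and the path in the usage comment are assumptions; it covers the Apache file only, not web.config.

```shell
#!/bin/sh
# Added example: audit a Joomla .htaccess for file mode and the nosniff header.
# audit_htaccess prints one finding per line and nothing when the file passes.

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Line number of the first line matching an extended regex, empty if none.
first_line_of() {
    hit=$(grep -n -E -- "$1" "$2") || hit=""
    echo "${hit%%:*}"
}

audit_htaccess() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 0
    fi

    mode=$(file_mode "$f")
    [ "$mode" = "644" ] || echo "mode: $f is $mode, expected 644"

    # Only an active directive counts; a line starting with '#' is a comment.
    hdr=$(first_line_of '^[[:space:]]*Header[[:space:]].*X-Content-Type-Options[[:space:]]+"?nosniff"?' "$f")
    marker=$(first_line_of '^## Mod_rewrite in use[.]' "$f")

    if [ -z "$hdr" ]; then
        echo "header: no active nosniff header in $f"
    elif [ -n "$marker" ] && [ "$hdr" -gt "$marker" ]; then
        echo "order: nosniff header (line $hdr) is after the Mod_rewrite marker (line $marker)"
    fi
}

# Reset the mode to 644; header edits are left to the site owner.
fix_mode() {
    chmod 644 "$1"
}

# Usage (path is an assumption): sh audit.sh public_html/.htaccess
if [ "$#" -gt 0 ]; then
    audit_htaccess "$1"
fi
```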

Re: Correct Permissions Settings for .htaccess and web.config

Posted: Fri Apr 19, 2019 8:24 am
by Compositeur
Thanks for the help Webdongle and sozzled.