From my www-auth paper (http://www.seifried.org/security/www-auth/):

Apache supports a wide variety of authentication methods, several of which can be considered "standard" and are typically included in vendor packages of Apache. You can assign security to files and directories with Apache; the configuration for this is done either in the central httpd.conf file or in the defined "AccessFileName". For example, to make ".htaccess" files your access file you would add the following to httpd.conf:

    AccessFileName .htaccess

And in order to prevent people from downloading these files you would add the following to your httpd.conf:

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>

This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd, .htgroup, .htfoobar) will not be sent if a client requests it. You will then need to configure Apache to allow for specific features, using the "AllowOverride" directive within a "<Directory>" configuration section. Typically the safest thing to do is define a "<Directory />" that disables everything and then enable features as needed on a per-directory basis. For example, to allow .htaccess files in /var/www/secure-area:

    <Directory /var/www/>
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

If your .htaccess file does not work and "AccessFileName" is defined then this is probably the problem.

Kurt Seifried, kurt@seifried.org
PGP Key ID: 0xAD56E574
Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/
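As an added illustration (not part of the post or of Apache itself), the following Python model evaluates the "Order / Allow / Deny" directives from the snippets above the way mod_access merges them, so you can see why the "^\.ht" files are refused while other files under /var/www/ are served. The CONFIG table and the client address 192.0.2.10 are constructed for the example; it also adds the locked-down "<Directory />" the post recommends.

```python
import re

# Added model (not Apache's own code) of how mod_access evaluates the
# "Order / Allow / Deny" directives from the post.  Client addresses are
# matched against "all" or a dotted IP prefix, as Apache does for IP entries.

def _matches(entries, client_ip):
    return any(e == "all" or client_ip.startswith(e) for e in entries)

def section_allows(section, client_ip):
    """Apply one section's Order semantics.  allow,deny: default deny and a
    client matching both lists is denied.  deny,allow: default allow and a
    client matching both lists is allowed."""
    a = _matches(section["allow"], client_ip)
    d = _matches(section["deny"], client_ip)
    if section["order"] == "allow,deny":
        return a and not d
    if section["order"] == "deny,allow":
        return a or not d
    raise ValueError("unknown Order " + section["order"])

def access_allowed(path, client_ip, config):
    """Merge sections the way Apache does: <Directory> blocks from shortest
    to longest matching prefix, then <Files> blocks (matched against the
    basename), each later section replacing the earlier access directives."""
    dirs = [s for s in config if s["scope"] == "directory" and path.startswith(s["path"])]
    dirs.sort(key=lambda s: len(s["path"]))
    name = path.rsplit("/", 1)[-1]
    files = [s for s in config if s["scope"] == "files" and re.search(s["regex"], name)]
    verdict = True  # with no access directives at all, Apache serves the file
    for s in dirs + files:
        verdict = section_allows(s, client_ip)
    return verdict

# Constructed config: the post's two snippets plus the "<Directory />" that
# denies everything, which the post recommends as the starting point.
CONFIG = [
    {"scope": "directory", "path": "/", "order": "allow,deny", "allow": [], "deny": ["all"]},
    {"scope": "directory", "path": "/var/www/", "order": "allow,deny", "allow": ["all"], "deny": []},
    {"scope": "files", "regex": r"^\.ht", "order": "allow,deny", "allow": [], "deny": ["all"]},
]

if __name__ == "__main__":
    for p in ["/var/www/index.html", "/var/www/.htaccess",
              "/var/www/secure-area/.htpasswd", "/etc/passwd", "/var/www/notes.htm"]:
        print(p, "served" if access_allowed(p, "192.0.2.10", CONFIG) else "denied")
```

Note that "notes.htm" is served: the pattern is anchored with "^" and only matches names that begin with ".ht", which is the behaviour the post describes.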
Apache supports a wide variety of authentication methods, several of which can be considered "standard" and are typically included in vendor packages of Apache. You can assign security to files and directories with Apache, the configuration for this is either done in the central httpd.conf file or in the defined "AccessFileName". For example to make ".htaccess" files your access file you would add the following to httpd.conf: AccessFileName .htaccess And in order to prevent people from downloading these files you would add the following to your httpd.conf: <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd, .htgroup, .htfoobar) will not be sent if a client requests it. You will then need to configure Apache to allow for specific features, using the "AllowOverride" directive within a "<Directory"> configuration section. Typically the safest thing to do is define a "<Directory />" that disables everything and then enable features as needed on a per directory basis. For example to allow .htaccess files in /var/www/secure-area: <Directory /var/www/> AllowOverride AuthConfig Order allow,deny Allow from all </Directory> If your .htaccess file does not work and "AccessFileName" is defined then this is probably the problem. Kurt Seifried, kurt@seifried.org PGP Key ID: 0xAD56E574 Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/