Apache 1.3.6 (SuSE 6.2) Hello, the folloging lines in "httpd.conf" should "prevent .htaccess files from being viewed by Web clients" as the comment says: |<Files .htaccess> |Order allow,deny |Deny from all |</Files> But it IS viewable for people having PASSED the login-window in the Web client. (For failed login, it works ok.) I have a line "AllowOverride All" in the "http.conf"; the ".htaccess" file contains the following: |deny from all |AuthType Basic |AuthUserFile /usr/local/httpd/htpasswd.users |AuthName "Intranet" |require valid-user |satisfy any Is it a bug in design? How can I prevent the ".htaccess" file from being viewable to people passed the login? Thanks Bernd