Skip to content

Disable .htaccess with AllowOverride None

Severity: highApplies to: Apache httpd 2.4.xApplies to: Apache httpd 2.4.68
The fixapache2.conf / httpd.conf
<Directory />
AllowOverride None
</Directory>
<Directory /var/www/html>
AllowOverride None
</Directory>

Then move whatever the .htaccess files were doing into the main config, where it belongs.

.htaccess inverts the usual trust direction: anyone who can write a file into a served directory can reconfigure the web server for that directory. They can change authentication rules, add rewrites, set headers, and — depending on AllowOverride — enable options the main config declined to.

That means a file upload bug, a compromised CMS plugin, or a shared-hosting tenant turns into partial control of httpd.

Apache 2.4.67 fixed exactly this, and worse. CVE-2026-24072 is a privilege escalation in mod_rewrite: a user with write access to a .htaccess file could craft an expression that caused httpd to read files outside that user’s own directory, using the privileges of the httpd user account. On shared hosting that is one customer reading another customer’s files — the boundary the whole hosting model depends on.

AllowOverride None means .htaccess files are not read at all. The attack has nowhere to land.

Worth knowing because it’s what usually gets it changed:

With AllowOverride set to anything but None, Apache checks for .htaccess in every directory along the path of every request — for /var/www/html/a/b/c.png it stats /var/www/, /var/www/html/, /var/www/html/a/, and /var/www/html/a/b/. On every single request. Apache’s own documentation recommends avoiding it for this reason alone.

So this is the rare control that makes the server faster and safer at once. It’s not a trade-off; it’s just work.

One thing: letting people who cannot edit the main config change server behaviour. That’s shared hosting, and there it’s a feature.

If you control the server — a VPS, a container, your own metal — you can edit the main config, so .htaccess buys you nothing and costs you a re-check on every request plus an attack surface. Move the directives:

/var/www/html/.htaccess
# now: in the vhost, inside <Directory /var/www/html>
RewriteEngine On
RewriteRule ^old-path$ /new-path [R=301,L]

Identical behaviour, read once at startup instead of on every request.

If you are running shared hosting and genuinely need .htaccess, narrow it rather than allowing everything:

AllowOverride FileInfo AuthConfig Limit # not: AllowOverride All

And keep httpd patched, because CVE-2026-24072 is precisely the shared-hosting scenario.