Disable .htaccess with AllowOverride None
apache2.conf / httpd.conf<Directory /> AllowOverride None</Directory>
<Directory /var/www/html> AllowOverride None</Directory>Then move whatever the .htaccess files were doing into the main config, where
it belongs.
Why it matters
Section titled “Why it matters”.htaccess inverts the usual trust direction: anyone who can write a file into
a served directory can reconfigure the web server for that directory. They can
change authentication rules, add rewrites, set headers, and — depending on
AllowOverride — enable options the main config declined to.
That means a file upload bug, a compromised CMS plugin, or a shared-hosting tenant turns into partial control of httpd.
Apache 2.4.67 fixed exactly this, and worse. CVE-2026-24072 is a privilege
escalation in mod_rewrite: a user with write access to a .htaccess file could
craft an expression that caused httpd to read files outside that user’s own
directory, using the privileges of the httpd user account. On shared hosting
that is one customer reading another customer’s files — the boundary the whole
hosting model depends on.
AllowOverride None means .htaccess files are not read at all. The attack has
nowhere to land.
It’s also the performance answer
Section titled “It’s also the performance answer”Worth knowing because it’s what usually gets it changed:
With AllowOverride set to anything but None, Apache checks for .htaccess in
every directory along the path of every request — for /var/www/html/a/b/c.png
it stats /var/www/, /var/www/html/, /var/www/html/a/, and
/var/www/html/a/b/. On every single request. Apache’s own documentation
recommends avoiding it for this reason alone.
So this is the rare control that makes the server faster and safer at once. It’s not a trade-off; it’s just work.
What .htaccess is actually for
Section titled “What .htaccess is actually for”One thing: letting people who cannot edit the main config change server behaviour. That’s shared hosting, and there it’s a feature.
If you control the server — a VPS, a container, your own metal — you can edit the
main config, so .htaccess buys you nothing and costs you a re-check on every
request plus an attack surface. Move the directives:
# now: in the vhost, inside <Directory /var/www/html>RewriteEngine OnRewriteRule ^old-path$ /new-path [R=301,L]Identical behaviour, read once at startup instead of on every request.
If you are running shared hosting and genuinely need .htaccess, narrow it
rather than allowing everything:
AllowOverride FileInfo AuthConfig Limit # not: AllowOverride AllAnd keep httpd patched, because CVE-2026-24072 is precisely the shared-hosting scenario.
Related
Section titled “Related”- Keep Require all denied — the same block carries
AllowOverride None. - Disable unused modules — mod_rewrite is where CVE-2026-24072 lived.