Override Class Index for .htaccess
This is an index of the directives that are allowed in .htaccess files for various AllowOverride
settings, organized by class. Its intended purpose is to help server administrators verify the privileges they're granting to .htaccess users. For an overview of how .htaccess works, see the .htaccess tutorial.
To determine the set of directives that your server configuration allows .htaccess users to use:
- Start with the set of directives in the
AllowOverrideList
for the directory in question. (By default, this is set toNone
.) - Find the
AllowOverride
setting for the directory in question. (By default, it is set toNone
.) There are two special cases:- If your
AllowOverride
setting isAll
, add every directive listed on this page to the list. - If your
AllowOverride
setting isNone
, you're done. Only the directives in theAllowOverrideList
(if any) will be allowed.
- If your
- For each override class listed in
AllowOverride
, look up the corresponding set of directives below and add them to the list. - Finally, add the set of directives that is always allowed in .htaccess (these are listed in the All section, below).
Several of the override classes are quite powerful and give .htaccess users a large amount of control over the server. For a stricter approach, set AllowOverride None
and use AllowOverrideList
to specify the exact list of directives that .htaccess users are allowed to use.
All
The following directives are allowed in any .htaccess file, as long as overrides are enabled in the server configuration.
<Else> | core |
Contains directives that apply only if the condition of a previous <If> or <ElseIf> section is not satisfied by a request at runtime | |
<ElseIf> | core |
Contains directives that apply only if a condition is satisfied by a request at runtime while the condition of a previous <If> or <ElseIf> section is not satisfied | |
<Files> | core |
Contains directives that apply to matched filenames | |
<FilesMatch> | core |
Contains directives that apply to regular-expression matched filenames | |
<If> | core |
Contains directives that apply only if a condition is satisfied by a request at runtime | |
<IfDefine> | core |
Encloses directives that will be processed only if a test is true at startup | |
<IfDirective> | core |
Encloses directives that are processed conditional on the presence or absence of a specific directive | |
<IfFile> | core |
Encloses directives that will be processed only if file exists at startup | |
<IfModule> | core |
Encloses directives that are processed conditional on the presence or absence of a specific module | |
<IfSection> | core |
Encloses directives that are processed conditional on the presence or absence of a specific section directive | |
<IfVersion> | mod_version |
contains version dependent configuration | |
LimitRequestBody | core |
Restricts the total size of the HTTP request body sent from the client | |
LimitXMLRequestBody | core |
Limits the size of an XML-based request body | |
LogIOTrackTTFB | mod_logio |
Enable tracking of time to first byte (TTFB) | |
LuaCodeCache | mod_lua |
Configure the compiled code cache. | |
LuaHookAccessChecker | mod_lua |
Provide a hook for the access_checker phase of request processing | |
LuaHookAuthChecker | mod_lua |
Provide a hook for the auth_checker phase of request processing | |
LuaHookCheckUserID | mod_lua |
Provide a hook for the check_user_id phase of request processing | |
LuaHookFixups | mod_lua |
Provide a hook for the fixups phase of a request processing | |
LuaHookInsertFilter | mod_lua |
Provide a hook for the insert_filter phase of request processing | |
LuaHookLog | mod_lua |
Provide a hook for the access log phase of a request processing | |
LuaHookMapToStorage | mod_lua |
Provide a hook for the map_to_storage phase of request processing | |
LuaHookTranslateName | mod_lua |
Provide a hook for the translate name phase of request processing | |
LuaHookTypeChecker | mod_lua |
Provide a hook for the type_checker phase of request processing | |
LuaInherit | mod_lua |
Controls how parent configuration sections are merged into children | |
LuaMapHandler | mod_lua |
Map a path to a lua handler | |
LuaPackageCPath | mod_lua |
Add a directory to lua's package.cpath | |
LuaPackagePath | mod_lua |
Add a directory to lua's package.path | |
LuaQuickHandler | mod_lua |
Provide a hook for the quick handler of request processing | |
LuaRoot | mod_lua |
Specify the base path for resolving relative paths for mod_lua directives | |
LuaScope | mod_lua |
One of once, request, conn, thread -- default is once | |
RLimitCPU | core |
Limits the CPU consumption of processes launched by Apache httpd children | |
RLimitMEM | core |
Limits the memory consumption of processes launched by Apache httpd children | |
RLimitNPROC | core |
Limits the number of processes that can be launched by processes launched by Apache httpd children | |
ServerSignature | core |
Configures the footer on server-generated documents | |
SSIErrorMsg | mod_include |
Error message displayed when there is an SSI error | |
SSITimeFormat | mod_include |
Configures the format in which date strings are displayed | |
SSIUndefinedEcho | mod_include |
String displayed when an unset variable is echoed |
AuthConfig
The following directives are allowed in .htaccess files when AllowOverride AuthConfig
is in effect. They give .htaccess users control over the authentication and authorization methods that are applied to their directory subtrees, including several related utility directives for session handling and TLS settings.
Anonymous | mod_authn_anon |
Specifies userIDs that are allowed access without password verification | |
Anonymous_LogEmail | mod_authn_anon |
Sets whether the password entered will be logged in the error log | |
Anonymous_MustGiveEmail | mod_authn_anon |
Specifies whether blank passwords are allowed | |
Anonymous_NoUserID | mod_authn_anon |
Sets whether the userID field may be empty | |
Anonymous_VerifyEmail | mod_authn_anon |
Sets whether to check the password field for a correctly formatted email address | |
AuthBasicAuthoritative | mod_auth_basic |
Sets whether authorization and authentication are passed to lower level modules | |
AuthBasicFake | mod_auth_basic |
Fake basic authentication using the given expressions for username and password | |
AuthBasicProvider | mod_auth_basic |
Sets the authentication provider(s) for this location | |
AuthBasicUseDigestAlgorithm | mod_auth_basic |
Check passwords against the authentication providers as if Digest Authentication was in force instead of Basic Authentication. | |
AuthDBMGroupFile | mod_authz_dbm |
Sets the name of the database file containing the list of user groups for authorization | |
AuthDBMType | mod_authn_dbm |
Sets the type of database file that is used to store passwords | |
AuthDBMUserFile | mod_authn_dbm |
Sets the name of a database file containing the list of users and passwords for authentication | |
AuthDigestAlgorithm | mod_auth_digest |
Selects the algorithm used to calculate the challenge and response hashes in digest authentication | |
AuthDigestDomain | mod_auth_digest |
URIs that are in the same protection space for digest authentication | |
AuthDigestNonceLifetime | mod_auth_digest |
How long the server nonce is valid | |
AuthDigestProvider | mod_auth_digest |
Sets the authentication provider(s) for this location | |
AuthDigestQop | mod_auth_digest |
Determines the quality-of-protection to use in digest authentication | |
AuthFormAuthoritative | mod_auth_form |
Sets whether authorization and authentication are passed to lower level modules | |
AuthFormProvider | mod_auth_form |
Sets the authentication provider(s) for this location | |
AuthGroupFile | mod_authz_groupfile |
Sets the name of a text file containing the list of user groups for authorization | |
AuthLDAPAuthorizePrefix | mod_authnz_ldap |
Specifies the prefix for environment variables set during authorization | |
AuthLDAPBindAuthoritative | mod_authnz_ldap |
Determines if other authentication providers are used when a user can be mapped to a DN but the server cannot successfully bind with the user's credentials. | |
AuthLDAPBindDN | mod_authnz_ldap |
Optional DN to use in binding to the LDAP server | |
AuthLDAPBindPassword | mod_authnz_ldap |
Password used in conjunction with the bind DN | |
AuthLDAPCompareAsUser | mod_authnz_ldap |
Use the authenticated user's credentials to perform authorization comparisons | |
AuthLDAPCompareDNOnServer | mod_authnz_ldap |
Use the LDAP server to compare the DNs | |
AuthLDAPDereferenceAliases | mod_authnz_ldap |
When will the module de-reference aliases | |
AuthLDAPGroupAttribute | mod_authnz_ldap |
LDAP attributes used to identify the user members of groups. | |
AuthLDAPGroupAttributeIsDN | mod_authnz_ldap |
Use the DN of the client username when checking for group membership | |
AuthLDAPInitialBindAsUser | mod_authnz_ldap |
Determines if the server does the initial DN lookup using the basic authentication users' own username, instead of anonymously or with hard-coded credentials for the server | |
AuthLDAPInitialBindPattern | mod_authnz_ldap |
Specifies the transformation of the basic authentication username to be used when binding to the LDAP server to perform a DN lookup | |
AuthLDAPMaxSubGroupDepth | mod_authnz_ldap |
Specifies the maximum sub-group nesting depth that will be evaluated before the user search is discontinued. | |
AuthLDAPRemoteUserAttribute | mod_authnz_ldap |
Use the value of the attribute returned during the user query to set the REMOTE_USER environment variable | |
AuthLDAPRemoteUserIsDN | mod_authnz_ldap |
Use the DN of the client username to set the REMOTE_USER environment variable | |
AuthLDAPSearchAsUser | mod_authnz_ldap |
Use the authenticated user's credentials to perform authorization searches | |
AuthLDAPSubGroupAttribute | mod_authnz_ldap |
Specifies the attribute labels, one value per directive line, used to distinguish the members of the current group that are groups. | |
AuthLDAPSubGroupClass | mod_authnz_ldap |
Specifies which LDAP objectClass values identify directory objects that are groups during sub-group processing. | |
AuthLDAPUrl | mod_authnz_ldap |
URL specifying the LDAP search parameters | |
AuthMerging | mod_authz_core |
Controls the manner in which each configuration section's authorization logic is combined with that of preceding configuration sections. | |
AuthName | mod_authn_core |
Authorization realm for use in HTTP authentication | |
AuthnCacheProvideFor | mod_authn_socache |
Specify which authn provider(s) to cache for | |
AuthnCacheTimeout | mod_authn_socache |
Set a timeout for cache entries | |
AuthType | mod_authn_core |
Type of user authentication | |
AuthUserFile | mod_authn_file |
Sets the name of a text file containing the list of users and passwords for authentication | |
AuthzDBMType | mod_authz_dbm |
Sets the type of database file that is used to store list of user groups | |
CGIPassAuth | core |
Enables passing HTTP authorization headers to scripts as CGI variables | |
LDAPReferralHopLimit | mod_ldap |
The maximum number of referral hops to chase before terminating an LDAP query. | |
LDAPReferrals | mod_ldap |
Enable referral chasing during queries to the LDAP server. | |
<Limit> | core |
Restrict enclosed access controls to only certain HTTP methods | |
<LimitExcept> | core |
Restrict access controls to all HTTP methods except the named ones | |
Require | mod_authz_core |
Tests whether an authenticated user is authorized by an authorization provider. | |
<RequireAll> | mod_authz_core |
Enclose a group of authorization directives of which none must fail and at least one must succeed for the enclosing directive to succeed. | |
<RequireAny> | mod_authz_core |
Enclose a group of authorization directives of which one must succeed for the enclosing directive to succeed. | |
<RequireNone> | mod_authz_core |
Enclose a group of authorization directives of which none must succeed for the enclosing directive to not fail. | |
Satisfy | mod_access_compat |
Interaction between host-level access control and user authentication | |
Session | mod_session |
Enables a session for the current directory or location | |
SessionEnv | mod_session |
Control whether the contents of the session are written to the HTTP_SESSION environment variable | |
SessionHeader | mod_session |
Import session updates from a given HTTP response header | |
SessionInclude | mod_session |
Define URL prefixes for which a session is valid | |
SessionMaxAge | mod_session |
Define a maximum age in seconds for a session | |
SSLCipherSuite | mod_ssl |
Cipher Suite available for negotiation in SSL handshake | |
SSLRenegBufferSize | mod_ssl |
Set the size for the SSL renegotiation buffer | |
SSLRequire | mod_ssl |
Allow access only when an arbitrarily complex boolean expression is true | |
SSLRequireSSL | mod_ssl |
Deny access when SSL is not used for the HTTP request | |
SSLUserName | mod_ssl |
Variable name to determine user name | |
SSLVerifyClient | mod_ssl |
Type of Client Certificate verification | |
SSLVerifyDepth | mod_ssl |
Maximum depth of CA Certificates in Client Certificate verification |
FileInfo
The following directives are allowed in .htaccess files when AllowOverride FileInfo
is in effect. They give .htaccess users a wide range of control over the responses and metadata given by the server.
AcceptPathInfo | core |
Resources accept trailing pathname information | |
Action | mod_actions |
Activates a CGI script for a particular handler or content-type | |
AddCharset | mod_mime |
Maps the given filename extensions to the specified content charset | |
AddDefaultCharset | core |
Default charset parameter to be added when a response content-type is text/plain or text/html
| |
AddEncoding | mod_mime |
Maps the given filename extensions to the specified encoding type | |
AddHandler | mod_mime |
Maps the filename extensions to the specified handler | |
AddInputFilter | mod_mime |
Maps filename extensions to the filters that will process client requests | |
AddLanguage | mod_mime |
Maps the given filename extension to the specified content language | |
AddOutputFilter | mod_mime |
Maps filename extensions to the filters that will process responses from the server | |
AddOutputFilterByType | mod_filter |
assigns an output filter to a particular media-type | |
AddType | mod_mime |
Maps the given filename extensions onto the specified content type | |
BrowserMatch | mod_setenvif |
Sets environment variables conditional on HTTP User-Agent | |
BrowserMatchNoCase | mod_setenvif |
Sets environment variables conditional on User-Agent without respect to case | |
CGIMapExtension | core |
Technique for locating the interpreter for CGI scripts | |
CGIVar | core |
Controls how some CGI variables are set | |
CharsetDefault | mod_charset_lite |
Charset to translate into | |
CharsetOptions | mod_charset_lite |
Configures charset translation behavior | |
CharsetSourceEnc | mod_charset_lite |
Source charset of files | |
CookieDomain | mod_usertrack |
The domain to which the tracking cookie applies | |
CookieExpires | mod_usertrack |
Expiry time for the tracking cookie | |
CookieName | mod_usertrack |
Name of the tracking cookie | |
CookieStyle | mod_usertrack |
Format of the cookie header field | |
CookieTracking | mod_usertrack |
Enables tracking cookie | |
DefaultLanguage | mod_mime |
Defines a default language-tag to be sent in the Content-Language header field for all resources in the current context that have not been assigned a language-tag by some other means. | |
DefaultType | core |
This directive has no effect other than to emit warnings if the value is not none . In prior versions, DefaultType would specify a default media type to assign to response content for which no other media type configuration could be found. | |
EnableMMAP | core |
Use memory-mapping to read files during delivery | |
EnableSendfile | core |
Use the kernel sendfile support to deliver files to the client | |
ErrorDocument | core |
What the server will return to the client in case of an error | |
FileETag | core |
File attributes used to create the ETag HTTP response header for static files | |
ForceLanguagePriority | mod_negotiation |
Action to take if a single acceptable document is not found | |
ForceType | core |
Forces all matching files to be served with the specified media type in the HTTP Content-Type header field | |
Header | mod_headers |
Configure HTTP response headers | |
ISAPIAppendLogToErrors | mod_isapi |
Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the error log | |
ISAPIAppendLogToQuery | mod_isapi |
Record HSE_APPEND_LOG_PARAMETER requests from ISAPI extensions to the query field | |
ISAPIFakeAsync | mod_isapi |
Fake asynchronous support for ISAPI callbacks | |
ISAPILogNotSupported | mod_isapi |
Log unsupported feature requests from ISAPI extensions | |
ISAPIReadAheadBuffer | mod_isapi |
Size of the Read Ahead Buffer sent to ISAPI extensions | |
LanguagePriority | mod_negotiation |
The precedence of language variants for cases where the client does not express a preference | |
MultiviewsMatch | mod_mime |
The types of files that will be included when searching for a matching file with MultiViews | |
PassEnv | mod_env |
Passes environment variables from the shell | |
QualifyRedirectURL | core |
Controls whether the REDIRECT_URL environment variable is fully qualified | |
Redirect | mod_alias |
Sends an external redirect asking the client to fetch a different URL | |
RedirectMatch | mod_alias |
Sends an external redirect based on a regular expression match of the current URL | |
RedirectPermanent | mod_alias |
Sends an external permanent redirect asking the client to fetch a different URL | |
RedirectTemp | mod_alias |
Sends an external temporary redirect asking the client to fetch a different URL | |
RemoveCharset | mod_mime |
Removes any character set associations for a set of file extensions | |
RemoveEncoding | mod_mime |
Removes any content encoding associations for a set of file extensions | |
RemoveHandler | mod_mime |
Removes any handler associations for a set of file extensions | |
RemoveInputFilter | mod_mime |
Removes any input filter associations for a set of file extensions | |
RemoveLanguage | mod_mime |
Removes any language associations for a set of file extensions | |
RemoveOutputFilter | mod_mime |
Removes any output filter associations for a set of file extensions | |
RemoveType | mod_mime |
Removes any content type associations for a set of file extensions | |
RequestHeader | mod_headers |
Configure HTTP request headers | |
RewriteBase | mod_rewrite |
Sets the base URL for per-directory rewrites | |
RewriteCond | mod_rewrite |
Defines a condition under which rewriting will take place | |
RewriteEngine | mod_rewrite |
Enables or disables runtime rewriting engine | |
RewriteOptions | mod_rewrite |
Sets some special options for the rewrite engine | |
RewriteRule | mod_rewrite |
Defines rules for the rewriting engine | |
ScriptInterpreterSource | core |
Technique for locating the interpreter for CGI scripts | |
SetEnv | mod_env |
Sets environment variables | |
SetEnvIf | mod_setenvif |
Sets environment variables based on attributes of the request | |
SetEnvIfExpr | mod_setenvif |
Sets environment variables based on an ap_expr expression | |
SetEnvIfNoCase | mod_setenvif |
Sets environment variables based on attributes of the request without respect to case | |
SetHandler | core |
Forces all matching files to be processed by a handler | |
SetInputFilter | core |
Sets the filters that will process client requests and POST input | |
SetOutputFilter | core |
Sets the filters that will process responses from the server | |
Substitute | mod_substitute |
Pattern to filter the response content | |
SubstituteInheritBefore | mod_substitute |
Change the merge order of inherited patterns | |
SubstituteMaxLineLength | mod_substitute |
Set the maximum line size | |
UnsetEnv | mod_env |
Removes variables from the environment |
Indexes
The following directives are allowed in .htaccess files when AllowOverride Indexes
is in effect. They allow .htaccess users to control aspects of the directory index pages provided by the server, including autoindex generation.
AddAlt | mod_autoindex |
Alternate text to display for a file, instead of an icon selected by filename | |
AddAltByEncoding | mod_autoindex |
Alternate text to display for a file instead of an icon selected by MIME-encoding | |
AddAltByType | mod_autoindex |
Alternate text to display for a file, instead of an icon selected by MIME content-type | |
AddDescription | mod_autoindex |
Description to display for a file | |
AddIcon | mod_autoindex |
Icon to display for a file selected by name | |
AddIconByEncoding | mod_autoindex |
Icon to display next to files selected by MIME content-encoding | |
AddIconByType | mod_autoindex |
Icon to display next to files selected by MIME content-type | |
DefaultIcon | mod_autoindex |
Icon to display for files when no specific icon is configured | |
DirectoryCheckHandler | mod_dir |
Toggle how this module responds when another handler is configured | |
DirectoryIndex | mod_dir |
List of resources to look for when the client requests a directory | |
DirectoryIndexRedirect | mod_dir |
Configures an external redirect for directory indexes. | |
DirectorySlash | mod_dir |
Toggle trailing slash redirects on or off | |
ExpiresActive | mod_expires |
Enables generation of Expires headers | |
ExpiresByType | mod_expires |
Value of the Expires header configured by MIME type | |
ExpiresDefault | mod_expires |
Default algorithm for calculating expiration time | |
FallbackResource | mod_dir |
Define a default URL for requests that don't map to a file | |
HeaderName | mod_autoindex |
Name of the file that will be inserted at the top of the index listing | |
ImapBase | mod_imagemap |
Default base for imagemap files | |
ImapDefault | mod_imagemap |
Default action when an imagemap is called with coordinates that are not explicitly mapped | |
ImapMenu | mod_imagemap |
Action if no coordinates are given when calling an imagemap | |
IndexHeadInsert | mod_autoindex |
Inserts text in the HEAD section of an index page. | |
IndexIgnore | mod_autoindex |
Adds to the list of files to hide when listing a directory | |
IndexIgnoreReset | mod_autoindex |
Empties the list of files to hide when listing a directory | |
IndexOptions | mod_autoindex |
Various configuration settings for directory indexing | |
IndexOrderDefault | mod_autoindex |
Sets the default ordering of the directory index | |
IndexStyleSheet | mod_autoindex |
Adds a CSS stylesheet to the directory index | |
MetaDir | mod_cern_meta |
Name of the directory to find CERN-style meta information files | |
MetaFiles | mod_cern_meta |
Activates CERN meta-file processing | |
MetaSuffix | mod_cern_meta |
File name suffix for the file containing CERN-style meta information | |
ReadmeName | mod_autoindex |
Name of the file that will be inserted at the end of the index listing |
Limit
The following directives are allowed in .htaccess files when AllowOverride Limit
is in effect. This extremely narrow override type mostly allows the use of the legacy authorization directives provided by mod_access_compat
.
Allow | mod_access_compat |
Controls which hosts can access an area of the server | |
Deny | mod_access_compat |
Controls which hosts are denied access to the server | |
<Limit> | core |
Restrict enclosed access controls to only certain HTTP methods | |
<LimitExcept> | core |
Restrict access controls to all HTTP methods except the named ones | |
Order | mod_access_compat |
Controls the default access state and the order in which Allow and Deny are evaluated. |
Options
The following directives are allowed in .htaccess files when AllowOverride Options
is in effect. They give .htaccess users access to Options
and similar directives, as well as directives that control the filter chain.
CheckCaseOnly | mod_speling |
Limits the action of the speling module to case corrections | |
CheckSpelling | mod_speling |
Enables the spelling module | |
ContentDigest | core |
Enables the generation of Content-MD5 HTTP Response headers | |
FilterChain | mod_filter |
Configure the filter chain | |
FilterDeclare | mod_filter |
Declare a smart filter | |
FilterProtocol | mod_filter |
Deal with correct HTTP protocol handling | |
FilterProvider | mod_filter |
Register a content filter | |
Options | core |
Configures what features are available in a particular directory | |
ReflectorHeader | mod_reflector |
Reflect an input header to the output headers | |
SSLOptions | mod_ssl |
Configure various SSL engine run-time options | |
XBitHack | mod_include |
Parse SSI directives in files with the execute bit set |
© 2018 The Apache Software Foundation
Licensed under the Apache License, Version 2.0.
https://httpd.apache.org/docs/2.4/en/mod/overrides.html