How to Deny Access to Sensitive Configuration Files Using .htaccess

When building and maintaining a website, security should always be a top priority. One of the most overlooked yet critical aspects of web security is ensuring that sensitive files—such as configuration files—are not accessible to the public via a browser.

For example, a file like config.cfg might contain database credentials, API keys, or other confidential information. Apache serves any file inside the document root that no handler processes as a plain static file, so if nothing blocks it, anyone can type http://www.yourdomain.com/config.cfg into a browser and read its contents. Credentials exposed this way can lead to data breaches, website defacement, or even full server compromise.

The most robust fix is to keep such files outside the document root altogether, where the web server cannot reach them. When the application or hosting layout does not allow that, and you are using Apache web hosting (as is the case with most shared hosting plans, including those from AvaHost), you can secure such files using the .htaccess file.

What is .htaccess?

The .htaccess file is a per-directory configuration file read by the Apache web server, which lets you apply settings without editing the main server configuration. Its directives are honored only where the server's AllowOverride setting permits them; most shared hosts allow this, and on a server you administer you can check the relevant <Directory> block in httpd.conf. The stock configuration also refuses to serve any file whose name begins with .ht, so the rules file itself cannot be read from a browser. It is especially useful for things like:

  • Enabling or disabling directory listing

  • Setting up redirects

  • Enforcing HTTPS

  • Controlling access to specific files or folders

In our case, we’ll use .htaccess to deny direct access to .cfg files.

How to Protect Configuration Files

✅ Step 1: Locate the Directory

Navigate to the directory that contains your sensitive files, for example the same folder where config.cfg is stored. This is usually inside your website’s document root (/public_html/, /www/, or similar). Rules in a .htaccess file apply to that directory and all of its subdirectories, so placing the file in the document root covers the whole site.

✅ Step 2: Create or Edit the .htaccess File

If there is already a .htaccess file in this directory, open it. If not, create a new file and name it .htaccess (yes, with the dot at the beginning). Files whose names start with a dot are hidden by default in many file managers, so enable the option to show hidden files if you do not see an existing one.

✅ Step 3: Add the Security Rules

Insert the following directives into the file:

<FilesMatch "\.(cfg)$">
Order allow,deny
Deny from all
</FilesMatch>

What This Means:

  • <FilesMatch "\.(cfg)$"> — Targets all files in this directory (and its subdirectories) whose name ends in .cfg. The pattern is a regular expression, case-sensitive, and anchored to the end of the name, so config.CFG or a backup copy such as config.cfg.bak would not be covered

  • Order allow,deny — Sets the rule precedence (Apache 2.2 syntax): Allow directives are evaluated first, Deny directives last, so a matching Deny always wins

  • Deny from all — Denies all web access to matched files

As a result, any attempt to open config.cfg directly from a browser will return a 403 Forbidden error. Verify this after saving: request the file again and confirm the status is 403, not 200. A 500 Internal Server Error instead means the server rejected a directive in the file, usually because AllowOverride does not permit it; the Apache error log names the directive at fault.

📌 Note: Apache 2.4 only accepts Order and Deny when the deprecated mod_access_compat module is loaded, and the Apache project advises against mixing the old and new access syntax in the same container. If your server runs 2.4+, or the rules above produce a 500 error, use the modern syntax instead:

<FilesMatch "\.(cfg)$">
Require all denied
</FilesMatch>
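A more complete version of the rule, shown beside the original for comparison. This is an added example, not code from the original article or from AvaHost; the list of extensions it blocks is an assumption and should be trimmed or extended to match the files your application actually keeps under the document root.

```apache
# Added example: deny web access to configuration files and to the backup
# copies that editors and deploy scripts leave beside them. The extension
# list below is an assumption; adjust it to your own site.

# The article's original rule, for comparison. It is case-sensitive and
# anchored to the end of the file name, so it does not cover config.CFG,
# config.cfg.bak or config.cfg~, which hold the same secrets.
#
# <FilesMatch "\.(cfg)$">
#     Require all denied
# </FilesMatch>

# Hardened rule: (?i) makes the match case-insensitive, the alternation
# covers common configuration and backup extensions, and the trailing
# "|~$" catches editor backup files such as config.cfg~.
<FilesMatch "(?i)\.(cfg|conf|ini|env|ya?ml|bak|old|orig|swp|sql)$|~$">
    # Apache 2.4: mod_authz_core provides the Require directive.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core): legacy Order/Deny syntax. Only one
    # of the two branches is ever active, so the syntaxes are never mixed.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, request config.cfg and a backup variant such as config.cfg.bak and confirm both return 403. If you get 500 instead, the host's AllowOverride does not include AuthConfig (needed for Require) or Limit (needed for Order and Deny); the error log will say which directive was refused. Remember that this only governs HTTP access through Apache: the file is still readable by any process running as the web server user, and nginx or other servers ignore .htaccess entirely, so moving secrets out of the document root remains the stronger fix.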

AvaHost & Security

At AvaHost, we offer full .htaccess support and give you complete control over your hosting environment. Whether you’re hosting a small personal site or managing critical business data, you can rely on our secure and flexible infrastructure to protect what matters.

Need help securing your site? Our support team is here 24/7 to assist with configurations, security hardening, and best practices.