Password protect directories

This FAQ provides instructions on securing the Origen Cms /backend/ directory on Apache servers using the htpasswd utility. These instructions can be adapted for securing other directories as well. If you need assistance locating or creating your .htaccess file, please refer to the following steps:

Caveat

Basic authentication should not be considered secure by rigorous security standards. While the password is stored on the server in encrypted format, it is transmitted as plain text over the network from the client to the server. This means that anyone monitoring network traffic with a packet sniffer can intercept and read the username and password.

It's important to note that the username and password are sent with every request, not just during the initial login. Therefore, a packet sniffer doesn't need to capture the credentials at a specific moment; it can capture them at any time while the request is being transmitted.

Furthermore, the content itself is also transmitted in plain text over the network. If the website contains sensitive information, a packet sniffer can access that information, even if the username and password are not used directly to gain access to the website.

Basic authentication should not be used for anything that requires robust security. It can be easily compromised by individuals with malicious intent, as it doesn't provide strong protection. However, when used over an SSL connection, basic authentication can be secure, as the entire communication, including the username and password, is encrypted.

Directions

  1. If you are not familiar with the Apache htpasswd utility, we recommend reading the Apache Authentication and Authorization page for an overview.

  2. Verify that your site is configured to use .htaccess files. If you are unsure, consult your hosting provider.

  3. Determine the location for your .htaccess file. Apache searches all directories in a path recursively for .htaccess files. Placing the file higher in the directory structure will allow it to control more directories. If there is already an existing .htaccess file in the chosen directory, it is best to add the new code to that file.

  4. Decide where to store your .htpasswd and .htgroups files. These files should never be accessible through the web. Here is an example directory structure that demonstrates suitable locations for each file. Note that the /auth/ directory in this example is not accessible from the web:

    • /home/mysite/public_html/.htaccess
    • /home/mysite/auth/.htpasswd
    • /home/mysite/auth/.htgroups
  5. Create the .htpasswd and .htgroups files according to the instructions provided in the official Apache HowTo referenced above.

  6. If a .htaccess file already exists in the chosen directory, make a backup copy of it. If the file does not exist, create a new file with that name (don't forget the dot at the beginning).

  7. Add the following code to the .htaccess file, adjusting the example paths to match your server's configuration (they should point at the files created in step 5, outside the web root). Modify the group name if it differs from the one you created in step 5:

    ```apache
    # Example paths: replace with the real location of the files from step 5
    AuthUserFile /home/mysite/auth/.htpasswd
    AuthGroupFile /home/mysite/auth/.htgroups
    AuthType Basic
    AuthName "LWS"
    Require group admins
    ```

  8. Test the setup thoroughly.
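As an added example (not part of the original FAQ), the following Python script audits the files from steps 4, 5 and 7: it reports users whose .htpasswd entry does not use bcrypt, members of the required group who have no .htpasswd entry, and auth files that sit inside the web root. The file contents, paths, and group name are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample files in the formats htpasswd and AuthGroupFile use
# (these are not real credentials; hash values are made up).
HTPASSWD = """\
alice:$2y$05$abcdefghijklmnopqrstuu5lQ6pC9kQ5gJ0l7i1Z7Y8o3b2yC1e6a
bob:$apr1$saltsalt$Q0mIqnFYg2aRnZ4bEDX0b0
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:plaintextpw
"""
HTGROUPS = "admins: alice bob mallory\neditors: carol\n"

def parse_htpasswd(text):
    """Map each user to the hash scheme used for its .htpasswd entry."""
    schemes = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if stored.startswith(("$2y$", "$2a$", "$2b$")):
            schemes[user] = "bcrypt"
        elif stored.startswith("$apr1$"):
            schemes[user] = "apr1-md5"
        elif stored.startswith("{SHA}"):
            schemes[user] = "sha1"
        elif re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
            schemes[user] = "crypt"          # legacy 13-char DES crypt
        else:
            schemes[user] = "plain"          # anything else is stored as-is
    return schemes

def parse_htgroups(text):
    """Map each group in .htgroups ("name: user user ...") to its members."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, members = line.partition(":")
            groups[name.strip()] = set(members.split())
    return groups

def audit(htpasswd_text, htgroups_text, required_group, auth_paths, docroot):
    """Return findings for a 'Require group' setup; empty list means clean."""
    findings = []
    users = parse_htpasswd(htpasswd_text)
    groups = parse_htgroups(htgroups_text)
    for user, scheme in users.items():
        if scheme != "bcrypt":
            findings.append(f"{user}: {scheme} hash; regenerate with htpasswd -B")
    if required_group not in groups:
        findings.append(f"group {required_group!r} missing from .htgroups")
    else:
        for member in sorted(groups[required_group] - set(users)):
            findings.append(f"{member}: in group {required_group!r} but not in .htpasswd")
    for p in auth_paths:   # files under the document root may be served to clients
        if PurePosixPath(docroot) in PurePosixPath(p).parents:
            findings.append(f"{p} is inside the web root {docroot}")
    return findings
```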

If you are unable to use the Apache htpasswd utility, there is a free .htaccess generator available that can create the necessary files for you. You will need to provide the username, password, and path information, and the script will generate the files. Note that for more advanced configurations, such as using groups, you may need to manually edit the generated files.