Using a .htaccess file

To ensure that your web directory is secure, you can install a restriction file called .htaccess. A .htaccess file allows you to protect your webpage, site, or directory from being accessed by unwanted public users. This file will prevent web access by anyone who does not have permission to view your site.

There are three types of .htaccess access restriction methods commonly used on the main NYU web server:

Need Help?

Creating the .htaccess file

It is very important that the .htaccess file be created without introducing any extra characters. For example, return characters at the end of each line or symbols in place of quotation marks. Individual commands in the .htaccess file are meant to be on one line only. Therefore, be sure that the text editor you use has word-wrap turned off. Also, when you upload the file to your site, it must be in ASCII (text) mode (not binary). You may need to change the permissions on the .htaccess file to 644 or (rw-r--r--).This makes the file usable by the webserver, but prevents it from being read by a web browser. Please see our tutorial on UNIX file permissions for more information.

Creating the file

In order to create the file, open up a text editor and save an empty page as .htaccess (or type in one character, as some editors will not let you save an empty page). Chances are that your editor will append its default file extension to the name (i.e. - for Notepad it would call the file .htaccess.txt). You need to remove the .txt (or other) file extension before you can upload the file to your site. On a PC, you can do this by right clicking on the file and renaming it (remove any default suffix that has been appended). You can also rename the file when you upload it through SSH or your SFTP program. Again, if you are using Notepad, remember to disable the word wrap function.

The .htaccess file may also be created right on the server if you are familiar with the UNIX text editor vi.  When creating the file in this manner, you will need to be within the directory that you wish to protect.

File placement

The .htaccess file will affect the directory in which it is placed, as well as all subdirectories. If the .htaccess file exists, the restrictions described in the file are followed before any content is sent to the requesting user. For example, if your site is:


the .htaccess file would be placed within this root directory and would affect all files within, for example:


Make sure that this is what you wish to accomplish before putting the .htaccess file in place. You might only want to protect a subdirectory of your main site. For example, a directory called "private":


So you would put the .htaccess file into the "private" directory. Again, this only restricts access to the contents of the directory "private".

To ensure that the authentication to the area that you have restricted is secure, make sure that any links you use, publish or distribute for logging in are formatted as https, such as:


Restriction options

Deny or allow certain domains

This is useful for internal documents. You could deny access to anybody outside the NYU network or, for instance, allow access for only the machines in the NYU Information Technology (NYU IT) subnet. An example of this type of .htaccess restriction on is the Purchasing Services website: you cannot access specific information unless you have an NYU IP address.

Implement a password scheme

Using this method, an individual will be prompted for a username and password when they go to your site. Keep in mind that this username and password to access your site will NOT be the NYU NetID/password combination - you will assign the usernames and passwords yourself.

Require an NYU NetID and password

Using this method, an individual will be prompted for their NetID and NetID password when they go to your site. However, all the people you want to have access to the directory must have an NYU NetID.

Important Note

Don't forget to test! When you implement one of these schemes, it's very important that you test it carefully, simulating both denied and allowed access. Go to the URL of the part of your site that you've restricted and enter in the appropriate information combination. Remember, once you've logged in successfully, you'll need to quit and restart your browser in order to test again.