At 12:04 AM 11/21/2002, Glenn wrote: >And now a question about the code: why bother checking for .htaccess files >outside of valid DocumentRoots (or UserDirs)? If you need to set directives >above the document root, create a <Directory> block in httpd.conf.
Apache checks whatever you ask it to. If your config includes the AllowOverrides none at the <Directory /> layer, and AllowOverrides x at the <Directory "{docroot}"> layer, it does exactly what you want. One server's docroot may be simply a node within another vhost. >Also for Apache 3.0, can AllowOverride None be the default? >It is a more secure default, besides providing better performance. Just as I said. You actually decrease security if the administrator has populated .htaccess files and you flip the default on them. I'm not against a commented out AllowOverrides None within the default <Directory /> block, explaining it's behavior and why one would enable that directive. Feel free to offer such a patch to the httpd-std.conf files. Bill