On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > Provided AllowOverride is None, and AllowOverrideList does not include > "<Limit", the server should be protected, but I haven't played with > this theory; https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
I tested this and indeed the server is protected. This is IMHO the rigth way to control the content of .htaccess files from httpd.conf (i.e. a white-list).