
bwallace's avatar

.htaccess File Containing Sensitive Info

I want to set up redirects within my application for specific clients, but I don't want to put these redirect rules into my /public/.htaccess file because I don't want the client names to be visible to users. Could there be any issues with creating another .htaccess file in my root folder and writing the rules in there?

LaryAI's avatar

Creating a .htaccess file outside of the public directory (i.e., in the root folder of your application) will not work as you expect because the Apache server only processes .htaccess files that are within the document root (or within a directory that is accessible via a URL).

However, you can achieve your goal without exposing sensitive information by using environment variables or by setting the redirect rules in your server configuration file (e.g., httpd.conf or apache2.conf) if you have access to it. Here's how you can do it:

  1. Using Environment Variables: You can set environment variables in your Apache configuration and use them in your .htaccess file. This way, the sensitive information is stored in your server configuration, which is not publicly accessible.

    In your Apache configuration file, you can set an environment variable like this:

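    # SetEnv is applied too late in request processing for mod_rewrite to see it;
    # SetEnvIf runs early enough for RewriteCond/RewriteRule to read the variable.
    SetEnvIf Request_URI "^/special-client" SPECIAL_CLIENT_REDIRECT=http://example.com/special-client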
    

    Then, in your /public/.htaccess file, you can use this environment variable in a rewrite rule:

    RewriteEngine On
    RewriteCond %{ENV:SPECIAL_CLIENT_REDIRECT} !^$
    RewriteRule ^special-client/? %{ENV:SPECIAL_CLIENT_REDIRECT} [R=302,L]
    
  2. Using Server Configuration: If you have access to the server configuration files, you can place your redirect rules there directly. This is more secure as the configuration files are not in a publicly accessible directory.

    In your Apache configuration file or a virtual host file, you can add the following:

    <VirtualHost *:80>
        ServerName yourdomain.com
        # Other configuration ...
    
        Redirect 302 /special-client http://example.com/special-client
    </VirtualHost>
    

    This will perform the redirect at the server level without exposing the client name in the .htaccess file.

Remember to replace http://example.com/special-client with the actual URL you want to redirect to and yourdomain.com with your actual domain name.

Please note that if you use environment variables or server configuration files, you will need to have the appropriate permissions to modify these settings and you may need to restart Apache for the changes to take effect.

Snapey's avatar

Why not put the redirects in your routes file?

Snapey's avatar

Besides, all my servers return an error if you try to access the .htaccess file.

martinbean's avatar

@bwallace What do you mean, you don’t want client names to be visible to users? A user shouldn’t be able to see your .htaccess file in the first place, making this a non-issue.
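The last two replies depend on Apache refusing to serve `.htaccess` itself, which stock configurations do with a `<Files>`/`<FilesMatch>` section that denies names starting with `.ht`. The following is an added example, not code from the thread: a small Python check that looks for such a section in a configuration file's text. The sample configs are constructed, and Python's `re` and `fnmatch` are used as an approximation of Apache's pattern matching.

```python
import fnmatch
import re

# Constructed sample configurations (not taken from the thread).
PROTECTED_24 = r'''
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
'''
PROTECTED_22 = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
'''
UNPROTECTED = r'''
<Directory /var/www/app/public>
    AllowOverride All
    Require all granted
</Directory>
'''

# A <Files> or <FilesMatch> section: kind, argument, body.
SECTION = re.compile(r'<(Files|FilesMatch)\s+([^>]*)>(.*?)</\1>', re.I | re.S)
# Apache 2.4 and 2.2 ways of denying all access.
DENY = re.compile(r'^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)

def covers_htaccess(kind, arg):
    """True if the section's file pattern matches the name '.htaccess'."""
    arg = arg.strip()
    is_regex = kind.lower() == 'filesmatch' or arg.startswith('~')
    pattern = arg.lstrip('~').strip().strip('"\'')
    if is_regex:
        try:
            # Assumption: Python's re stands in for Apache's PCRE here.
            return re.search(pattern, '.htaccess') is not None
        except re.error:
            return False
    return fnmatch.fnmatchcase('.htaccess', pattern)

def htaccess_denied(config_text):
    """True if some Files/FilesMatch section covering .htaccess denies access."""
    text = re.sub(r'^\s*#.*$', '', config_text, flags=re.M)  # drop comment lines
    return any(
        covers_htaccess(m.group(1), m.group(2)) and DENY.search(m.group(3))
        for m in SECTION.finditer(text)
    )
```

The check reads one file's text only; it does not follow `Include` directives or notice a later section that grants access again, so a request for `/.htaccess` against the running site remains the final confirmation.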
