Jon Knapp (.com)


Starting a Web Project with .htaccess

A few weeks ago I was pointed to an interesting article by Smashing Magazine (@smashingmag) about how leaving “.svn” folders on your web projects is a HUGE security risk! I have been using Subversion for source control for a while now, but I never knew the impact of leaving “.svn” folders littered around a checked-out project.

Normally when a project is checked out of Subversion, there is no problem at all. However, if you decide to use Subversion to deploy your projects, like I do for the L-Train, then you need to either do an export (instead of a checkout) or make sure that anything inside a “.svn” folder is inaccessible from the web. I chose the latter, since I like to be able to run svn commands against my checked-out projects to see what files another co-worker has littered my projects with.

Here is the base .htaccess file that I use to block all traffic to “.svn” folders. It also disables directory listings for folders that have no default file to display.

[sourcecode language="sh"]
# disallow access to directory indexes
Options -Indexes

RewriteEngine On
# prevent all access to files inside subversion folders
RewriteRule ^(.*/)?\.svn/ - [F,L]
ErrorDocument 403 "Access Forbidden"
[/sourcecode]

FYI – .htaccess files only work on Linux servers, but I have no idea why you would use anything else. :)
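
To check a deployed web root for the exposure described above, the following shell functions list every “.svn” directory and test whether the root .htaccess carries an active forbid rule. This is an added example, not code from the original post; the function names and the docroot argument are assumptions.

```shell
#!/bin/sh
# Audit a deployed web root for Subversion metadata (added example).
# Assumption: the web root path is passed as the first argument.

# Print every .svn directory under the web root, one per line.
find_svn_dirs() {
    find "$1" -type d -name .svn -prune -print 2>/dev/null
}

# Succeed if the web root's .htaccess has an uncommented RewriteRule
# that mentions .svn and carries the F (forbidden) flag.
htaccess_blocks_svn() {
    [ -f "$1/.htaccess" ] || return 1
    grep -Eq '^[[:space:]]*RewriteRule[[:space:]].*\.svn.*\[[^]]*F[^]]*\]' \
        "$1/.htaccess"
}

# Report the state of one web root; a non-zero status means exposed.
audit_docroot() {
    dirs=$(find_svn_dirs "$1")
    if [ -z "$dirs" ]; then
        echo "OK: no .svn directories under $1"
        return 0
    fi
    if htaccess_blocks_svn "$1"; then
        echo "OK: .svn directories present, forbid rule found in $1/.htaccess"
        return 0
    fi
    echo "EXPOSED: .svn directories with no forbid rule in $1/.htaccess:"
    echo "$dirs"
    return 1
}

# Run the audit only when a web root was given on the command line.
if [ "$#" -gt 0 ]; then
    audit_docroot "$1"
fi
```

A static check like this does not prove Apache is honoring .htaccess files (that depends on `AllowOverride`), so also confirm that a request for a path under “.svn/” returns 403.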
