On Wed, May 27, 2009 at 05:36:19PM -0700, John R Pierce wrote: > I've generally stuck them in an app specific directory, if your website > is all in /var/www, I'd probably stash them in a subdir of that. Just don't stick them under htdocs; or if you do then ensure there's an access control to prevent the web server from sending the contents of .htpasswd to a requesting evil person. -- rgds Stephen