Stephen Harris wrote:
> On Wed, May 27, 2009 at 05:36:19PM -0700, John R Pierce wrote:
>
>> I've generally stuck them in an app specific directory, if your website
>> is all in /var/www, I'd probably stash them in a subdir of that.
>
> Just don't stick them under htdocs; or if you do then ensure there's an
> access control to prevent the web server from sending the contents of
> .htpasswd to a requesting evil person.

Pretty much every default httpd.conf I've ever seen has had an access control blocking */.ht*

But, I guess I hit send too soon, I didn't mean to put it in /var/www/httpd, rather, in /var/www/somethingelse
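An added example, not part of the original thread: a small Python check for the two conditions discussed above, whether a password file sits under a `DocumentRoot` and, if so, whether a deny-all `<Files>`/`<FilesMatch>` rule covers its name. The function names and sample config are constructed for illustration; the check reads one config text only and does not follow `Include`, `Alias`, per-vhost overrides or `.htaccess`.

```python
import fnmatch
import posixpath
import re

# Constructed sample config: a DocumentRoot plus the stock Apache 2.4 ".ht*" rule.
SAMPLE_CONF = """\
DocumentRoot "/var/www/html"
<Files ".ht*">
    Require all denied
</Files>
"""

BLOCK = re.compile(
    r'<Files(Match)?\s+(~\s*)?"?([^>\n]+?)"?\s*>(.*?)</Files(?:Match)?\s*>', re.I | re.S)
DENY = re.compile(r'^\s*(?:Require\s+all\s+denied|Deny\s+from\s+all)\s*$', re.I | re.M)
DOCROOT = re.compile(r'^\s*DocumentRoot\s+"?([^"\n]+?)"?\s*$', re.I | re.M)

def _strip_comments(conf):
    # A commented-out rule must not count as protection.
    return "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))

def name_denied(conf, filename):
    """True if a deny-all <Files>/<FilesMatch> block matches this file name."""
    for is_match, tilde, pattern, body in BLOCK.findall(_strip_comments(conf)):
        if is_match or tilde:            # FilesMatch and "Files ~" take a regex
            hit = re.search(pattern, filename) is not None
        else:                            # plain Files takes a shell-style wildcard
            hit = fnmatch.fnmatchcase(filename, pattern)
        if hit and DENY.search(body):
            return True
    return False

def under_docroot(conf, path):
    """True if path (lexically normalised) is inside any DocumentRoot."""
    path = posixpath.normpath(path)
    for root in DOCROOT.findall(_strip_comments(conf)):
        root = posixpath.normpath(root)
        if path == root or path.startswith(root.rstrip("/") + "/"):
            return True
    return False

def classify(conf, path):
    if not under_docroot(conf, path):
        return "outside-docroot"
    if name_denied(conf, posixpath.basename(path)):
        return "in-docroot-denied"
    return "in-docroot-exposed"
```

The stock rule only protects names beginning with `.ht`, so a password file with any other name inside the document root is reported as exposed.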