Sometimes you’ll want to restrict access to your webpages to authorized people only, or to keep casual observers from stumbling across some semi-private info. One way to keep people from accessing your files or webpages is to use a method called HTTP Basic Authentication. In this article we’ll show you how to password-protect a folder and everything in it.

A standard login popup.
Caveats
HTTP Basic Authentication (“HTTP Auth” for short) is a simple but not robust method of access control.
- It sends passwords unencrypted from the user to the server, easily readable by eavesdroppers.
- It requires some manual configuration on your side.
If you’re looking for non-technical or robust access controls, you’ll want to look into a content management system or other web software. But HTTP Auth is good enough for quick protection for not-so-secret things.
Password File
First, you’ll want to create a file that lists your users and their passwords. A password file is a simple text file. Here is an example:
john:7yHPZGcLvUFvs
mary:xnre.ZESc8xAY
dave:fAaGBmQB6mWRE
Each line contains the username, then a colon, then their encrypted password. You can add as many users as you want. Usernames and passwords are case sensitive — they must be typed exactly as you enter them!
To get the encrypted version of a password, use a tool like Htpasswd Generator.
Save this file and upload it to your website. A file name of “.htpasswd” is common, but it can be named anything. Files that begin with “.ht” are hidden on your website, but we recommend putting the file in your root folder, outside of the “html” folder, for extra safety.
(Note that most operating systems, including Windows and Mac OS X, don’t display files that begin with a period, so you may need to change your settings if you want to edit the file on your computer.)
Access File
Next, you have to create the file that actually limits access. This file should be named “.htaccess” and goes into the folder you want to protect. (If an .htaccess file already exists, simply add your stuff to the bottom.)
It should look something like this:
AuthType Basic
AuthName "My Protected Area"
AuthUserFile /var/www/yourdomain-com/.htpasswd
Require valid-user
The “AuthType” line is required. It tells the server what kind of authentication you are using. It should not be changed.
The “AuthName” line contains the heading of the login box that is presented to the user. It provides the user with an idea of what is being protected.
The “AuthUserFile” line gives the location of the password file that you uploaded in the previous step. It must contain the full path to the file, which usually begins with “/var/www/yourdomain-com/”. (Replace “yourdomain-com” with your domain name. Hyphens replace the periods, so “yourdomain.com” becomes “yourdomain-com”.) In the above example, the .htpasswd file was uploaded to the root folder.
The final line tells the server to allow access for any user in your password file (with the correct password). You could replace this line with “Require user john mary” if you only wanted to give access to some users.
You can also use the Htaccess Authentication tool to quickly create an access file.
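An added example (not part of the original article or of the tools it mentions): a small Python check over the two files described above. It names the hash format of each password-file entry and flags an AuthUserFile that is missing, not a full path, or inside the web-served folder. The function names, the docroot argument and the bcrypt-only policy are assumptions of this example.

```python
import re
from pathlib import PurePosixPath

# Constructed inputs: the two example files from the article.
HTPASSWD = "john:7yHPZGcLvUFvs\nmary:xnre.ZESc8xAY\ndave:fAaGBmQB6mWRE\n"
HTACCESS = ('AuthType Basic\nAuthName "My Protected Area"\n'
            'AuthUserFile /var/www/yourdomain-com/.htpasswd\nRequire valid-user\n')

# Apache password-file hash formats; assumed policy here: only bcrypt passes.
SCHEMES = [
    (re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt", True),
    (re.compile(r"\$apr1\$"), "apr1-md5", False),
    (re.compile(r"\{SHA\}"), "sha1-unsalted", False),
    (re.compile(r"[./A-Za-z0-9]{13}$"), "des-crypt", False),  # 13-char crypt()
]

def classify(hash_field):
    """Name the hash scheme of one password field and say if it is acceptable."""
    for pattern, name, ok in SCHEMES:
        if pattern.match(hash_field):
            return name, ok
    return "unknown-or-plaintext", False

def audit_htpasswd(text):
    """Map each user in a 'user:hash' file to (scheme, acceptable)."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, hash_field = line.partition(":")
            users[user] = classify(hash_field.strip())
    return users

def audit_htaccess(text, docroot):
    """List problems in an access file; docroot is the web-served folder."""
    d = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            d[parts[0].lower()] = parts[1].strip().strip('"')
    findings = [f"no {k} line" for k in ("AuthType", "Require") if k.lower() not in d]
    raw = d.get("authuserfile")
    if raw is None or not PurePosixPath(raw).is_absolute():
        findings.append("AuthUserFile is missing or not a full path")
    elif PurePosixPath(docroot) in PurePosixPath(raw).parents:
        findings.append("AuthUserFile is inside the web-served folder")
    return findings
```

Run on the article's sample password file, every entry is reported as des-crypt, the legacy 13-character crypt() format, which uses only the first eight characters of a password.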
Troubleshooting
Once you upload these two files, try loading the webpage or folder that you protected. You should get a login box asking for your username and password. If you get an “Internal Server Error” message, you typed something wrong — go back and double-check your work. A common error is using the wrong value for “AuthUserFile”.
Additional Information
- The htaccesstools.com website contains the file generators and other useful information.
- For the more technical people, here is the official documentation for the web server.
