You do not need to modify the contents of htaccess.txt
Some people think that it’s important to edit (that is, to change the contents of) one or the other, or both, of the files htaccess.txt and web.config.txt. That’s a statement of fact. Some people really believe that!
This issue has recently become a hot discussion topic because of the advisory notice that shipped as part of J! 3.9.3. The notice says, in part,
Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.
The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config
J! 3.9.3 announcement, Joomla Forum, 13-Feb-2019
If people think it's important to be able to edit (i.e. change the contents of) either (or both) the files htaccess.txt and/or web.config.txt then I am not going to dispute that belief. If it makes people feel better that they can edit either or both of these files when it suits them then so be it. I don’t want to make people feel unhappy.
If it makes you feel happier, you can even delete one or both of these two files, too. It won’t make any difference to how your Joomla website continues to operate but we need to unpick the security notice.
I replied to Brian Teeman to say that I wondered how many Joomla developers have seen the lengthy discussions on the Joomla forum as a result of that notice!
The first part of the notice states that “since Joomla 3.9.3, Joomla is shipped with additional security hardenings”. That’s not a completely true statement. It is true that Joomla is shipped with a pre-configured htaccess file. It is also a requirement that this file be renamed before the “additional security hardenings” take effect. The second part of the notice recommends making changes to one or other file that may already exist on your website; the second part does not mention having to change any .txt files. The problem is that the recommendation is clumsily worded.
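To see which of these situations a given site is in, here is a small check for Apache sites. It is an added example, not part of the Joomla announcement or the Joomla code base. It assumes the hardening in question is the `X-Content-Type-Options: nosniff` response header (the notice does not name the directive), and the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: report whether the MIME-sniffing hardening is live in a
# Joomla root folder on Apache. Only .htaccess is read by the web server;
# htaccess.txt is a template that does nothing until copied or renamed.
# Assumption: the hardening is the "X-Content-Type-Options: nosniff" header.

# Succeeds if the file has a non-comment line that sets the nosniff header.
has_nosniff() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -i 'X-Content-Type-Options' | grep -qi 'nosniff'
}

# Prints one status word for the Joomla root directory given as $1:
#   active    .htaccess exists and sets the header
#   missing   .htaccess exists but lacks the header (apply the change by hand)
#   template  only htaccess.txt carries it, so the hardening is not in effect
#   absent    there is no .htaccess and htaccess.txt does not set it
nosniff_status() {
    root=$1
    if [ -f "$root/.htaccess" ]; then
        if has_nosniff "$root/.htaccess"; then
            echo active
        else
            echo missing
        fi
    elif has_nosniff "$root/htaccess.txt"; then
        echo template
    else
        echo absent
    fi
}

# When run as a script, check the directory given as the first argument.
if [ -n "${1:-}" ]; then
    nosniff_status "$1"
fi
```

A result of `missing` is the case the second part of the notice is about: the site already has its own .htaccess, so the change has to be copied into that file by hand.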
There are a few thousand files created on your Joomla website when you first install it. There are also a few thousand files replaced when you update Joomla from one version to the next. Between the time when you first create Joomla and when you update it to a later version, if you deleted some files from your website, some files are re-created.
Replacing (or, in some cases, re-creating) some files when you update Joomla from one version to the next is neither a good thing nor a bad thing. It's just a “thing”. It’s just how the Joomla! Update component works.
As an example of some of the files that are always replaced when you update Joomla from one version to the next, here is a very short list of the ones that are located in the website’s root folder:
- htaccess.txt
- index.php
- LICENSE.txt
- README.txt
- robots.txt.dist
- web.config.txt
Therefore, if you feel the need to edit (that is, change the contents of) one or more of these files then remember that any changes you make to these files will be lost when you update Joomla to a later version. OK?
If you still feel that you must update one or more of these files then don't let me stop you but, please, don’t ask for my help if you want to edit/change the contents of these files.
This article is based on the author's previously published work at the Joomla forum.