Problem/Motivation

As most seasoned Drupal users know, there are many possible pitfalls when beginning to work with Drupal. As a new user, you might edit the code in core, put contrib modules in the wrong folder, or in both web/modules as well as web/core/modules folder, etc. Another potential pitfall is editing .htaccess, most commonly to redirect from the www to the non-www domain, or vice versa.

Whereas it is possible to edit .htaccess, it should not be recommended, since it is very important to allow the .htaccess file to be updated, if there is a security update.

If or when the .htaccess file has been over-written after an update, figuring out why a web site, or something else stopped working can be quite difficult.

Proposed resolution

To avoid this situation, it would help to change the mental image of the .htaccess file from "Here is a configurable file, and how to do it", to more of a "It's possible, but not recommended".

Remaining tasks

  1. Add warning in the .htaccess file to not edit it, explaining why.
  2. Document alternative solutions on setting web root folder and redirecting, and link to them. For example:
    1. Server-level (Apache, Nginx, etc.)
    2. Redirect to HTTPS and www/non-www with settings.php
    3. More?

Comments

ressa created an issue. See original summary.

cilefen’s picture

cilefen commented
Related issues: +#3092563: Avoid overwriting .htaccess changes during scaffolding > security problem

Site owners should patch .htaccess.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.