In addition to performance issues, using the .htaccess configuration method carries with it some serious security issues. First, unless you explicitly prevent it, clients can see the .htaccess file. You can close this loophole by adding the following lines to Apache's configuration file:
<files .htaccess>
order allow,deny
deny from all
</files>
You should replace the .htaccess entry in the listing above with whichever filename you use for the purpose.
The second security concern arises with the Web owner. .htaccess files are typically used on servers supporting a large number of users, where each user has his or her own Web site under /home/httpd/~username. Allowing .htaccess files in the user's document root enables the Web owner to tailor the configuration options permitted within their own document tree. It also opens up the possibility of the Web owner adding options to their .htaccess file that compromise server policy or security (for example, server-side includes or the execution of CGI scripts).
To run a tight ship, the webmaster should always ensure the following block is present in httpd.conf:
<Directory />
AllowOverride None
Options None
Order deny,allow
Deny from all
</Directory>
Doing this effectively locks down the server against the aforementioned performance and security concerns. Then, depending on policy, the webmaster can "unlock" one or more specific options either through a global block statement (say, for the /home/httpd/~username directories) or by adding a directive to individual <VirtualHost> blocks. For a list of options available for the Options directive, please see the Apache documentation. You can find Apache's online documentation (depending on layout) in the DocumentRoot/manual directory in HTML format or on the Web (see Further resources for the link).
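The following audit script is an added example, not part of the original article or of Apache itself. It checks a configuration for the two safeguards described above and flags any directory that hands Options control back to .htaccess files. The sample configuration and the function names parse_sections and audit are constructed for illustration, and the parser assumes sections are not nested.

```python
import re

# Constructed sample httpd.conf (not from the original article).
SAMPLE_CONF = """\
<Directory />
AllowOverride None
Options None
Order deny,allow
Deny from all
</Directory>
<Directory /home/httpd>
AllowOverride All
</Directory>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
"""

def parse_sections(text):
    """Return (tag, argument, directives) per section; assumes no nesting."""
    sections, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        opening = re.match(r"<(\w+)\s+(.*?)>$", line)
        if opening and current is None:
            current = (opening.group(1).lower(), opening.group(2).strip('"'), {})
        elif line.startswith("</") and current is not None:
            sections.append(current)
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, value = (line.split(None, 1) + [""])[:2]
            current[2][name.lower()] = value.strip().lower()
    return sections

def audit(text, access_file=".htaccess"):
    """List deviations from the lockdown the article recommends."""
    findings, sections = [], parse_sections(text)
    root = next((d for t, a, d in sections if t == "directory" and a == "/"), {})
    if root.get("allowoverride") != "none" or root.get("options") != "none":
        findings.append("<Directory /> is not locked down")
    if not any(t == "files" and a == access_file and d.get("deny") == "from all"
               for t, a, d in sections):
        findings.append(f"{access_file} can be fetched by clients")
    for t, a, d in sections:
        granted = d.get("allowoverride", "").split()
        if t == "directory" and a != "/" and {"all", "options"} & set(granted):
            findings.append(f"{a}: users may set Options from {access_file}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "no findings")
```

A misspelled directive name in the root block is reported as a missing lockdown, because the script only recognises the exact name AllowOverride.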