Afternoon,<br>   I&#39;m the paranoid type and so after installing and setting up my lovely new drupal site I decided that, with all due respect, I&#39;d feel much more comfortable restricting access to the /admin section with an apache password prompt. I&#39;m sure you&#39;ve done a very good job and adhered to best practices and got it all implemented right but unfortunately my day job involves on-line casinos and lots of other peoples money and hence I am a fully signed-up, card-carrying member of the tin-foil hat wearing security brigade ;^)<br>
   Anyway, I looked about and couldn&#39;t find anyone who&#39;d implemented this, not on google or this list so I thought I&#39;d share it with you so that I could get some more eyes over it and in case you wanted to add it to you apache config somewhere..<br>
<br>&quot;<br>    RewriteEngine on<br>    RewriteCond %{QUERY_STRING} q=admin [NC,OR]<br>    RewriteCond %{REQUEST_URI} ^/admin$ [NC]<br>    RewriteRule  (.*) $1 [E=admin_request:1]<br><br>    &lt;Files *&gt;<br>        Order Deny,Allow<br>
        Deny from env=admin_request<br><br>        AuthName &quot;Drupal Admin&quot;<br>        AuthType Basic<br>        AuthUserFile /somepath/somewhere/apache.htdigest.user<br><br>        Require user philip.mather<br>
        Satisfy any<br>    &lt;/Files&gt;<br>&quot;<br><br>...it&#39;s not the most trivial of things to implement unless you&#39;ve used mod_rewrite a fair bit, you&#39;ll also need mod_env as well, and perhaps others about to request such a feature will find this before posting. Appologies if this is a repeat or considered off-topic. It should and does (from my testing anyway) catch both the elegant and full URL forms. If anyone spots any problems with it let me know and feel free to re-use it but obviously there&#39;s no warranty what-so-ever, you could probably adapt the same to restrict other pages as well I guess.<br clear="all">
<br>-- <br>Regards,<br>   Phil<br>