Are there any security or operational problems if I do not have any .htaccess file in the Drupal root?


Adding to what MPD said, I think there are two other important parts in the .htaccess file provided by Drupal:

  • File caching
    Drupal tells the browser which files must be cached and for how long.

    # Requires mod_expires to be enabled.
    <IfModule mod_expires.c>
      # Enable expirations.
      ExpiresActive On
      # Cache all files for 2 weeks after access (A).
      ExpiresDefault A1209600
      <FilesMatch \.php$>
        # Do not allow PHP scripts to be cached unless they explicitly send cache
        # headers themselves. Otherwise all scripts would have to overwrite the
        # headers set by mod_expires if they want another caching behavior. This may
        # fail if an error occurs early in the bootstrap process, and it may cause
        # problems if a non-Drupal PHP file is installed in a subdirectory.
        ExpiresActive Off
      </FilesMatch>
    </IfModule>

  • Serving compressed JavaScript and CSS files
    Drupal is able to return to the browser compressed files.

    # Rules to correctly serve gzip compressed CSS and JS files.
    # Requires both mod_rewrite and mod_headers to be enabled.
    <IfModule mod_headers.c>
      # Serve gzip compressed CSS files if they exist and the client accepts gzip.
      RewriteCond %{HTTP:Accept-encoding} gzip
      RewriteCond %{REQUEST_FILENAME}\.gz -s
      RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
      # Serve gzip compressed JS files if they exist and the client accepts gzip.
      RewriteCond %{HTTP:Accept-encoding} gzip
      RewriteCond %{REQUEST_FILENAME}\.gz -s
      RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
      # Serve correct content types, and prevent mod_deflate double gzip.
      RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
      RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
      <FilesMatch "(\.js\.gz|\.css\.gz)$">
        # Serve correct encoding type.
        Header set Content-Encoding gzip
        # Force proxies to cache gzipped & non-gzipped css/js files separately.
        Header append Vary Accept-Encoding
      </FilesMatch>
    </IfModule>

Those directives don't protect from security issues, but they increase the performance of the web site.
You can put those directives in a configuration file read from httpd.conf, if you have access to those files.

Generally speaking, removing the .htaccess file from the Drupal root directory is not a good idea, except when you can move those directives to another file.

You may have some problems, depending on how Apache is configured.

People may be able to browse directly to some hidden files. Look at lines 6 and 73 in the .htaccess to see what it restricts.

People may be able to browse directories directly. See line 10.

The site may not work right if you accidentally put a file called index.html in the root. Line 20 makes index.php the primary file.

Clean URLs won't work. I am not 100% sure if image cache will, either.

There may be some PHP security issue, but the php_flag directives have been standard settings in php.ini for several years now.

Are you on shared hosting? If so, the problem with the .htaccess could be the Options lines. Some hosts restrict these. Everything else should be feature checked by the <IfModule> directives.

It is possible to not have a .htaccess in the DOCROOT by placing the contents into the Apache config for the site, or in an include. On high volume sites, there are some performance gains from doing this (.htaccess is read on each request, whereas the Apache config is read once when it starts).
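
An added example, not part of either answer and not Drupal's shipped file: one way the restrictions listed above (hidden files, directory listings, index.php, clean URLs) can live in the site's Apache config instead of a root .htaccess. It assumes Apache 2.4 syntax; the ServerName, the paths, the FilesMatch pattern and the rewrite rule are illustrative placeholders, so copy the real rules from the .htaccess that ships with your Drupal version.

```apache
# Added example: hypothetical vhost, placeholder names and paths.
<VirtualHost *:80>
    ServerName drupal.example.test
    DocumentRoot /var/www/drupal

    <Directory /var/www/drupal>
        # Apache no longer looks for .htaccess on each request. This also
        # disables every .htaccess in subdirectories, so any rules kept
        # there must be moved into this config as well.
        AllowOverride None
        Require all granted

        # No directory listings; FollowSymLinks is needed by mod_rewrite
        # in per-directory context.
        Options -Indexes +FollowSymLinks

        # index.php wins over a stray index.html in the root.
        DirectoryIndex index.php index.html

        # Deny direct requests for code/metadata files and dot-files
        # (illustrative subset of extensions, not Drupal's full rule).
        <FilesMatch "\.(engine|inc|info|install|module|profile|sh|sql|theme)$|^\.">
            Require all denied
        </FilesMatch>

        # Clean URLs: route anything that is not an existing file or
        # directory to index.php. Inside <Directory> the rules keep the
        # same per-directory matching they had in .htaccess.
        <IfModule mod_rewrite.c>
            RewriteEngine on
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule ^ index.php [L]
        </IfModule>

        # The mod_expires and gzip blocks quoted in the first answer can
        # be pasted here unchanged.
    </Directory>
</VirtualHost>
```

After reloading Apache, request a dot-file, a `.module` file and a directory without an index: each should return 403 or 404 rather than file contents or a listing.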
