Is there any security or operational problems if I do not have any .htaccess file in drupal root?
Adding to what MPD said, I think there are other two important parts in the .htacess file provided by Drupal:
File caching Drupal says to the browser which files must be cached and how long.
# Requires mod_expires to be enabled. <IfModule mod_expires.c> # Enable expirations. ExpiresActive On # Cache all files for 2 weeks after access (A). ExpiresDefault A1209600 <FilesMatch \.php$> # Do not allow PHP scripts to be cached unless they explicitly send cache # headers themselves. Otherwise all scripts would have to overwrite the # headers set by mod_expires if they want another caching behavior. This may # fail if an error occurs early in the bootstrap process, and it may cause # problems if a non-Drupal PHP file is installed in a subdirectory. ExpiresActive Off </FilesMatch> </IfModule>
Drupal is able to return to the browser compressed files.
Those directives don't protect from security issues, but they increase the performance of the web site.
You can put those directives in a configuration file read from http.conf, if you have access to those files.
Generally speaking, removing the .htaccess file from the Drupal root directory is not a good idea, except when you can move those directive in another file.
You may have some problems, depending on how Apache is configured.
People may be able to browse directly to some hidden files. Look at lines 6 and 73 in the .htaccess to see what it restricts.
People may be able to browse directories directly. See line 10.
The site may not work right if you accidentally put a file called index.html in the root. Line 20 makes index.php the primary file.
Clean URLs won't work. I am not 100% sure if image cache will, either.
There may be some PHP security issue, but the
php_flag directives have been standard settings in php.ini for a several years now.
Are you on shared hosting? If so, the problem with the .htaccess could be the
Options lines. Some hosts restrict these. Everything else should be feature checked the the
It is possible to not have a .htaccess in the DOCROOT by placing the contents into the Apache config for the site, or in an include. On high volume sites, there are some performance gains from doing this (.htaccess is read each request, where Apache config is read once when it starts).