Penn Computing
Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Restricting Access to Web Pages

Note: As of April 1st, 2008 personal homepages are no longer supported

Web security starts at the directory level. To secure any page, you must first put it into a discrete subdirectory. Once you've created your subdirectory, you can secure that subdirectory and any pages that reside in that subdirectory by one of three means:

You may want some of your pages to only be accessible by a few people. You will need to password protect those pages and set up as many usernames/passwords as necessary. It is important that you exchange passwords in person and follow the normal rules regarding password maintenance. Do not use a password that you are already using for an email account or any other University account to password protect your web pages.

For users on Pobox and Dolphin, we have made available a wrapper script that will help you to password protect your pages for web users. This script will set the password for the username that you choose and create the .htpasswd and .htaccess files in the directory that you specify.

WARNING: This method will only secure your pages from web users. Any user who has a login account on your same server will be able to see the contents of your pages if they know of their existence. If you prefer to make your pages completely secure from all users, you must contact the server administrator by sending mail to

After creating the subdirectory you wish to secure in your html directory, type

from your UNIX prompt.

A sample .htaccess file that will be created would be

      AuthUserFile /usr/users/testuser/html/secure/.htpasswd
      AuthGroupFile /dev/null                    
      AuthName Passworded                        
      AuthType Basic                             
      require user secure1 secure2

If you have pages that are only meant to be accessed by people from the University you can restrict access to a domain.

You will need to create a .htaccess in your restricted sub-directory. A sample .htaccess file would be:

    AuthUserFile /dev/null    
    AuthGroupFile /dev/null   
    AuthName Domain-restricted
    AuthType Basic            
    order deny,allow          
    deny from all             
    allow from   
This will allow any host in the domain to view your pages but anyone else will get a 403 Forbidden error message.

Combination of Domain-restriction/Password-protection
You could opt to restrict your subdirectory to users in a specified domain and require a password if the user is not in that domain. This is useful if you have internal documents that need to be reviewed by some users outside of the University.

Your will need to create a .htaccess like

    deny from all
    allow from
    AuthType Basic
    AuthUserFile /usr/users/testuser/html/secure/.htpasswd
    AuthName Special_restriction

    require user brak moltar
    satisfy any
    dolphin services


Information Systems and Computing
University of Pennsylvania
Comments & Questions

University of Pennsylvania Penn Computing University of Pennsylvania Information Systems & Computing (ISC)
Information Systems and Computing, University of Pennsylvania