In addition to serving any file it can access by default, Apache also by default allows parts of configuration data to be placed under the web server tree, in files normally named .htaccess. Configuration information in such files can override the information in the httpd.conf configuration file. Though this can be useful, it slows down the server (because Apache is forced to check whether the file exists in any of the sub-folders it serves) and allows anyone who controls the web server tree to have limited control of the web server. This feature is controlled with the AllowOverride directive, which, like Options, appears within the <Directory> directive specifying the directory to which the options apply. The AllowOverride directive supports the following options:

AuthConfig
   Allows use (in .htaccess files) of the authorization
      directives (explained in Chapter 7)

FileInfo
   Allows use of the directives controlling document
      types

Indexes
   Allows use of the directives controlling directory
      indexing

Limit
   Allows use of the directives controlling host access

Options
   Allows use of the directives controlling specific
      directory functions (the Options and XbitHack
   directives )

All
   Allows all options listed

None
   Ignores .htaccess configuration files

For our default configuration, we choose the None option. So, our <Directory> directives are now:

  <Directory / >
      Order Deny,Allow
      Deny from all
      Options None
      AllowOverride None
  </Directory>

  <Directory /var/www/htdocs>
      Order Allow,Deny
      Allow from all
  </Directory>

Modules sometimes use AllowOverride settings to make other deci sions as to whether something should be allowed. Therefore, a change to a setting can have unexpected consequences. As an example, including Options as one of the AllowOverride options will allow PHP configuration directives to be used in .htaccess files. In theory, every directive of every module should fit into one of the AllowOverride settings, but in practice it depends on whether their respective developers have considered it.