What Does Require All Granted Do in Apache?
The Require all granted directive in the Apache HTTP
Server is a core access control configuration used to unconditionally
allow all incoming traffic to access a specific directory, file, or
location on a server. It forms the backbone of modern Apache security
configurations, typically used to open up public-facing web directories
after stricter global restrictions have been applied. Understanding how
and when to implement this directive is essential for configuring a
functional and secure web server.
The Role of Require All Granted in Apache 2.4
In Apache 2.4, authorization configuration underwent a significant
overhaul. The older Order, Allow, and
Deny directives from Apache 2.2 were deprecated and
replaced by the mod_authz_core module, which introduces the
Require syntax.
The Require all granted directive explicitly tells the
server that no authorization restrictions should be enforced for the
specified block. If a client requests a resource protected by this
directive, Apache will permit access without checking for user
credentials, IP whitelists, or hostnames.
Syntax and Implementation
This directive is placed inside configuration containers such as
<Directory>, <Location>, or
<Files>. A typical implementation looks like
this:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
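</Directory>

In this example, any visitor navigating to the main web root
directory (/var/www/html) will be permitted to view the
hosted web pages. Note that Options Indexes in this block also enables
automatic directory listings for folders that have no index file.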
Why It Matters: Security by Default
Modern Apache configurations often employ a “secure by default”
strategy. In the main httpd.conf or
apache2.conf file, developers usually block access to the
entire filesystem to prevent malicious actors from browsing sensitive
server files:
<Directory "/">
AllowOverride None
Require all denied
</Directory>

Because Require all denied locks down the server
completely, you must use Require all granted further down
the configuration file to selectively open up the specific folders where
your public website files actually live.
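The deny-by-default pattern above can be checked mechanically. The following is an added example, not part of the original article or of Apache itself: a small Python line scanner that confirms `<Directory "/">` is set to Require all denied and reports any Require all granted outside an expected list of public roots. The sample configuration, the `/etc` block, and the `public_roots` default are constructed assumptions, and the scanner looks only at explicit `<Directory>` blocks; it does not reproduce Apache's full merge logic.

```python
import re

# Constructed sample configuration (not taken from a real server).
SAMPLE_CONF = '''
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
<Directory "/etc">
    Require all granted
</Directory>
'''

OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
REQUIRE = re.compile(r'^\s*Require\s+all\s+(granted|denied)\b', re.I)

def directory_rules(conf_text):
    """Map each <Directory> path to its 'Require all' value (or None)."""
    rules, current = {}, None
    for line in conf_text.splitlines():
        if line.lstrip().startswith('#'):
            continue  # skip commented-out directives
        m = OPEN.match(line)
        if m:
            current = m.group(1)
            rules.setdefault(current, None)
        elif CLOSE.match(line):
            current = None
        elif current is not None:
            m = REQUIRE.match(line)
            if m:
                rules[current] = m.group(1).lower()
    return rules

def audit(conf_text, public_roots=("/var/www/html",)):
    """Return findings: root not denied, or grants outside the public roots."""
    rules = directory_rules(conf_text)
    findings = []
    if rules.get("/") != "denied":
        findings.append('<Directory "/"> is not set to Require all denied')
    for path, value in rules.items():
        inside = any(path == r or path.startswith(r.rstrip("/") + "/") for r in public_roots)
        if value == "granted" and not inside:
            findings.append(f"Require all granted outside public roots: {path}")
    return findings
```

Calling `audit(SAMPLE_CONF)` flags only the constructed `/etc` block, since the root is denied and `/var/www/html` is an expected public root.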
Common Use Cases
- Public Web Roots: Enabling access to standard document roots like /var/www/html or /usr/share/nginx/html.
- Virtual Hosts: Configuring specific domains or subdomains within a <VirtualHost> block to ensure their public assets are accessible to the internet.
- Asset Directories: Allowing access to public images, CSS, and JavaScript folders while keeping backend scripts restricted.