Use case-sensitive disk volume formats such as Mac OS Extended (Case-sensitive) or Mac OS Extended (Case-sensitive, Journaled) to serve access-controlled web content. In these volume formats, folders named “Protected” and “PrOtECted” are two different folders.
The Mac OS Extended volume format preserves the case of filenames but doesn’t distinguish between a file or folder named “Protected” and one named “PrOtECted.” The mod_hfs_apple module, which is enabled by default, prevents this case insensitivity from being used to bypass security. Without mod_hfs_apple, case insensitivity could be an issue when your web content resides on this type of volume and you’re attempting to restrict access to all or part of your web content.
If you require browsers to use a name and a password for Read-Only access to content in a folder named “Protected,” browsers must authenticate to access the following URLs:
http://example.com/Protected
http://example.com/Protected/secret
http://example.com/Protected/sECreT
Without the mod_hfs_apple module enabled, browsers could bypass the authentication requirement by using URLs such as the following:
http://example.com/PrOtECted
http://example.com/PrOtECted/secret
http://example.com/PrOtECted/sECreT
The mod_hfs_apple module operates on folders. It isn’t intended to prevent access to individual files. A file named “secret” can be accessed as “seCREt”. This is correct behavior, and doesn’t enable bypassing security.
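The mismatch described above can be checked for on your own server. The following is an added example, not Apple's code and not how mod_hfs_apple is implemented: it compares an exact-case folder rule with a case-folded one and probes whether a volume is case-insensitive. All function names are hypothetical, and the URL list is constructed from the URLs on this page plus one unprotected URL.

```python
import os
import tempfile
from urllib.parse import unquote, urlsplit

PROTECTED = ("Protected",)  # the restricted folder from this page, as path segments

# Constructed sample input: the page's URLs plus one unprotected URL.
SAMPLE_URLS = [
    "http://example.com/Protected/secret",
    "http://example.com/Protected/sECreT",
    "http://example.com/PrOtECted",
    "http://example.com/PrOtECted/secret",
    "http://example.com/PrOtECted/sECreT",
    "http://example.com/public/index.html",
]

def folder_segments(url):
    """Return the percent-decoded, non-empty path segments of a URL."""
    return tuple(s for s in unquote(urlsplit(url).path).split("/") if s)

def requires_auth_exact(url, protected=PROTECTED):
    """Exact-case prefix match: how a rule written for 'Protected' is compared."""
    return folder_segments(url)[:len(protected)] == tuple(protected)

def requires_auth_folded(url, protected=PROTECTED):
    """Case-folded prefix match: which URLs reach the folder on a
    case-insensitive volume. casefold() only approximates the volume's rules."""
    segs = tuple(s.casefold() for s in folder_segments(url))
    want = tuple(s.casefold() for s in protected)
    return segs[:len(want)] == want

def volume_is_case_insensitive(directory):
    """Create a lower-case probe file and test whether its upper-case name resolves."""
    with tempfile.NamedTemporaryFile(prefix="casetest_", dir=directory) as probe:
        head, tail = os.path.split(probe.name)
        return os.path.exists(os.path.join(head, tail.upper()))

def unguarded_urls(urls, case_insensitive):
    """URLs that resolve into the protected folder but miss the exact-case rule."""
    if not case_insensitive:
        return []  # on a case-sensitive volume 'PrOtECted' is a different folder
    return [u for u in urls if requires_auth_folded(u) and not requires_auth_exact(u)]

if __name__ == "__main__":
    insensitive = volume_is_case_insensitive(tempfile.gettempdir())
    print("case-insensitive volume:", insensitive)
    for url in unguarded_urls(SAMPLE_URLS, insensitive):
        print("needs folder-case enforcement:", url)
```

Point volume_is_case_insensitive at the folder that holds your web content rather than the temporary directory used here.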
For information about choosing who can access secure web content, see Publish a website.