GitLab

Currently a .htaccess file is used to realize folder protection which is not recommended (https://httpd.apache.org/docs/2.4/howto/htaccess.html#when). This should be done directly in the vhost file with an additional <directory> directive. The .htpasswd file could go for example to /var/www/.../private and not be accessible via web even if the user makes a strange config (or stay where it is).

(Background is that I had a user who set the option "Apache AllowOverride=none" for performance reasons without realizing that this disables the password protection)