I have this, and only this, in a .htaccess file inside my downloads folder: <FilesMatch "\.(exe)$"> AuthType Basic AuthName "Downloads" AuthUserFile path/to/.htpasswd Require valid-user </FilesMatch> Once I click the link to download a href="fileName.exe">FileName</a>, I'm getting a 500 server error. If I leave out the <FilesMatch>-part; The protection part is working, I guess, since I get the login box. But once I get into the protected area, the 500 server error occurs. What am I doing wrong here? My intention was to protect only a single .exe file to prevent downloaded by anyone. Is there any easier or more correct way of doing this?