# htaccess
# @author: Marco Cesarato <[email protected]>

# Directory listings: never auto-generate an index for a directory, and hide
# every entry from one should listings be re-enabled further down the tree.
# NOTE(review): "All" is every option except MultiViews, so this also leaves
# ExecCGI and Includes switched on; "Options -Indexes" alone is the narrower
# form if server-side includes / CGI are not needed here.
Options All -Indexes
IndexIgnore *

# Keep the server version/OS footer out of server-generated pages (error
# pages, listings). ServerTokens cannot be set from .htaccess, only in the
# main server configuration.
ServerSignature Off

# Request body cap, currently disabled; uncomment to reject bodies over ~10 MB.
#LimitRequestBody 10240000

# PHP hardening through php_flag. These are only understood when mod_php is
# loaded (with PHP-FPM/CGI they are unknown directives and must go into
# php.ini or .user.ini instead), which is presumably why they are disabled.
# magic_quotes_gpc and register_globals no longer exist in current PHP.
#php_flag expose_php off
#php_flag allow_url_fopen off
#php_flag magic_quotes_gpc off
#php_flag register_globals off
#php_flag session.cookie_httponly on
#php_flag session.use_only_cookies on
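# Headers protection/improvements
<IfModule mod_headers.c>
# Hide server informations: strip the PHP version banner from both the
# normal (2xx) and the error/always header tables.
Header always unset X-Powered-By
Header unset X-Powered-By
# Security headers are set with "always" so they are also emitted on
# 3xx/4xx/5xx responses; a plain "Header set" only applies to 2xx responses,
# which left error pages without clickjacking/MIME/CSP protection.
# XSS Protection: legacy browser filter, removed or disabled by most current
# browsers; the CSP below is the real control. (Current guidance tends
# towards "0" because the filter itself caused issues in old browsers.)
Header always set X-XSS-Protection "1; mode=block"
# Clickjacking
Header always set X-Frame-Options "sameorigin"
# Accept-Encoding is a *request* header; setting it on responses has no
# effect, so the directive is disabled (use mod_deflate for compression).
#Header set Accept-Encoding "gzip, deflate"
# WARNING: this applies to every response, including dynamic HTML and pages
# served to logged-in users, and lets shared caches keep them for 180 days
# (no "private"). Restrict it to static assets via <FilesMatch>, or add
# "private"/"no-store" where per-user content is served.
Header set Cache-Control "max-age=15552000, must-revalidate"
# Fixed header name: the original "Referer-Policy" is misspelled and browsers
# silently ignored it; the header is "Referrer-Policy".
Header always set Referrer-Policy "origin"
# HSTS is only honoured on responses received over HTTPS; the http->https
# redirect in the mod_rewrite section is commented out, so this only
# protects visitors who already reach the site over TLS.
Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
Header set X-UA-Compatible "IE=edge,chrome=1"
Header always set X-Permitted-Cross-Domain-Policies "master-only"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
# Has no effect on CORS without an Access-Control-Allow-Origin header;
# kept as the original had it.
Header set Access-Control-Allow-Methods "GET, POST"
# Content policy
# Strict variant (same-origin only, no inline or third-party script):
#Header set Content-Security-Policy "default-src 'self'"
# WARNING: the active policy allows script from any origin plus
# 'unsafe-inline' and 'unsafe-eval', so it does not mitigate XSS at all --
# it effectively only restricts object-src and default-src. Tighten
# script-src to the origins actually used (nonces or hashes for inline
# code) before relying on it. Left unchanged here to avoid breaking the site.
Header always set Content-Security-Policy "default-src 'self'; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; img-src * data:; font-src * data:; object-src 'self'"
</IfModule>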
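<IfModule mod_rewrite.c>
# Enable URL Rewriter
RewriteEngine On
# mod_rewrite in a per-directory context needs one of these two; the
# OwnerMatch variant is the stricter one (link and target owned by the same
# user). Both need "AllowOverride Options" in the server config to be honoured.
Options +FollowSymlinks
Options +SymLinksIfOwnerMatch
# Reject TRACE (cross-site tracing) and OPTIONS with 403.
# NOTE: "TraceEnable Off" in the server config is the proper switch for
# TRACE; blocking OPTIONS also breaks CORS preflight, so remove it from the
# pattern if any cross-origin client needs this site.
RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS)
# Plain ASCII "-" is the "no substitution" placeholder; the original file
# had a Unicode dash here, which Apache would treat as a literal target
# (ignored with [F], but misleading to readers and copy/paste).
RewriteRule .* - [F]
# HTTPS
# When enabling, append [R=301,L] so it is a permanent redirect and
# processing stops; without a flag mod_rewrite issues a 302 and continues.
#RewriteCond %{HTTPS} !on
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# URL Rewrite
# Remove comment from here if you use a url rewriter
#RewriteBase /
#RewriteRule ^index\.php$ - [L]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule . index.php [L]
# Keep VCS metadata (.git/.svn/.hg) from being served: any path containing
# one of these is routed to index.php instead. The three original rules are
# merged (the surrounding ".*" were redundant) and made case-insensitive
# with [NC] so ".GIT/config" is covered on case-insensitive filesystems too.
# Like the original, this also matches e.g. ".github/" or "name.gitbook" --
# anchor to a path segment ("(^|/)\.(git|svn|hg)(/|$)") if that is a problem.
RewriteRule \.(git|svn|hg) index.php [NC,L]
</IfModule>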
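# File protection
# Apache 2.4 replaced Order/Deny with "Require" (mod_authz_core); without
# mod_access_compat the 2.2 directives are unknown and every request to
# this directory fails with a 500 (".htaccess: Invalid command 'Order'").
# Both branches are kept so the file works on either version.
# Matches config.php (and, being unanchored at the end, config.php.bak etc.).
<Files ~ "^(config)\.php">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
</Files>
# Deny every dotfile starting with ".ht" (.htaccess, .htpasswd, .htdigest,
# .htgroup ...). The original pattern "^.*\.([Hh][Tt][Aa])" only matched
# names containing ".hta", leaving .htpasswd exposed; that match is kept as
# the second alternative so nothing previously denied becomes reachable.
<Files ~ "(^\.[Hh][Tt]|\.[Hh][Tt][Aa])">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
Satisfy all
</IfModule>
</Files>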
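# Robots: keep search engines from indexing documents and images. This is
# not access control -- the files are still served to anyone who requests
# them; only crawlers honouring X-Robots-Tag are affected.
# Wrapped in IfModule, like the header section above, so a server without
# mod_headers does not fail with "Invalid command 'Header'". The extension
# match is made case-insensitive with (?i) so ".PDF"/".JPG" are covered too.
<IfModule mod_headers.c>
<FilesMatch "(?i)\.pdf$">
Header set X-Robots-Tag "noindex, nofollow"
</FilesMatch>
<FilesMatch "(?i)\.(png|jpe?g|gif|bmp|psd)$">
Header set X-Robots-Tag "noindex"
</FilesMatch>
</IfModule>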