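# .htaccess
# Main Web MVC Framework Rewrite Rules for routing request to index.php and securing website
#
# copyright (c) 2016 Rosario Carvello <[email protected]> - All rights reserved.
# see License.txt file
# license BSD Clause 3 License
# license https://opensource.org/licenses/BSD-3-Clause This software is distributed under BSD-3-Clause Public License
#
# NOTE: the Options and rewrite directives in this file only take effect if the
# server's AllowOverride for this directory permits them (Options, FileInfo);
# otherwise Apache answers every request with a 500 configuration error.
#
# Disables directory listing
Options -Indexes
# Set Apache Rewrite Engine to On
RewriteEngine On
# Per-directory rewriting also needs FollowSymLinks (or SymLinksIfOwnerMatch);
# it is switched on further down with "Options +FollowSymlinks".
#
# Front-controller routing: every request that does not name an existing
# directory, file or symlink is handed to index.php. The three conditions
# below carry no [OR] flag, so all three must hold for the rule to apply.
# Skip the rewrite when the request names an existing directory
RewriteCond %{REQUEST_FILENAME} !-d
# Skip the rewrite when the request names an existing file
RewriteCond %{REQUEST_FILENAME} !-f
# Skip the rewrite when the request names an existing symbolic link
RewriteCond %{REQUEST_FILENAME} !-l
# Route the request to index.php with the requested path in the "url" parameter.
# QSA keeps the original query string, L ends the current rewrite pass.
# NOTE: after an [L] rewrite in per-directory context Apache re-runs this file
# against the rewritten URL, so the QUERY_STRING filters below are evaluated a
# second time with QUERY_STRING = "url=<requested path>".
RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
# File Protection: never serve this .htaccess file itself.
# NOTE(review): "Order"/"Deny from" is Apache 2.2 syntax; on 2.4 it only works
# with mod_access_compat loaded, the native form is "Require all denied".
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
# Secure website
Options +FollowSymlinks
# Do not append the server version/host footer to server-generated pages
ServerSignature Off
# Rule #4 - query-string filters. The four conditions are ORed; the last one
# carries no [OR] and closes the group. The regex metacharacters "(", "[" and
# "%" are escaped so the patterns match the literal characters they describe,
# consistent with the copies of these conditions near the end of this file.
# Rule #4a - Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Rule #4b - Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Rule #4c - Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Rule #4d - Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Rule #4e - Send all blocked request to homepage with 403 Forbidden error!
# ([F] answers 403 before any substitution happens; "-" is the usual target.)
RewriteRule ^(.*)$ index.php [F,L]
# Prevent XSS attacks
# How mod_rewrite chains these conditions: consecutive [OR] conditions form a
# group, a condition WITHOUT [OR] closes the group, and the groups are ANDed.
# That gives two groups here: the QUERY_STRING conditions up to the "concat"
# line, and everything from REQUEST_METHOD down to the last QUERY_STRING line.
# NOTE(review): several conditions in the second group end their alternation
# with an empty branch "|)" inside "^.*...*", so they match ANY value,
# including an absent header; the second group therefore always evaluates
# true and the 403 below fires exactly when one of the first-group substrings
# matches. Those substrings ("cmd=", "exec", "concat", "http:/") are
# unanchored and also match ordinary words such as "executive". Tightening
# this block is a policy decision and is deliberately left unchanged here.
RewriteCond %{QUERY_STRING} http://([a-zA-Z0-9_\-]*) [NC,OR]
RewriteCond %{QUERY_STRING} http:/([a-zA-Z0-9_\-]*) [NC,OR]
RewriteCond %{QUERY_STRING} cmd= [NC,OR]
RewriteCond %{QUERY_STRING} &cmd [NC,OR]
RewriteCond %{QUERY_STRING} exec [NC,OR]
RewriteCond %{QUERY_STRING} execu [NC,OR]
RewriteCond %{QUERY_STRING} concat [NC]
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\|\|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
# Fixed: the original line had no whitespace between %{HTTP_USER_AGENT} and the
# pattern, so Apache took the whole thing as the test string and read "[NC,OR]"
# as the regex; the flags were lost and the condition closed the group early.
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark|print|printf|system|exec|scanf).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|).* [NC]
RewriteRule ^.* - [F]
# Prevent SQL injections
# The four conditions are ORed; the last one (no [OR]) closes the group.
RewriteCond %{QUERY_STRING} UNION([%20\ /\*+]*)ALL([%20\ /\*+]*)SELECT [NC,OR]
RewriteCond %{QUERY_STRING} UNION([%20\ /\*+]*)SELECT [NC,OR]
RewriteCond %{QUERY_STRING} /\* [NC,OR]
RewriteCond %{QUERY_STRING} \*/ [NC]
RewriteRule ^.* - [F]
# Second query-string filter set. The first six conditions are ORed; the
# "_REQUEST" line carries no [OR] and closes that group, so the keyword
# condition after it is ANDed with it: the 403 fires only when one of the six
# matches AND the query also contains one of the listed SQL keywords delimited
# by non-letters. Keep that AND: "..*\/" alone matches the "url=<path>" query
# the routing rule above builds for every nested path on the second pass.
# NOTE(review): because of that second pass, a route whose segment is one of
# the keywords, e.g. "/<controller>/update/<id>", appears to satisfy both
# halves ("url=.../update/...") and be rejected - verify against the
# framework's route names before relying on this block.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} http:.*\/.*\/ [OR]
RewriteCond %{QUERY_STRING} ..*\/ [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Fixed: "[^az]" was a typo for "[^a-z]"; the former let any letter b..y act
# as the word boundary, so e.g. "reset=1" or "offset=10" matched "set".
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]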