Secure .htaccess
# Secure htaccess
### If you run a webserver other than Apache, consider:
### github.com/h5bp/server-configs
# Install APC for caching
# command line: pecl install apc
# For installing a debugger/profiler:
# command line: pecl install xdebug-beta
# PHP flags
# These php_flag/php_value lines are only honoured when PHP runs as mod_php5.
# Under CGI/FastCGI/php-fpm the whole block is skipped and the same settings
# belong in php.ini (or a .user.ini). Settings the PHP manual marks
# PHP_INI_SYSTEM (allow_url_fopen, enable_dl, expose_php) cannot be changed
# from .htaccess at all, so verify the effective values with phpinfo()
# instead of trusting this file.
<IfModule mod_php5.c>
    # Session save path: /tmp is shared with every local account on the host,
    # so session files there can be read or overwritten by other users.
    # Use a directory that is private to this site and NOT served by Apache
    # (storing sessions inside the webroot would expose them unless the
    # directory is also blocked from being served).
    # The directive is commented out; enable it with a real path.
    #php_value session.save_path "/tmp"
    # Upload temp dir has the same concern, but it is PHP_INI_SYSTEM and can
    # only be set in php.ini (the commented line also has a stray "=";
    # php_value takes "name value").
    #php_value upload_tmp_dir = "/tmp"
    # Legacy hardening: magic_quotes_*, register_globals and safe_mode were
    # removed in PHP 5.4 and always_populate_raw_post_data in PHP 7.0; on
    # newer PHP these lines are presumably ignored - confirm on the target.
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_runtime off
    # Remote URLs in include/fopen (PHP_INI_SYSTEM: needs php.ini to be effective)
    php_flag allow_url_fopen off
    php_flag register_globals off
    php_flag always_populate_raw_post_data on
    # No runtime extension loading via dl() (PHP_INI_SYSTEM: needs php.ini)
    php_flag enable_dl off
    #php_flag safe_mode on
    # Log errors, never show them to clients (messages leak paths and code)
    php_flag log_errors on
    # Hide PHP's X-Powered-By banner (PHP_INI_SYSTEM: needs php.ini; the
    # mod_headers "Header unset X-Powered-By" further down is the fallback)
    php_flag expose_php off
    php_flag display_errors off
    php_flag display_startup_errors off
    # OWASP session recommendations
    # gc_maxlifetime 32400 s = 9 h of idle time before a session is collected.
    # entropy_length and hash_function (1 = SHA-1) were removed in PHP 7.1.
    # use_only_cookies stops session ids being accepted from the URL;
    # cookie_httponly keeps the cookie out of reach of script.
    # When the site is served over HTTPS only, also set
    # session.cookie_secure 1 (and session.use_strict_mode 1 on PHP >= 5.5.2).
    php_value session.gc_maxlifetime 32400
    php_value session.entropy_length 32
    php_value session.use_only_cookies 1
    php_value session.hash_function 1
    php_value session.cookie_httponly 1
    # could speedup PHP a lot, but will not recognize file changes. ONLY IN PRODUCTION!
    # See: http://www.php.net/manual/en/apc.configuration.php#ini.apc.stat
    #php_flag apc.stat off
</IfModule>
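# Directory options, relative (+/-) form only. The Options documentation
# warns that mixing an absolute value such as "All" with +/- flags is invalid
# syntax, and "All" would also fail outright on hosts where AllowOverride
# restricts which Options a .htaccess may set.
#   -Indexes            no auto-generated directory listings
#   -ExecCGI -Includes  no CGI or server-side includes from this tree
#   +FollowSymlinks     required for mod_rewrite in .htaccess context
#                       (SymLinksIfOwnerMatch is the stricter alternative)
#   +MultiViews         content negotiation on extension-less URLs
Options -ExecCGI -Includes -Indexes +MultiViews +FollowSymlinks
# Don't expose the Apache version in server-generated pages. The Server
# header itself needs "ServerTokens Prod" in the main server config.
ServerSignature Off
# Use UTF-8 encoding for anything served text/plain or text/html,
# and for the listed extensions
AddDefaultCharset utf-8
AddCharset utf-8 .css .js .xml .json .rss .atom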
<IfModule mod_headers.c>
    # "Header unset Server" has no effect on Apache: the core adds the Server
    # header when the response is sent, after mod_headers has run. Kept as a
    # reminder; use "ServerTokens Prod" in the main server config instead
    # (not permitted in .htaccess).
    Header unset Server
    # Removes PHP's X-Powered-By banner. Useful because expose_php is
    # PHP_INI_SYSTEM and cannot be turned off from .htaccess.
    Header unset X-Powered-By
</IfModule>
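# Protect hidden files from being viewed (.htaccess, .git, .env, editor
# state, ...). <Files .*> matches on the basename only, so dot-directories
# such as .well-known are not affected by this rule.
# Both access-control syntaxes are given so the file works on Apache 2.2
# (Order/Deny) and on Apache 2.4 without mod_access_compat (Require). With
# the 2.2 syntax alone a 2.4 server fails every request in this directory
# with "Invalid command 'Order'".
<Files .*>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny From All
    </IfModule>
</Files>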
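# Protect include files, logs, dumps, config and editor/backup copies from
# being viewed. Two pattern fixes: editor backups end in a bare "~" (file~),
# not ".~", so "~" is matched without the leading dot; and "log" was listed
# twice. <FilesMatch "..."> is the modern spelling of <Files ~ "...">.
# Both access-control syntaxes are given so the file works on Apache 2.2
# (Order/Deny/Satisfy) and on Apache 2.4 without mod_access_compat (Require);
# with the 2.2 directives alone, 2.4 answers 500 for the whole directory.
<Files ~ "(\.(?i:inc|inc\.php|log|phps|sql|ini|cfg|fla|sh|tmp|bak|swp|dist|svn-base)|~)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</Files>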
# Cache static files: 30-day expiry via mod_expires, marked public so shared
# caches may keep them. For Caching info see: http://www.mnot.net/cache_docs/
# Note: a fixed lifetime with no cache-busting means a replaced image/JS/CSS
# file can be served stale for up to 30 days; version the asset URLs if that
# matters.
# ETags are switched off (FileETag None plus the header unset) because
# Apache's default ETag may include the file inode, which differs between
# servers and defeats validation behind a load balancer.
# (The commented FilesMatch variant below is missing its closing ")".)
#<FilesMatch "\.(?i:ico|jpg|jpeg|png|gif|js|css|swf|webp|bmp$">
<Files ~ "\.(?i:ico|jpg|jpeg|png|gif|js|css|swf|webp|bmp)$">
    <IfModule mod_expires.c>
        ExpiresActive on
        ExpiresDefault "access plus 30 days"
    </IfModule>
    <IfModule mod_headers.c>
        Header unset ETag
        Header append Cache-Control "public"
    </IfModule>
    FileETag None
</Files>
#</FilesMatch>
# Vary is important - http://stackoverflow.com/a/14541454/1258484
# Tell caches that these text resources exist in compressed and uncompressed
# variants keyed on Accept-Encoding, so a proxy never hands a gzipped copy
# to a client that did not ask for one.
# (mod_headers appears to accept the trailing colon on "Vary:", but the
# conventional form is "Header append Vary Accept-Encoding".)
<IfModule mod_headers.c>
    #<FilesMatch "\.(?i:js|css|xml|gz|ttf|eot|woff|json|html)$">
    <Files ~ "\.(?i:js|css|xml|gz|ttf|eot|woff|json|html)$">
        Header append Vary: Accept-Encoding
    </Files>
    #</FilesMatch>
</IfModule>
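<IfModule mod_deflate.c>
    # Repair Accept-Encoding headers mangled by some proxies/antivirus
    # products so those clients still get compressed responses.
    # developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
    <IfModule mod_headers.c>
        <IfModule mod_setenvif.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    # Compress text-like responses by media type.
    # Fix: Atom's registered media type is application/atom+xml; the previous
    # "application/atom_xml" is not a real type, so feeds were never compressed.
    # Note: compressing HTML that mixes attacker-controlled input with secrets
    # (e.g. CSRF tokens) is the precondition for compression side-channel
    # attacks (BREACH); keep such pages free of reflected input or exclude
    # them from DEFLATE.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/x-javascript application/rss+xml application/atom+xml text/javascript application/json
    AddOutputFilterByType DEFLATE image/x-icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
</IfModule>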
<IfModule mod_rewrite.c>
    RewriteEngine on
    # Installation directory
    RewriteBase /
    # ---- Request blocklist ----
    # All conditions below are OR-ed; if any one matches, the "[F]" rule after
    # them answers 403. This is a heuristic filter and defence in depth only:
    # substring patterns are easy to avoid and several of them hit legitimate
    # traffic, so it is no substitute for parameterised queries, output
    # encoding and input validation in the application. Review the 403s in
    # the access log after enabling it.
    # Debugging methods that echo the request back to the client
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC,OR]
    # If using WebDAV or REST comment the following line
    # (it also rejects HEAD, which monitors and caches rely on, and OPTIONS,
    # which CORS preflight needs - consider removing those two)
    RewriteCond %{REQUEST_METHOD} ^(HEAD|OPTIONS|PUT|DELETE) [NC,OR]
    # CR/LF or control characters in the request line, Referer or Cookie
    RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
    RewriteCond %{HTTP_REFERER} ^(.*)(%0A|%0D|%00|%01|%08|%7F).* [NC,OR]
    RewriteCond %{HTTP_COOKIE} ^.*(%0A|%0D|%00|%01|%08|%7F).* [NC,OR]
    # Path beginning with angle brackets/quotes, a double slash, or \..\
    RewriteCond %{REQUEST_URI} ^/(<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
    # MySQL system schema names anywhere in the path (and, below, the query)
    RewriteCond %{REQUEST_URI} (information_schema|mysql|performance_schema) [NC,OR]
    # User-agent blocklist. These are plain substrings ("scan", "email",
    # "loader", "extract") and will match some legitimate agents.
    RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00|%01|%08|%7F).* [NC,OR]
    # Control characters in the query string
    RewriteCond %{QUERY_STRING} ^.*(%0A|%0D|%00|%01|%08|%7F).* [NC,OR]
    # A quote/bracket/semicolon followed later by an SQL keyword. The keyword
    # list includes "or", "and", "if" and "set", so any query containing a
    # quote plus ordinary English text is rejected as well.
    RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\;|\'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark|or|and|if).* [NC,OR]
    RewriteCond %{QUERY_STRING} (information_schema|mysql|performance_schema) [NC,OR]
    # Loopback references in parameters ("localhost" is repeated in the
    # base64_encode line further down)
    RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
    # Quoted angle brackets, javascript: and <script> in parameters
    RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
    RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
    # Backslash, ../ traversal, backtick, or a parameter ending in a lone quote
    RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
    # Common PHP code-injection and local-file probe strings
    RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig|eval) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
    # Attempts to set PHP superglobals through the query string
    RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
    RewriteRule .* - [F]
    # Alternative to the bare 403: presumably meant to replace the [F] rule
    # and route blocked requests to error.php instead
    #RewriteCond %{REQUEST_URI} !error\.php
    #RewriteRule .* error.php/$0 [PT]
    # Copy the conditional-request headers into environment variables;
    # presumably so PHP still sees them when it runs as CGI/FastCGI, where
    # they are not passed through - TODO confirm that is the reason
    RewriteRule .* - [E=HTTP_IF_MODIFIED_SINCE:%{HTTP:If-Modified-Since}]
    RewriteRule .* - [E=HTTP_IF_NONE_MATCH:%{HTTP:If-None-Match}]
    # SSL force
    # When enabling, add [R=301,L] so the redirect is explicit, and pair it
    # with a Strict-Transport-Security header once HTTPS is stable.
    #RewriteCond %{HTTPS} off
    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    # Protect application and system files from being viewed
    # Requests into these directories are handed to the front controller
    # rather than served as files; this relies on index.php refusing such
    # paths - verify. The "build" prefix is denied outright ([F]).
    RewriteRule ^(?:application|database|modules|system)\b.* index.php/$0 [L]
    RewriteRule ^build.*? - [F,L]
    # Allow any files or directories that exist to be displayed directly
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !index\.php
    # Rewrite all other URLs to index.php/URL
    RewriteRule .* index.php/$0 [PT,L]
</IfModule>