@syntaqx
Created June 24, 2022 20:07
/etc/apache2/security
# ----------------------------------------------------------------------
# | File access |
# ----------------------------------------------------------------------
# Block access to directories without a default document.
#
# You should leave the following uncommented, as you shouldn't allow anyone to
# surf through every directory on your server (which may include rather
# private places such as the CMS's directories).
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to all hidden files and directories except for the
# visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved state
# of a utility, and can include rather private places like, for example, the
# `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible content
# should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be left by some
# text editors and can pose a security risk when anyone has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `<FilesMatch>` regular expression below to include any
# files that might end up on your production server and can expose
# sensitive information about your website. These files may include:
# configuration files, files that contain metadata about the project (e.g.:
# project dependencies, build scripts, etc.).
<IfModule mod_authz_core.c>
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
Require all denied
</FilesMatch>
# Dots are escaped and the pattern is anchored so that only these exact
# file names match (an unescaped `.` would match any character).
<FilesMatch "^(composer\.json|composer\.lock|installed\.json|package\.json|package-lock\.json|README\.md)$">
Require all denied
</FilesMatch>
# Match the `.github` and `.build` directories themselves (as a whole path
# component), not any path that happens to contain "github" or "build".
<DirectoryMatch "(^|/)\.(github|build)(/|$)">
Require all denied
</DirectoryMatch>
</IfModule>
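To check what this configuration will actually block before deploying it, the following added example (not part of the gist) evaluates the same regular expressions against constructed request paths. It approximates Apache's matching: the `RewriteRule` is applied to the URI, `<FilesMatch>` to the file's basename and `<DirectoryMatch>` to the directory part; the `exists` flag stands in for the `-d [OR] -f` conditions, and the two literal-name patterns use the escaped, anchored form those rules intend.

```python
import posixpath
import re

# Patterns copied from the Apache config above (PCRE syntax that Python's re accepts).
WELL_KNOWN = re.compile(r"(^|/)\.well-known/([^./]+./?)+$", re.IGNORECASE)   # [NC]
HIDDEN = re.compile(r"(^|/)\.")
SENSITIVE_FILES = re.compile(
    r"(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$")
PROJECT_FILES = re.compile(
    r"^(composer\.json|composer\.lock|installed\.json|package\.json|package-lock\.json|README\.md)$")
BLOCKED_DIRS = re.compile(r"(^|/)\.(github|build)(/|$)")


def is_blocked(uri: str, exists: bool = True) -> bool:
    """Return True if the config would answer this request path with 403.

    `exists` models the `-d [OR] -f` RewriteConds: the dot-file rule only
    fires when the requested path really is a file or directory on disk.
    """
    # Rule 1: hidden files/directories, except visible content under /.well-known/.
    if exists and HIDDEN.search(uri) and not WELL_KNOWN.search(uri):
        return True
    # Rule 2: <FilesMatch> is evaluated against the basename of the requested file.
    name = posixpath.basename(uri)
    if SENSITIVE_FILES.search(name) or PROJECT_FILES.search(name):
        return True
    # Rule 3: <DirectoryMatch> is evaluated against the directory path.
    if BLOCKED_DIRS.search(posixpath.dirname(uri)):
        return True
    return False


def check_paths(paths):
    """Map each constructed path to the decision, for a quick pre-deployment review."""
    return {uri: is_blocked(uri, exists) for uri, exists in paths}


if __name__ == "__main__":
    # Constructed sample requests; the second tuple element is "does it exist on disk".
    samples = [
        ("/.git/config", True),
        ("/.well-known/acme-challenge/token123", True),
        ("/.well-known/.secret", True),
        ("/wp-config.php.bak", True),
        ("/composer.json", True),
        ("/.github/workflows/ci.yml", False),
        ("/#config.php#", True),
        ("/index.php", True),
    ]
    for uri, blocked in check_paths(samples).items():
        print(f"{'403' if blocked else '200':>4}  {uri}")
```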