PHP Classes
elePHPant
Icontem

File: .htaccess

Recommend this page to a friend!
  Classes of Marco Cesarato  >  PHP AIO Security Class  >  .htaccess  >  Download  
File: .htaccess
Role: Auxiliary data
Content type: text/plain
Description: Auxiliary data
Class: PHP AIO Security Class
Filter untrusted data to prevent security issues
Author: By
Last change: Disabled on htacess OPTIONS and TRACE Methods
Date: 1 month ago
Size: 2,522 bytes
 

Contents

Class file image Download
# htaccess
# @author: Marco Cesarato <cesarato.developer@gmail.com>

IndexIgnore *
Options All -Indexes

# Hide server informations
ServerSignature Off

#LimitRequestBody 10240000

# Security php settings
#php_flag expose_php off
#php_flag allow_url_fopen off
#php_flag magic_quotes_gpc  off
#php_flag register_globals off
#php_flag session.cookie_httponly on
#php_flag session.use_only_cookies on

# Headers protection/improvements
<IfModule mod_headers.c>

    # Hide server informations
    Header always unset X-Powered-By
    Header unset X-Powered-By

    # XSS Protection
    Header set X-XSS-Protection "1; mode=block"
    # Clickjacking
    Header set X-Frame-Options "sameorigin"

    Header set Accept-Encoding "gzip, deflate"
    Header set Cache-Control "max-age=15552000, must-revalidate"

    Header set Referer-Policy "origin"
    Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
    Header set X-UA-Compatible "IE=edge,chrome=1"
    Header set X-Permitted-Cross-Domain-Policies "master-only"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Download-Options "noopen"
    Header set Access-Control-Allow-Methods "GET, POST"
    # Content policy
    #Header set Content-Security-Policy "default-src 'self'"
    Header set Content-Security-Policy "default-src 'self'; script-src * 'unsafe-inline' 'unsafe-eval'; style-src * 'unsafe-inline'; img-src * data:; font-src * data:; object-src 'self'"

</IfModule>

<IfModule mod_rewrite.c>

    # Enable URL Rewriter
    RewriteEngine On
    Options +FollowSymlinks
    Options +SymLinksIfOwnerMatch

    RewriteCond %{REQUEST_METHOD} ^(TRACE|OPTIONS)
    RewriteRule .* ? [F]

    # HTTPS
    #RewriteCond %{HTTPS} !on
    #RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    # URL Rewrite
    # Remove comment from here if you use a url rewriter
    #RewriteBase /
    #RewriteRule ^index\.php$ - [L]
    #RewriteCond %{REQUEST_FILENAME} !-f
    #RewriteCond %{REQUEST_FILENAME} !-d
    #RewriteRule . index.php [L]

    RewriteRule .*\.git.* index.php [L]
    RewriteRule .*\.svn.* index.php [L]
    RewriteRule .*\.hg.* index.php [L]

</IfModule>

# File protection
<Files ~ "^(config)\.php">
  Order Allow,Deny
  Deny from all
</Files>
<Files ~ "^.*\.([Hh][Tt][Aa])">
  Order Allow,Deny
  Deny from all
  Satisfy all
</Files>

# Robots file protection
<Files ~ "\.pdf$">
  Header set X-Robots-Tag "noindex, nofollow"
</Files>
<Files ~ "\.(png|jpe?g|gif|bmp|psd)$">
  Header set X-Robots-Tag "noindex"
</Files>