-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy path.htaccess
125 lines (99 loc) · 4.04 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# Disable directory browsing
Options FollowSymLinks
# Prevent directory listing
IndexIgnore *
# ----------------------------------------------------------------------
# Protecting files that give away sensitive information
# ----------------------------------------------------------------------
# Deny access to filenames starting with dot(.)
<FilesMatch "^\.">
Require all denied
</FilesMatch>
# Deny access to sensitive files
<FilesMatch "^composer*|^build*|^README.md|^php*">
Require all denied
</FilesMatch>
# ----------------------------------------------------------------------
# Rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
<IfModule mod_rewrite.c>
RewriteEngine On
Options All -Indexes
Options +FollowSymlinks
# If you installed CodeIgniter in a subfolder, you will need to
# change the following line to match the subfolder you need.
# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
RewriteBase /
RewriteRule ^index/(.+?)/$ index.php?page=$1 [L,QSA]
# skip all files and directories from rules below
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -l
RewriteRule ^ - [L]
# Prevent loops
RewriteCond %{REQUEST_URI} !index\.php [NC]
RewriteCond %{REQUEST_URI} ^/([^/]+)/([^/]+)/? [NC]
RewriteRule .* %1/index.php?page=%2 [L]
# Checks to see if the user is attempting to access a valid file,
# such as an image or css document, if this isn't true it sends the
# request to the front controller, index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [L]
# Ensure Authorization header is passed along
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny Access to Hidden Files and Directories
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
# Deny access to sensitive directories
RewriteRule (^|/)Install(/|$) - [F]
RewriteRule (^|/).git(/|$) - [F]
RewriteRule (^|/)tests(/|$) - [F]
RewriteRule (^|/)vendor(/|$) - [F]
# Deny access to sensitive URL paths
RewriteRule ^.git$ - [F]
RewriteRule ^tests$ - [F]
RewriteRule ^Install$ - [F]
RewriteRule ^vendor$ - [F]
# Disallow access to vendor directory
RewriteRule ^vendor/(.*)?$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]
# Disabling TRACE Method to prevent access to sensitive header information
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
</IfModule>
# Extra Security Headers
<IfModule mod_headers.c>
# Protect against page-framing and click-jacking
Header always set X-Frame-Options "SAMEORIGIN"
# Protect against XSS attacks
Header set X-XSS-Protection "1; mode=block"
# Protect against content-sniffing
Header set X-Content-Type-Options "nosniff"
# Session Hijacking Prevention
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Strict-Transport-Security for MITM prevention
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Referrer Policy
Header set Referrer-Policy "same-origin"
# Preventing Mixed content from loading insecure stylesheet over HTTPS and Implementing other Content Security Policy features
#Header add Content-Security-Policy "script-src 'self' https://googleapis.com/; frame-ancestors 'self'; upgrade-insecure-requests;"
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [NC,R,L]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
ErrorDocument 404 index.php
</IfModule>
# Disable server signature start
ServerSignature Off
# Disable server signature end
#Setting Max Upload File start
php_value upload_max_filesize 16M
php_value post_max_size 16M
#Setting Max Upload File end