-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.htaccess
185 lines (167 loc) · 5.63 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
## App rewrite
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
## Hotlinking protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?gen.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F,NC,L]
</IfModule>
## URL protection
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>
## WebP image
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_ACCEPT} image/webp
RewriteCond %{DOCUMENT_ROOT}/$1.webp -f
RewriteRule (.+)\.(jpe?g|png)$ $1.webp [T=image/webp,E=accept:1]
</IfModule>
<IfModule mod_headers.c>
Header append Vary Accept env=REQUEST_image
</IfModule>
<IfModule mod_mime.c>
AddType image/webp .webp
</IfModule>
## Redirection limit
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{ENV:REDIRECT_COUNT} <2
RewriteRule ^ - [E=REDIRECT_COUNT:%{ENV:REDIRECT_COUNT}1]
RewriteCond %{ENV:REDIRECT_COUNT} >=2
RewriteRule ^ public/page/error.html [L]
</IfModule>
## UTF-8 encoding
AddDefaultCharset utf-8
AddCharset utf-8 .atom .css .js .json .rss .xml
## Index protection
Options All -Indexes
## Script protection
AddHandler cgi-script .php3 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
## Folder protection
<IfModule mod_headers.c>
<FilesMatch "^\.git|\.svn|\.cvs|\.vscode|\.idea|node_modules|vendor|logs|backups">
Order deny,allow
Deny from all
</FilesMatch>
</IfModule>
## File protection
<IfModule mod_headers.c>
<FilesMatch "\.(sh|pl|py|rb|cgi|dat|exe|conf|ini|sql)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "\.(zip|tar|tar\.gz|rar|7z)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(global|config)\.json$">
Order allow,deny
Deny from all
</FilesMatch>
</IfModule>
## CORS protection
<IfModule mod_headers.c>
Header always set Access-Control-allow-Origin "*"
Header always set Access-Control-allow-Methods "POST, GET"
Header always set Access-Control-allow-Headers: Authorization
</IfModule>
## Content-sniffing protection
<IfModule mod_headers.c>
Header set X-Content-Type-Options "nosniff"
</IfModule>
## XSS protection
<IfModule mod_headers.c>
Header set X-XSS-Protection: "1; mode=block"
</IfModule>
## Cookie protection
# <ifmodule mod_headers.c>
# Header edit Set-Cookie ^(.*)$ "$1;{HttpOnly};{Secure};{SameSite=Strict}"
# </ifmodule>
# <IfModule mod_php.c>
# php_flag session.cookie_httponly on
# php_flag session.cookie_secure on
# </IfModule>
## Methods limit
<Limit GET POST HEAD>
Order allow,deny
Allow from all
</Limit>
## PATCH PUT DELETE COPY CONNECT TRACE OPTIONS
<LimitExcept PATCH PUT DELETE>
Order deny,allow
Deny from all
</LimitExcept>
## Bot protection
SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures) HTTP_SAFE_BADBOT
SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spiderman) HTTP_SAFE_BADBOT
Deny from env=HTTP_SAFE_BADBOT
## Compression
# <IfModule mod_deflate.c>
# <FilesMatch "\.(html|php|txt|xml|js|css)$">
# SetOutputFilter DEFLATE
# </FilesMatch>
# SetOutputFilter DEFLATE
# ## Exclude images
# SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
# AddOutputFilterByType DEFLATE application/javascript
# AddOutputFilterByType DEFLATE application/rss+xml
# AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
# AddOutputFilterByType DEFLATE application/x-font
# AddOutputFilterByType DEFLATE application/x-font-opentype
# AddOutputFilterByType DEFLATE application/x-font-otf
# AddOutputFilterByType DEFLATE application/x-font-truetype
# AddOutputFilterByType DEFLATE application/x-font-ttf
# AddOutputFilterByType DEFLATE application/x-javascript
# AddOutputFilterByType DEFLATE application/xhtml+xml
# AddOutputFilterByType DEFLATE application/xml
# AddOutputFilterByType DEFLATE font/opentype
# AddOutputFilterByType DEFLATE font/otf
# AddOutputFilterByType DEFLATE font/ttf
# AddOutputFilterByType DEFLATE image/svg+xml
# AddOutputFilterByType DEFLATE image/x-icon
# AddOutputFilterByType DEFLATE text/css
# AddOutputFilterByType DEFLATE text/html
# AddOutputFilterByType DEFLATE text/javascript
# AddOutputFilterByType DEFLATE text/plain
# AddOutputFilterByType DEFLATE text/xml
# </IfModule>
## Caching
# <IfModule mod_expires.c>
# ExpiresActive On
# ExpiresByType image/jpg "access 1 year"
# ExpiresByType image/jpeg "access 1 year"
# ExpiresByType image/gif "access 1 year"
# ExpiresByType image/png "access 1 year"
# ExpiresByType text/css "access 1 month"
# ExpiresByType text/html "access 1 month"
# ExpiresByType application/javascript "access plus 1 year"
# ExpiresByType application/pdf "access 1 month"
# ExpiresByType text/x-javascript "access 1 month"
# ExpiresByType image/x-icon "access plus 1 year"
# ExpiresDefault "access 1 month"
# </IfModule>
## PHP
# <FilesMatch \.php$>
# SetHandler application/x-httpd-php82
# </FilesMatch>
# AddHandler application/x-httpd-php82 .php
# suPHP_ConfigPath /gen.com/php.ini