<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Monstra
#
# The four RewriteCond lines below form one OR-chain (each carries [OR] except
# the last, which closes it). A RewriteCond only governs the RewriteRule that
# immediately follows it, so the order of these lines must not be changed.
# %{QUERY_STRING} is matched as the client sent it (not URL-decoded), which is
# why some patterns spell out encoded forms such as %3C explicitly.
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
# [NC] makes this one condition case-insensitive; the other three are
# case-sensitive.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden. With the [F] flag the substitution ("index.php") is
# ignored, so the homepage is NOT shown; the client receives the server's
# standard 403 response. These are coarse signature checks and do not replace
# input validation inside the application.
RewriteRule .* index.php [F,L]
#
# Front controller: a request that does not name an existing file ...
RewriteCond %{REQUEST_FILENAME} !-f
# ... or an existing directory ...
RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule ^([^\.]+)$ $1.php [NC,L]
# RewriteRule ^(.+)\.php$ /$1 [R,L]
# RewriteCond %{REQUEST_FILENAME}/index.html !-f
# ... and has no index.php of its own in that path ...
RewriteCond %{REQUEST_FILENAME}/index.php !-f
#
# RewriteRule (.*?)index\.php/*(.*) /$1$2 [R=301,NE,L]
# ... is handed to the root index.php; [QSA] preserves the original query
# string so the application still sees the request parameters.
RewriteRule ^ index.php [QSA,L]
# RewriteRule . index.php [L]
# Legacy URL redirects. "Redirect" is a mod_alias directive; because it sits
# inside this <IfModule mod_rewrite.c> block it is silently skipped when
# mod_rewrite is not loaded. NOTE(review): Redirect matches the given path and
# everything beneath it (additional path information is appended to the
# target), e.g. /system/... as well as /system. If only the exact paths are
# meant, RedirectMatch with an anchored pattern is stricter - confirm intent.
Redirect 301 "/home" "/"
Redirect 301 "/inicio" "/"
Redirect 301 "/system" "/admin"
Redirect 301 "/login" "/signin"
</IfModule>
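<IfModule mod_headers.c>
# Security response headers.
# "always" makes a header apply to error responses (4xx/5xx) as well as to
# successful ones; without it the header is only added on success.
#
# HSTS for two years, including subdomains. NOTE: "preload" signals
# eligibility for browser preload lists; keep it only if every subdomain is
# reachable over HTTPS, since removal from those lists is slow.
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Make sure proxies don't deliver the wrong content to a different client type.
Header append Vary User-Agent env=!dont-vary
# Clickjacking protection. Use "set", not "append": appending yields
# "SAMEORIGIN, SAMEORIGIN" when another layer already emitted the header, and
# browsers handle a multi-valued X-Frame-Options header inconsistently
# (ignored by some, treated as a conflict by others).
Header always set X-Frame-Options SAMEORIGIN
# A single Content-Security-Policy header carrying both the source policy and
# upgrade-insecure-requests. The previous configuration emitted two CSP
# headers (one via "always set", one via plain "set", so error pages only got
# the second one); browsers enforce every CSP header they receive, but one
# merged policy is easier to audit. 'unsafe-inline' in script-src weakens the
# XSS protection CSP offers; a nonce- or hash-based policy would be stricter
# once the application can emit one.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"
# Legacy XSS auditor header. Modern browsers have removed the auditor and
# ignore this header; it is kept unchanged for older clients, with CSP above
# as the actual protection.
Header set X-XSS-Protection "1; mode=block"
# Stop browsers from sniffing a response into a different MIME type.
Header set X-Content-Type-Options nosniff
# NOTE(review): a wildcard CORS origin on every response lets any website read
# all public content of this site cross-origin. Narrow it to the origins that
# need it unless this deployment is intentionally a public API.
Header set Access-Control-Allow-Origin "*"
</IfModule>
# Directory-listing controls. These are not mod_headers directives and must not
# depend on mod_headers being loaded, which is why they sit outside the block
# above. IndexIgnore belongs to mod_autoindex, so guard it on that module
# (an unknown directive would otherwise break the whole .htaccess).
<IfModule mod_autoindex.c>
IndexIgnore *.zip *.css *.js *.pyt
</IfModule>
# Core directives: disable automatic index listings and content negotiation
# on file names (MultiViews can expose alternative files you did not link to).
Options -MultiViews -Indexes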
<IfModule mod_security.c>
# NOTE(review): the SecFilter* directives below belong to ModSecurity 1.x.
# ModSecurity 2.x registers itself as mod_security2.c and uses SecRule instead,
# so on a 2.x host this whole block is skipped silently and adds no filtering.
# Confirm which version, if any, the server actually runs.
SecFilterEngine On
# ^Turn the filtering engine On or Off
SecFilterScanPOST On
# ^Should mod_security inspect POST payloads
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# ^Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilter "../"
# ^Prevent path traversal (..) attacks
SecFilter "<[[:space:]]*script"
# ^Weaker XSS protection but allows common HTML tags
SecFilter "<(.|n)+>"
# ^Prevent XSS attacks (HTML/Javascript injection). This rejects ANY
# angle-bracketed text anywhere in the request (the literal "n" alternative
# looks like a typo for a newline escape - confirm), so legitimate form
# submissions containing "<...>" are blocked as well.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "drop[[:space:]]table"
# ^Very crude filters to prevent SQL injection attacks. Expect false
# positives on ordinary prose (e.g. "select one from the list").
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# ^Protecting from XSS attacks through the PHP session cookie.
# NOTE(review): this only accepts lowercase alphanumerics; PHP configured with
# session.sid_bits_per_character=6 also emits uppercase letters, "," and "-",
# in which case valid sessions would be rejected - confirm the PHP settings.
SecFilterDefaultAction "deny,log,status:500"
# ^Action to take by default. Blocked requests are reported as 500 Internal
# Server Error, which makes them indistinguishable from genuine server faults
# in logs and monitoring; 403 is the conventional status for a denied request.
</IfModule>
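# Block access to backup and source files.
# These files may be left by some text editors and can pose a great security
# danger when anyone has access to them.
# The dot before the extension list is escaped ("\."): an unescaped "." matches
# any character, so the original pattern also denied files whose names merely
# end in one of the listed strings (e.g. "blog", "english", "mini") instead of
# only files with those extensions. "^#.*#" and "~" catch editor autosave and
# backup copies.
<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    # Apache 2.2 access control (also accepted by 2.4 when mod_access_compat
    # is loaded). Without this guard the 2.2-only directives are unknown on a
    # plain 2.4 server and break the entire .htaccess.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
    # Apache 2.4 access control.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</FilesMatch>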