@JohannesDeml
Last active October 21, 2022 11:02
.htaccess WordPress config with convenience, security and caching in mind
# Secure HTACCESS wordpress config - https://gist.github.com/JohannesDeml/f714e47d6c6ea885f45f70bd34d927f8
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# BEGIN HTTP security settings
# Syntax note: a Header directive takes the header name without a colon and the value in
# quotes; "always" also sends the header on error responses (4xx/5xx). As originally written
# (colons after the names, an unquoted value, a bare "Feature-Policy:" line) Apache rejects
# the file and the site answers 500. The IfModule guard avoids the same failure on hosts
# without mod_headers.
<IfModule mod_headers.c>
# Keep "preload" only if you intend to submit the domain to the HSTS preload list; it is hard to undo.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Caveats: script-src https://* 'unsafe-inline' 'unsafe-eval' permits scripts from any HTTPS
# origin plus inline code and eval, which is exactly what CSP exists to prevent; tighten it to
# the origins your theme and plugins actually use once you know them. default-src 'none' with
# no media-src blocks <audio>/<video> elements, so add media-src 'self' if the site serves media.
# 'unsafe-inline' is not a valid source for frame-src or form-action and has been removed.
Header always set Content-Security-Policy "default-src 'none'; img-src https://* data:; font-src https://* data:; connect-src 'self'; frame-src https://*; manifest-src 'self'; object-src 'self'; script-src https://* 'unsafe-inline' 'unsafe-eval'; style-src https://* 'unsafe-inline'; worker-src 'self'; block-all-mixed-content; upgrade-insecure-requests; base-uri 'self'; form-action https://*;"
# Feature-Policy has been renamed Permissions-Policy with a new syntax; newer browsers expect the new header.
Header always set Feature-Policy "autoplay 'none'; camera 'none'; document-domain 'self'; encrypted-media 'self'; fullscreen 'self'; geolocation 'none'; microphone 'none'; midi 'none'; payment 'none'; vr 'none'"
Header always set Referrer-Policy "same-origin"
# X-XSS-Protection is deprecated and ignored by current browsers; the Content-Security-Policy above is the real control.
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
# END HTTP security settings
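The header set above leaves two common gaps: nothing stops MIME sniffing, and nothing restricts who may frame the site, because the Content-Security-Policy has no frame-ancestors directive. The following block is an added example, not part of the original gist, that supplies those headers and the Permissions-Policy successor of Feature-Policy. It assumes mod_headers is loaded and that the site has no legitimate need to be framed by other origins.

```apache
# BEGIN additional HTTP security headers (added example, not from the original gist)
<IfModule mod_headers.c>
    # Prevent browsers from sniffing a response into another MIME type, e.g. treating an
    # uploaded "image" as HTML or script.
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking protection. The CSP in this file has no frame-ancestors directive, so
    # nothing prevents another site from framing the login or admin pages. frame-ancestors is
    # the modern control; X-Frame-Options covers browsers that only honour the older header.
    # "append" on an existing CSP header yields a comma-separated second policy, and browsers
    # enforce every policy they receive, so the main policy is unaffected.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always append Content-Security-Policy "frame-ancestors 'self'"

    # Permissions-Policy is the successor of Feature-Policy with a different syntax; this
    # mirrors the Feature-Policy values used in this file (vr became xr-spatial-tracking).
    # Send both while older browsers are still in use.
    Header always set Permissions-Policy "autoplay=(), camera=(), document-domain=(self), encrypted-media=(self), fullscreen=(self), geolocation=(), microphone=(), midi=(), payment=(), xr-spatial-tracking=()"
</IfModule>
# END additional HTTP security headers
```

After uploading, confirm the headers actually arrive with something like curl -sI https://your-site/ and check that X-Content-Type-Options, X-Frame-Options, Permissions-Policy and both Content-Security-Policy values are present on a normal page and on a 404.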
# BEGIN Caching - Source: https://gist.github.com/solancer/a51cf728a119a16f4c6ce494864a2d47
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
# CSS
ExpiresByType text/css "access plus 1 year"
# Data interchange
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
# HTML
ExpiresByType text/html "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
# Manifest files
ExpiresByType application/manifest+json "access plus 1 year"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Media files
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# Web fonts
# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"
# OpenType
ExpiresByType font/opentype "access plus 1 month"
# TrueType
ExpiresByType application/x-font-ttf "access plus 1 month"
# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 "access plus 1 month"
# Other
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
# END Caching
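Beyond headers and caching, an .htaccess for WordPress usually also closes off direct access to a handful of sensitive paths. The following block is an added example, not part of the original gist, that denies requests to wp-config.php, the .htaccess file itself, the XML-RPC endpoint and the version-disclosing readme/license files, disables directory listings, and refuses to execute PHP placed under wp-content/uploads, the usual landing spot for a webshell dropped through a vulnerable plugin or upload form. It assumes Apache 2.4 (mod_authz_core) with a 2.2 fallback, the standard WordPress directory layout, an AllowOverride that permits Options, AuthConfig and Limit (shared hosts normally set AllowOverride All), and that the site does not depend on XML-RPC (Jetpack and the WordPress mobile apps do).

```apache
# BEGIN WordPress file-access hardening (added example, not from the original gist)
# Directory listings leak the plugin/theme inventory and upload contents.
# Needs AllowOverride Options (or All); drop the line if the host refuses it (500 error).
Options -Indexes

# Deny direct requests to files that must never be served: the configuration (database
# credentials), this .htaccess, the XML-RPC endpoint (login brute-force amplification; remove
# xmlrpc\.php from the list if Jetpack or the mobile apps are in use), and the readme/license
# files that reveal the installed WordPress version.
<FilesMatch "^(wp-config\.php|\.htaccess|xmlrpc\.php|readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Refuse to execute PHP under wp-content/uploads. Uploads should only ever be static media, so
# a .php (or .phtml/.phar, any case, even with a trailing extension such as shell.php.jpg)
# there is almost always a dropped webshell. The rule matches existing files, which the
# WordPress front controller earlier in this file leaves alone, so it works in this position.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/uploads/.*\.(php[0-9]?|phtml|phar)(\.|$) - [F,L,NC]
</IfModule>
# END WordPress file-access hardening
```

To verify, request /wp-config.php, /xmlrpc.php and a throw-away /wp-content/uploads/test.php (delete it afterwards); each should answer 403, and /wp-content/uploads/ should no longer return a file listing.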

.htaccess for WordPress

Installation

  • Open an FTP client (e.g. Cyberduck) and connect to your server; prefer SFTP or FTPS over plain FTP, which sends your credentials and the file in the clear
  • Enable "Show hidden files" (View -> Show Hidden Files, Ctrl+Shift+R), since dotfiles such as .htaccess are hidden by default
  • Back up the existing .htaccess, then overwrite the one in the root directory of your WordPress installation

WordPress regenerates everything between the "# BEGIN WordPress" and "# END WordPress" markers whenever the permalink settings are saved, so custom rules belong outside those markers, as in this file. If the site answers 500 after the upload, restore the backup and check the Apache error log; the usual causes are a module the host has not enabled (mod_headers, mod_expires) or an AllowOverride restriction.

Environment

  • WordPress 5.3 on GreenGeeks with PHP 7.2