HTACCESS Functions Template
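# Set Security Headers
# "Header always" also applies to error responses (4xx/5xx), which is what we
# want for security headers; plain "Header set" would skip them.
<IfModule mod_headers.c>
# -- START HSTS HEADER SPECIFICATION --
# UNCOMMENT ONLY ONE
# ------------------
# The expr= condition sends HSTS only on TLS responses: RFC 6797 forbids the
# header on plain HTTP, and browsers ignore it there anyway.
# CAVEAT: behind a TLS-terminating proxy/CDN %{HTTPS} may be 'off' even for
#         HTTPS visitors, so the header would never be sent.
# CAVEAT: includeSubDomains commits EVERY subdomain (dev, intranet, mail, ...)
#         to HTTPS for max-age. Start with a short max-age (e.g. 300) while
#         testing and raise it only once every subdomain works over HTTPS.
## NON-PRELOAD - Initial implementation / testing period (PRELOAD is hard to undo)
#Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
## PRELOAD - Use this if you're sure you want to "lock this in"
## Requires submission at hstspreload.org (max-age >= 1 year, includeSubDomains);
## removal from the list takes months to reach installed browsers.
#Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
# -- END HSTS HEADER SPECIFICATION --
# -- START CSP HEADER CONFIGURATION --
## WARNING: Enabling this rule can break the site in various ways if not 100% correct.
## NOTE: Run spider / bot to get a list of valid sources before enabling this!
## NOTE: Roll out as Content-Security-Policy-Report-Only (same value) first and
##       watch the browser console / report endpoint before enforcing.
## CAVEAT: 'unsafe-inline' in script-src lets any injected <script> execute, so
##         the policy gives little XSS protection until inline scripts are moved
##         to files or allowed via nonces/hashes. 'unsafe-inline' in style-src is
##         a smaller risk (CSS injection / data exfiltration via CSS).
## object-src / base-uri / frame-ancestors close common bypasses (plugin
## content, <base> hijacking, clickjacking). frame-ancestors supersedes
## X-Frame-Options in CSP2-capable browsers.
## The trailing expr= applies the header only to the listed response types.
#Header always set Content-Security-Policy "default-src 'self' https://www.example.com; \
#script-src 'self' 'unsafe-inline' https://www.example2.com https://www.example3.com; \
#style-src 'self' 'unsafe-inline' 'unsafe-hashes' https://www.example.com; \
#font-src 'self' https://www.example.com; \
#object-src 'none'; \
#base-uri 'self'; \
#frame-ancestors 'self'; \
#upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
# -- END CSP HEADER CONFIGURATION --
# Additional Security Headers
## CORS: send Access-Control-Allow-Origin ONLY if another origin really needs to
## read responses from this site. The value must be "*" or ONE exact origin
## (scheme://host[:port]) - any other string is invalid and rejected by browsers.
## Never reflect the request's Origin header blindly, and never combine "*" with
## Access-Control-Allow-Credentials. Same-origin pages need no CORS header.
#Header always set Access-Control-Allow-Origin "https://app.example.com"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
## Permissions-Policy: an empty value is a no-op. Deny powerful browser features
## the site does not use; remove any entry the site legitimately needs.
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
## Stops browsers from MIME-sniffing (e.g. treating an upload as script).
Header always set X-Content-Type-Options "nosniff"
## Kept for legacy browsers; CSP frame-ancestors is the modern control.
Header always set X-Frame-Options "SAMEORIGIN"
## The legacy browser XSS auditor has been removed from current browsers and,
## where it still exists, can itself be abused to leak page content. "0"
## explicitly disables it (current OWASP guidance); rely on CSP instead.
Header always set X-XSS-Protection "0"
</IfModule>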
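# Set compression directives
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
# (WOFF/WOFF2 and raster images are already compressed - do not add them here.)
# CAVEAT (BREACH): compressing dynamic HTML that reflects attacker-controlled
# input next to a secret (CSRF token, session data) lets an attacker recover
# the secret from response sizes. Mitigate with per-request masked/randomised
# tokens, or exclude such responses from compression.
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
# These make the encoding depend on the User-Agent, hence the Vary below.
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
# mod_deflate adds "Vary: Accept-Encoding" itself; User-Agent is appended only
# because of the BrowserMatch rules above.
# NOTE: Vary: User-Agent effectively defeats shared caches (CDN/proxy). If
#       Netscape 4 / old IE do not matter, drop the three BrowserMatch lines
#       and this header.
# "Header" belongs to mod_headers, not mod_deflate: left unguarded, a server
# without mod_headers rejects the directive and the whole .htaccess fails
# (HTTP 500 for every request), so it gets its own IfModule.
<IfModule mod_headers.c>
Header append Vary User-Agent
</IfModule>
</IfModule>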
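# Set file caching directives
<IfModule mod_expires.c>
ExpiresActive On
# mod_expires emits both "Expires" and "Cache-Control: max-age=N" based on the
# response's final MIME type, so the types below must match what Apache really
# assigns (check AddType / mime.types, especially for fonts).
## ONLY UNCOMMENT LINES THAT APPLY TO CONTENT FOR A GIVEN SITE!
## PROCESSING LONG .htaccess FILES CAN BE EXPENSIVE
## AND SLOW DOWN CONTENT DELIVERY!
## DYNAMIC CONTENT - NO CACHING!
## NOTE: "access plus 0 seconds" only means "stale immediately" (max-age=0);
##       the response may still be stored and shown from browser history or the
##       back/forward cache. Pages carrying personal or session data should
##       additionally send Cache-Control "no-store" (from the application or
##       via mod_headers).
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType application/json "access plus 0 seconds"
## Main Resources
## NOTE: Cache-Busting plan is REQUIRED for this!
##       With a one-year lifetime a vulnerable script stays in visitors' caches
##       until its URL changes (hash or version in the filename / query).
ExpiresByType text/css "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
## Font files
## NOTE: Updates to files should have new names otherwise Cache-Busting is required!
## application/font-woff is the legacy WOFF type; newer Apache mime.types use
## the IANA types font/woff and font/woff2 (RFC 8081), so all three are listed.
ExpiresByType application/font-woff "access plus 1 year"
ExpiresByType font/woff "access plus 1 year"
ExpiresByType font/woff2 "access plus 1 year"
#ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
#ExpiresByType application/x-font-ttf "access plus 1 year"
## Image Files
## NOTE Cache-Busting plan is REQUIRED for this!
#ExpiresByType image/gif "access plus 1 year"
#ExpiresByType image/png "access plus 1 year"
#ExpiresByType image/jpg "access plus 1 year"
#ExpiresByType image/jpeg "access plus 1 year"
#ExpiresByType image/svg+xml "access plus 1 year"
## Audio / Video Files
## NOTE: Updates to files should have new names otherwise Cache-Busting is required!
#ExpiresByType audio/flac "access plus 1 year"
#ExpiresByType audio/mpeg "access plus 1 year"
#ExpiresByType audio/ogg "access plus 1 year"
#ExpiresByType audio/mp4 "access plus 1 year"
#ExpiresByType audio/webm "access plus 1 year"
#ExpiresByType audio/x-wav "access plus 1 year"
#ExpiresByType video/avi "access plus 1 year"
#ExpiresByType video/mp4 "access plus 1 year"
#ExpiresByType video/mpeg "access plus 1 year"
#ExpiresByType video/mov "access plus 1 year"
#ExpiresByType video/ogg "access plus 1 year"
#ExpiresByType video/webm "access plus 1 year"
#ExpiresByType video/x-flv "access plus 1 year"
#ExpiresByType video/x-ms-wmv "access plus 1 year"
#ExpiresByType video/x-msvideo "access plus 1 year"
## Document Files
## NOTE: Updates to files should have new names otherwise Cache-Busting is required!
##       Documents downloaded by authenticated users should NOT get a long
##       public lifetime; keep these commented unless the files are public.
#ExpiresByType application/pdf "access plus 1 year"
#ExpiresByType application/msword "access plus 1 year"
#ExpiresByType application/vnd.ms-excel "access plus 1 year"
#ExpiresByType application/vnd.ms-powerpoint "access plus 1 year"
#ExpiresByType application/vnd.openxmlformats-officedocument.wordprocessingml.document "access plus 1 year"
#ExpiresByType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet "access plus 1 year"
#ExpiresByType application/vnd.openxmlformats-officedocument.presentationml.presentation "access plus 1 year"
#ExpiresByType application/x-autocad "access plus 1 year"
#ExpiresByType application/x-dwg "access plus 1 year"
#ExpiresByType application/x-dxf "access plus 1 year"
</IfModule>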
<IfModule mod_rewrite.c>
RewriteEngine On
# Force HTTPS
# CAVEAT: %{HTTPS} is 'off' when TLS is terminated by a proxy/CDN in front of
#         Apache, which turns this rule into an endless redirect loop. In that
#         setup test %{HTTP:X-Forwarded-Proto} instead - but only if the proxy
#         is known to overwrite (not merely forward) that header, because
#         clients can send it too.
RewriteCond %{HTTPS} !=on
# Leave domain-validation paths (ACME http-01, cPanel DCV, Comodo/Sectigo DCV)
# reachable over plain HTTP so certificate issuance works before HTTPS is up.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# CAVEAT: %{HTTP_HOST} is the client-supplied Host header. On a default or
#         catch-all vhost a request with "Host: evil.example" is answered with
#         a 301 to https://evil.example/... (host-header injection / open
#         redirect; poisonable if a cache sits in front). When the site has a
#         fixed hostname, pin it instead of echoing the header:
#RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
#         (%{SERVER_NAME} is not a fix in .htaccess: with the default
#         UseCanonicalName Off it is the Host header again.)
# NOTE: browsers cache 301s; use R=302 while testing the rule set.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# ENV Setup for forcing www/non-www
# PROTO records the scheme of the current request so the www rules below keep
# it unchanged (same proxy caveat for %{HTTPS} as above).
RewriteCond %{HTTPS} =on
RewriteRule ^ - [E=PROTO:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [E=PROTO:http]
# Force www. (Uncomment below to force www subdomain) (Never use with suppress www. below)
# The SERVER_ADDR conditions presumably skip the redirect on loopback (local
# development); the target is built from %{HTTP_HOST} again, so the Host-header
# caveat above applies here too.
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteCond %{SERVER_ADDR} !=127.0.0.1
#RewriteCond %{SERVER_ADDR} !=::1
#RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Suppressing www. (Uncomment below to suppress www.) (Never use with force www. above)
# %1 is the hostname captured after "www." by the RewriteCond; same Host-header
# caveat as above.
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
</IfModule>