Last active
January 21, 2023 21:30
-
-
Save RickKukiela/b5b69cddce6d127ecbadbc0f521a27b2 to your computer and use it in GitHub Desktop.
HTACCESS Functions Template
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Set Security Headers | |
| <IfModule mod_headers.c> | |
| # -- START HSTS HEADER SPECIFICATION -- | |
| # UNCOMMENT ONLY ONE | |
| # ------------------ | |
| ## NON-PRELOAD - Initial implementation / testing period (PRELOAD is hard to undo) | |
| #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'" | |
| ## PRELOAD - Use this if you're sure you want to "lock this in" | |
| #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'" | |
| # -- END HSTS HEADER SPECIFICATION -- | |
| # -- START CSP HEADER CONFIGURATION -- | |
| ## WARNING: Enabling this rule can break the site in various ways if not 100% correct. | |
| ## NOTE: Run spider / bot to get a list of valid sources before enabling this! | |
| #Header always set Content-Security-Policy "default-src 'self' https://www.example.com; \ | |
| #script-src 'self' 'unsafe-inline' https://www.example2.com https://www.example3.com; \ | |
| #style-src 'self' 'unsafe-inline' 'unsafe-hashes' https://www.example.com; \ | |
| #font-src 'self' https://www.example.com; \ | |
| #upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i" | |
| # -- END CSP HEADER CONFIGURATION -- | |
| # Additional Security Headers | |
| Header always set Access-Control-Allow-Origin "Origin" | |
| Header always set Referrer-Policy "strict-origin-when-cross-origin" | |
| Header always set Permissions-Policy "" | |
| Header always set X-Content-Type-Options "nosniff" | |
| Header always set X-Frame-Options "SAMEORIGIN" | |
| Header always set X-XSS-Protection "1; mode=block" | |
| </IfModule> | |
| # Set compression directives | |
| <IfModule mod_deflate.c> | |
| # Compress HTML, CSS, JavaScript, Text, XML and fonts | |
| AddOutputFilterByType DEFLATE application/json | |
| AddOutputFilterByType DEFLATE application/javascript | |
| AddOutputFilterByType DEFLATE application/rss+xml | |
| AddOutputFilterByType DEFLATE application/vnd.ms-fontobject | |
| AddOutputFilterByType DEFLATE application/x-font | |
| AddOutputFilterByType DEFLATE application/x-font-opentype | |
| AddOutputFilterByType DEFLATE application/x-font-otf | |
| AddOutputFilterByType DEFLATE application/x-font-truetype | |
| AddOutputFilterByType DEFLATE application/x-font-ttf | |
| AddOutputFilterByType DEFLATE application/x-javascript | |
| AddOutputFilterByType DEFLATE application/xhtml+xml | |
| AddOutputFilterByType DEFLATE application/xml | |
| AddOutputFilterByType DEFLATE font/opentype | |
| AddOutputFilterByType DEFLATE font/otf | |
| AddOutputFilterByType DEFLATE font/ttf | |
| AddOutputFilterByType DEFLATE image/svg+xml | |
| AddOutputFilterByType DEFLATE image/x-icon | |
| AddOutputFilterByType DEFLATE text/css | |
| AddOutputFilterByType DEFLATE text/html | |
| AddOutputFilterByType DEFLATE text/javascript | |
| AddOutputFilterByType DEFLATE text/plain | |
| AddOutputFilterByType DEFLATE text/xml | |
| # Remove browser bugs (only needed for really old browsers) | |
| BrowserMatch ^Mozilla/4 gzip-only-text/html | |
| BrowserMatch ^Mozilla/4\.0[678] no-gzip | |
| BrowserMatch \bMSIE !no-gzip !gzip-only-text/html | |
| Header append Vary User-Agent | |
| </IfModule> | |
| # Set file caching directives | |
| <IfModule mod_expires.c> | |
| ExpiresActive On | |
| ## ONLY UNCOMMENT LINES THAT APPLY TO CONTENT FOR A GIVEN SITE! | |
| ## PROCESSING LONG .htaccess FILES CAN BE EXPENSIVE | |
| ## AND SLOW DOWN CONTENT DELIVERY! | |
| ## DYNAMIC CONTENT - NO CACHING! | |
| ExpiresByType text/html "access plus 0 seconds" | |
| ExpiresByType text/xml "access plus 0 seconds" | |
| ExpiresByType application/json "access plus 0 seconds" | |
| ## Main Resources | |
| ## NOTE: Cache-Busting plan is REQUIRED for this! | |
| ExpiresByType text/css "access plus 1 year" | |
| ExpiresByType text/javascript "access plus 1 year" | |
| ExpiresByType application/javascript "access plus 1 year" | |
| ExpiresByType application/x-javascript "access plus 1 year" | |
| ## Font files | |
| ## NOTE: Updates to files should have new names otherwise Cache-Busting is required! | |
| ExpiresByType application/font-woff "access plus 1 year" | |
| #ExpiresByType application/vnd.ms-fontobject "access plus 1 year" | |
| #ExpiresByType application/x-font-ttf "access plus 1 year" | |
| ## Image Files | |
| ## NOTE Cache-Busting plan is REQUIRED for this! | |
| #ExpiresByType image/gif "access plus 1 year" | |
| #ExpiresByType image/png "access plus 1 year" | |
| #ExpiresByType image/jpg "access plus 1 year" | |
| #ExpiresByType image/jpeg "access plus 1 year" | |
| #ExpiresByType image/svg+xml "access plus 1 year" | |
| ## Audio / Video Files | |
| ## NOTE: Updates to files should have new names otherwise Cache-Busting is required! | |
| #ExpiresByType audio/flac "access plus 1 year" | |
| #ExpiresByType audio/mpeg "access plus 1 year" | |
| #ExpiresByType audio/ogg "access plus 1 year" | |
| #ExpiresByType audio/mp4 "access plus 1 year" | |
| #ExpiresByType audio/webm "access plus 1 year" | |
| #ExpiresByType audio/x-wav "access plus 1 year" | |
| #ExpiresByType video/avi "access plus 1 year" | |
| #ExpiresByType video/mp4 "access plus 1 year" | |
| #ExpiresByType video/mpeg "access plus 1 year" | |
| #ExpiresByType video/mov "access plus 1 year" | |
| #ExpiresByType video/ogg "access plus 1 year" | |
| #ExpiresByType video/webm "access plus 1 year" | |
| #ExpiresByType video/x-flv "access plus 1 year" | |
| #ExpiresByType video/x-ms-wmv "access plus 1 year" | |
| #ExpiresByType video/x-msvideo "access plus 1 year" | |
| ## Document Files | |
| ## NOTE: Updates to files should have new names otherwise Cache-Busting is required! | |
| #ExpiresByType application/pdf "access plus 1 year" | |
| #ExpiresByType application/msword "access plus 1 year" | |
| #ExpiresByType application/vnd.ms-excel "access plus 1 year" | |
| #ExpiresByType application/vnd.ms-powerpoint "access plus 1 year" | |
| #ExpiresByType application/vnd.openxmlformats-officedocument.wordprocessingml.document "access plus 1 year" | |
| #ExpiresByType application/vnd.openxmlformats-officedocument.spreadsheetml.sheet "access plus 1 year" | |
| #ExpiresByType application/vnd.openxmlformats-officedocument.presentationml.presentation "access plus 1 year" | |
| #ExpiresByType application/x-autocad "access plus 1 year" | |
| #ExpiresByType application/x-dwg "access plus 1 year" | |
| #ExpiresByType application/x-dxf "access plus 1 year" | |
| </IfModule> | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| # Force HTTPS | |
| RewriteCond %{HTTPS} !=on | |
| RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ | |
| RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$ | |
| RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ | |
| RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] | |
| # ENV Setup for forcing www/non-www | |
| RewriteCond %{HTTPS} =on | |
| RewriteRule ^ - [E=PROTO:https] | |
| RewriteCond %{HTTPS} !=on | |
| RewriteRule ^ - [E=PROTO:http] | |
| # Force www. (Uncomment below to force www subdomain) (Never use with suppress www. below) | |
| #RewriteCond %{HTTP_HOST} !^www\. [NC] | |
| #RewriteCond %{SERVER_ADDR} !=127.0.0.1 | |
| #RewriteCond %{SERVER_ADDR} !=::1 | |
| #RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] | |
| # Suppressing www. (Uncomment below to suppress www.) (Never use with force www. above) | |
| #RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] | |
| #RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L] | |
| </IfModule> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment