
@danielstrelec
Created March 5, 2019 12:57
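# Security response headers
<IfModule mod_headers.c>
    # "always" attaches each header to error and redirect responses as well
    # (for example the 301 and 403 answers produced by the rewrite rules in
    # this file), not only to successful responses.

    # NOTE(review): X-XSS-Protection only steers the XSS filter of legacy
    # browsers; it does not replace output encoding or a restrictive
    # Content-Security-Policy.
    Header always set X-XSS-Protection "1; mode=block"

    # Allow framing by same-origin pages only (clickjacking defence).
    Header always set X-Frame-Options SAMEORIGIN

    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options nosniff

    # HSTS for 15768000 seconds (about six months), emitted only when the
    # HTTPS environment variable is set.
    # NOTE(review): behind a TLS-terminating proxy that variable may be unset,
    # in which case this header is never sent - confirm for the deployment.
    Header always set Strict-Transport-Security "max-age=15768000;" env=HTTPS
</IfModule>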
# Expiry headers for static assets (mod_expires)
<IfModule mod_expires.c>
    # Case-insensitive match on the listed static-asset extensions.
    <FilesMatch "\.(?i:gif|jpe?g|png|js|css|swf|ico|woff|svg)$">
        ExpiresActive On
        # Expiry is counted from the time of the client's access.
        ExpiresDefault "access plus 365 days"
    </FilesMatch>
</IfModule>
# Cache-Control for the same static assets (mod_headers)
<IfModule mod_headers.c>
    <FilesMatch "\.(?i:gif|jpe?g|png|js|css|swf|ico|woff|svg)$">
        # 31536000 seconds = 365 days; "public" lets shared caches store the
        # response, so only files that are identical for every visitor
        # should match this pattern.
        Header set Cache-Control "max-age=31536000, public"
    </FilesMatch>
</IfModule>
# Gzip compression of text-like responses (mod_deflate)
<IfModule mod_deflate.c>
    # NOTE(review): text/html is compressed too. Where dynamic pages served
    # over TLS reflect request data next to secrets (e.g. CSRF tokens),
    # compression side channels such as BREACH apply - confirm this is
    # acceptable for the site.
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/richtext text/x-component
    AddOutputFilterByType DEFLATE text/xml text/xsd text/xsl
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE image/svg+xml image/x-icon
</IfModule>
# Disable automatic directory listings, so a directory without an index
# file does not expose the names of the files it contains.
Options -Indexes
# Fix for SVG files not being displayed: serve them with the SVG MIME type.
AddType image/svg+xml .svg .svgz
# Redirect from HTTP to HTTPS and to the www host name
# NOTE(review): no "RewriteEngine On" appears in this listing; the rewrite
# rules only take effect if the engine is enabled elsewhere - confirm.
# non-www to www (+https)
# Any host name that does not start with "www." is redirected, so a
# subdomain such as shop.example.com (constructed example) would be sent
# to www.shop.example.com.
# NOTE(review): the redirect target is built from the client-supplied Host
# header. Unless the virtual host only answers for known names, prefer a
# fixed canonical host name in the target (placeholder: www.example.com).
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,QSA,NE,R=301]
# Redirect http to https
# Both conditions must hold: the connection is not TLS and the
# X-Forwarded-Proto request header is not "https".
# NOTE(review): X-Forwarded-Proto is an ordinary request header. Unless a
# trusted proxy in front of Apache overwrites it, a client can send it over
# plain HTTP and the redirect is skipped - keep the second condition only
# when such a proxy exists.
RewriteCond %{HTTPS} !on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,QSA,NE,R=301]
# CSP header - prevent mixed content
<IfModule mod_headers.c>
    # upgrade-insecure-requests asks the browser to load http:// subresources
    # over https:// instead. It restricts no script, style or frame sources,
    # so it is not an XSS mitigation on its own.
    # NOTE(review): "Header set" may replace a Content-Security-Policy that
    # the application itself emits - confirm none is expected.
    Header set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
# Handle fbclid (Facebook click identifier): strip it from the URL
# The condition matches only when fbclid is the last query parameter; %1 is
# everything before it. The rule then answers with a 301 to the same path
# with the remaining query string.
# NOTE(review): the "/$1" target assumes this file sits in the document
# root - confirm before using it in a subdirectory.
RewriteCond %{QUERY_STRING} ^(.*?)(&?fbclid=[a-zA-Z0-9_-]+)$
RewriteRule ^(.*)$ /$1?%1 [L,NE,R=301]
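# WP - deny direct access to sensitive files
# Covers this file itself, the WordPress readme and licence files,
# install.php, wp-config.php and the error log. One anchored FilesMatch
# replaces six identical <Files> sections; the match is on the exact file
# name.
<FilesMatch "^(\.htaccess|readme\.html|license\.txt|install\.php|wp-config\.php|error_log)$">
    # Apache 2.4 and later: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: the legacy directives. On 2.4 these need mod_access_compat
    # and otherwise cause a server error, hence the module test.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>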
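# WP - block xmlrpc.php
# The pattern is anchored at the start only, so any file name that begins
# with "xmlrpc.php" is denied.
# NOTE(review): this also cuts off legitimate XML-RPC clients of the site,
# if there are any - confirm none are in use.
<FilesMatch "^(xmlrpc\.php)">
    # Apache 2.4 and later: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: the legacy directives (on 2.4 they need mod_access_compat).
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>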
# WP - block PHP scripts in uploads
# Answers 403 (flag F) for paths that contain "/uploads/" and end in ".php".
# The match is case-sensitive and covers that one extension only; other
# extensions the server may map to PHP are not matched.
# NOTE(review): a URL filter is a secondary control. Disabling the PHP
# handler for the uploads directory in the server configuration is the more
# robust measure - confirm which handlers are active there.
RewriteRule ^(.*)/uploads/(.*)\.php$ - [F]
# WP - prevent discovery of user names
# Answers 403 for every request whose query string contains "author=",
# on any path and at any position in the query string (the condition is
# not anchored). The NC flag applies to the rule pattern, not to the
# condition.
# NOTE(review): this can also hit legitimate requests that carry an author
# parameter, and it does not cover other places where WordPress may expose
# user names (e.g. the REST API) - verify both against the site.
RewriteCond %{QUERY_STRING} author=
RewriteRule ^(.*)$ - [R=403,NC,L]
# WP - block direct POSTs
# Answers 403 for any POST request that carries no Referer header.
# NOTE(review): Referer is supplied by the client, so this filters only
# unsophisticated automated traffic and is not an access control or a CSRF
# defence. It can also reject legitimate POSTs sent without a Referer
# (privacy-configured browsers, server-to-server callbacks) - confirm the
# site has no such callers.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} ^$
RewriteRule ^ - [F,L]