devellopah/.htaccess

## .htaccess

<IfModule mod_rewrite.c>
  #Close the listing of files and folders
  Options +FollowSymLinks -Indexes

  #Activate mod_rewrite extension
  RewriteEngine On

  #### @RS
  # Block out any script trying to base64_encode data within the URL.
  RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
  # Block out any script that includes a <script> tag in URL.
  RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
  # Block out any script trying to set a PHP GLOBALS variable via URL.
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  # Block out any script trying to modify a _REQUEST variable via URL.
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  # Return 403 Forbidden header and show the content of the root homepage
  RewriteRule .* index.php [F]
  #### @RS

  #### @RS
  #Rewrite rules to block out some common exploits.
  RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
  RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
  RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
  RewriteRule ^(.*)$ index.php [F,L]
  #### @RS

  #### @RS
  # Deny access to php, xml and ini files
  # within components and plugins directories
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteCond %{REQUEST_URI} \.php|\.ini|\.xml [NC]
  RewriteCond %{REQUEST_URI} \/components\/ [OR]
  RewriteCond %{REQUEST_URI} ^\/includes\/|^\/administrator\/includes\/ [OR]
  RewriteCond %{REQUEST_URI} \/language\/ [OR]
  RewriteCond %{REQUEST_URI} \/libraries\/ [OR]
  RewriteCond %{REQUEST_URI} \/modules\/ [OR]
  RewriteCond %{REQUEST_URI} \/plugins\/ [OR]
  RewriteCond %{REQUEST_URI} \/templates\/ [OR]
  RewriteCond %{REQUEST_URI} \/xmlrpc\/
  RewriteRule ^(.*)$ index.php [R=404,L]
  #### @RS

  #### @RS
  # Prevent most common SQL-Injections
  RewriteCond %{query_string} concat.*\( [NC,OR]
  RewriteCond %{query_string} union.*select.*\( [NC,OR]
  RewriteCond %{query_string} union.*all.*select [NC]
  RewriteRule ^(.*)$ index.php [F,L]
  #### @RS

  #### @RS
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  # If the requested path and file is not /index.php and the request
  # has not already been internally rewritten to the index.php script
  RewriteCond %{REQUEST_URI} !^/index\.php
  # and the request is for something within the component folder,
  # or for the site root, or for an extensionless URL, or the
  # requested URL ends with one of the listed extensions
  RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]
  # and the requested path and file doesn't directly match a physical file
  RewriteCond %{REQUEST_FILENAME} !-f
  # and the requested path and file doesn't directly match a physical folder
  RewriteCond %{REQUEST_FILENAME} !-d
  # internally rewrite the request to the index.php script
  RewriteRule . /index.php [L]
  #### @RS

  #### @RS
  #PREVENT IMAGE HOTLINKING
  RewriteCond %{HTTP_REFERER} !^$
  RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
  RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
  RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
  RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
  RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]
#### @RS
</IfModule>

<IfModule mod_setenvif.c>
  #### @RS
  # Block most common hacking tools
  SetEnvIf user-agent "Indy Library" stayout=1
  SetEnvIf user-agent "libwww-perl" stayout=1
  SetEnvIf user-agent "Wget" stayout=1
  deny from env=stayout
  #### @RS
</IfModule>

<IfModule mod_deflate.c>
  # force compression for clients that mangle 'Accept-Encoding' request headers
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>

  # compress all output with one of the following file extensions
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/wasm" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/otf" \
                                  "font/ttf" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "text/cache-manifest" \
                                  "text/calendar" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/plain" \
                                  "text/markdown" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
  </IfModule>

  # define and map media types to their appropriate encoding type
  # Using SVG format (Scalable Vector Graphics) is highly recommended to
  # load logos, icons, text, and simple images. You can compress .SVG files
  # further using GZIP to create .SVGZ files. However, most browsers don’t
  # know that they need to decompress them first if they’re not served
  # without an appropriate ‘content-encoding’ HTTP response header. Thus,
  # these images wouldn’t show up in the browser. Hence, this module.

  <IfModule mod_mime.c>
    AddType image/svg+xml svg svgz
    AddEncoding gzip svgz
  </IfModule>

</IfModule>

<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_include handler ^cgi-script$
</IfModule>

<IfModule mod_expires.c>
  # Enable expiration control
  ExpiresActive On

  # Default expiration: 1 hour after request
  ExpiresDefault "now plus 1 hour"

  # CSS and JS expiration: 1 week after request
  ExpiresByType text/css "now plus 1 week"
  ExpiresByType application/javascript "now plus 1 week"
  ExpiresByType application/x-javascript "now plus 1 week"

  # Image files expiration: 1 month after request
  ExpiresByType image/bmp "now plus 1 month"
  ExpiresByType image/gif "now plus 1 month"
  ExpiresByType image/jpeg "now plus 1 month"
  ExpiresByType image/jp2 "now plus 1 month"
  ExpiresByType image/pipeg "now plus 1 month"
  ExpiresByType image/png "now plus 1 month"
  ExpiresByType image/svg+xml "now plus 1 month"
  ExpiresByType image/tiff "now plus 1 month"
  ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
  ExpiresByType image/x-icon "now plus 1 month"
  ExpiresByType image/ico "now plus 1 month"
  ExpiresByType image/icon "now plus 1 month"
  ExpiresByType text/ico "now plus 1 month"
  ExpiresByType application/ico "now plus 1 month"
  ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
  ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
  ExpiresByType application/smil "now plus 1 month"

  # Audio files expiration: 1 month after request
  ExpiresByType audio/basic "now plus 1 month"
  ExpiresByType audio/mid "now plus 1 month"
  ExpiresByType audio/midi "now plus 1 month"
  ExpiresByType audio/mpeg "now plus 1 month"
  ExpiresByType audio/x-aiff "now plus 1 month"
  ExpiresByType audio/x-mpegurl "now plus 1 month"
  ExpiresByType audio/x-pn-realaudio "now plus 1 month"
  ExpiresByType audio/x-wav "now plus 1 month"

  # Movie files expiration: 1 month after request
  ExpiresByType application/x-shockwave-flash "now plus 1 month"
  ExpiresByType x-world/x-vrml "now plus 1 month"
  ExpiresByType video/x-msvideo "now plus 1 month"
  ExpiresByType video/mpeg "now plus 1 month"
  ExpiresByType video/mp4 "now plus 1 month"
  ExpiresByType video/quicktime "now plus 1 month"
  ExpiresByType video/x-la-asf "now plus 1 month"
  ExpiresByType video/x-ms-asf "now plus 1 month"
</IfModule>
########## End - Optimal expiration time

<IfModule mod_headers.c>
  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary: Accept-Encoding
  </FilesMatch>
</IfModule>

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
  Order deny,allow
  Deny from all
</FilesMatch>
<FilesMatch "^(readme.html|license.txt)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

<FilesMatch "^(xmlrpc\.php)">
  Order deny,allow
  Deny from all
</FilesMatch>

# START ENABLE KEEP ALIVE
<ifModule mod_headers.c>
Header set Connection keep-alive
</ifModule>
# END ENABLE KEEP ALIVE

# block humans.txt scans
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
	RewriteRule .* - [F,L]
</IfModule>

Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always append X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy: "no-referrer-when-downgrade"

AddDefaultCharset utf-8

	<IfModule mod_rewrite.c>
	#Close the listing of files and folders
	Options +FollowSymLinks -Indexes

	#Activate mod_rewrite extension
	RewriteEngine On

	#### @RS
	# Block out any script trying to base64_encode data within the URL.
	RewriteCond %{QUERY_STRING} base64_encode[^(]\([^)]\) [OR]
	# Block out any script that includes a <script> tag in URL.
	RewriteCond %{QUERY_STRING} (<\|%3C)([^s]s)+cript.(>\|%3E) [NC,OR]
	# Block out any script trying to set a PHP GLOBALS variable via URL.
	RewriteCond %{QUERY_STRING} GLOBALS(=\|\[\|\%[0-9A-Z]{0,2}) [OR]
	# Block out any script trying to modify a _REQUEST variable via URL.
	RewriteCond %{QUERY_STRING} _REQUEST(=\|\[\|\%[0-9A-Z]{0,2})
	# Return 403 Forbidden header and show the content of the root homepage
	RewriteRule .* index.php [F]
	#### @RS

	#### @RS
	#Rewrite rules to block out some common exploits.
	RewriteCond %{QUERY_STRING} (<\|%3C).script.(>\|%3E) [NC,OR]
	RewriteCond %{QUERY_STRING} GLOBALS(=\|[\|%[0-9A-Z]{0,2}) [OR]
	RewriteCond %{QUERY_STRING} _REQUEST(=\|[\|%[0-9A-Z]{0,2})
	RewriteRule ^(.*)$ index.php [F,L]
	#### @RS

	#### @RS
	# Deny access to php, xml and ini files
	# within components and plugins directories
	RewriteCond %{REQUEST_FILENAME} -f
	RewriteCond %{REQUEST_URI} \.php\|\.ini\|\.xml [NC]
	RewriteCond %{REQUEST_URI} \/components\/ [OR]
	RewriteCond %{REQUEST_URI} ^\/includes\/\|^\/administrator\/includes\/ [OR]
	RewriteCond %{REQUEST_URI} \/language\/ [OR]
	RewriteCond %{REQUEST_URI} \/libraries\/ [OR]
	RewriteCond %{REQUEST_URI} \/modules\/ [OR]
	RewriteCond %{REQUEST_URI} \/plugins\/ [OR]
	RewriteCond %{REQUEST_URI} \/templates\/ [OR]
	RewriteCond %{REQUEST_URI} \/xmlrpc\/
	RewriteRule ^(.*)$ index.php [R=404,L]
	#### @RS

	#### @RS
	# Prevent most common SQL-Injections
	RewriteCond %{query_string} concat.*\( [NC,OR]
	RewriteCond %{query_string} union.select.\( [NC,OR]
	RewriteCond %{query_string} union.all.select [NC]
	RewriteRule ^(.*)$ index.php [F,L]
	#### @RS

	#### @RS
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	# If the requested path and file is not /index.php and the request
	# has not already been internally rewritten to the index.php script
	RewriteCond %{REQUEST_URI} !^/index\.php
	# and the request is for something within the component folder,
	# or for the site root, or for an extensionless URL, or the
	# requested URL ends with one of the listed extensions
	RewriteCond %{REQUEST_URI} /component/\|(/[^.]*\|\.(php\|html?\|feed\|pdf\|vcf\|raw))$ [NC]
	# and the requested path and file doesn't directly match a physical file
	RewriteCond %{REQUEST_FILENAME} !-f
	# and the requested path and file doesn't directly match a physical folder
	RewriteCond %{REQUEST_FILENAME} !-d
	# internally rewrite the request to the index.php script
	RewriteRule . /index.php [L]
	#### @RS

	#### @RS
	#PREVENT IMAGE HOTLINKING
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC]
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC]
	RewriteRule \.(jpg\|jpeg\|png\|gif)$ – [NC,F,L]
	#### @RS
	</IfModule>

	<IfModule mod_setenvif.c>
	#### @RS
	# Block most common hacking tools
	SetEnvIf user-agent "Indy Library" stayout=1
	SetEnvIf user-agent "libwww-perl" stayout=1
	SetEnvIf user-agent "Wget" stayout=1
	deny from env=stayout
	#### @RS
	</IfModule>

	<IfModule mod_deflate.c>
	# force compression for clients that mangle 'Accept-Encoding' request headers
	<IfModule mod_setenvif.c>
	<IfModule mod_headers.c>
	SetEnvIfNoCase ^(Accept-EncodXng\|X-cept-Encoding\|X{15}\|~{15}\|-{15})$ ^((gzip\|deflate)\s,?\s)+\|[X~-]{4,13}$ HAVE_Accept-Encoding
	RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
	</IfModule>
	</IfModule>

	# compress all output with one of the following file extensions
	<IfModule mod_filter.c>
	AddOutputFilterByType DEFLATE "application/atom+xml" \
	"application/javascript" \
	"application/json" \
	"application/ld+json" \
	"application/manifest+json" \
	"application/rdf+xml" \
	"application/rss+xml" \
	"application/schema+json" \
	"application/geo+json" \
	"application/vnd.ms-fontobject" \
	"application/wasm" \
	"application/x-font-ttf" \
	"application/x-javascript" \
	"application/x-web-app-manifest+json" \
	"application/xhtml+xml" \
	"application/xml" \
	"font/eot" \
	"font/opentype" \
	"font/otf" \
	"font/ttf" \
	"image/bmp" \
	"image/svg+xml" \
	"image/vnd.microsoft.icon" \
	"text/cache-manifest" \
	"text/calendar" \
	"text/css" \
	"text/html" \
	"text/javascript" \
	"text/plain" \
	"text/markdown" \
	"text/vcard" \
	"text/vnd.rim.location.xloc" \
	"text/vtt" \
	"text/x-component" \
	"text/x-cross-domain-policy" \
	"text/xml"
	</IfModule>

	# define and map media types to their appropriate encoding type
	# Using SVG format (Scalable Vector Graphics) is highly recommended to
	# load logos, icons, text, and simple images. You can compress .SVG files
	# further using GZIP to create .SVGZ files. However, most browsers don’t
	# know that they need to decompress them first if they’re not served
	# without an appropriate ‘content-encoding’ HTTP response header. Thus,
	# these images wouldn’t show up in the browser. Hence, this module.

	<IfModule mod_mime.c>
	AddType image/svg+xml svg svgz
	AddEncoding gzip svgz
	</IfModule>

	</IfModule>

	<IfModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include file \.(html?\|txt\|css\|js\|php\|pl)$
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_include mime ^text/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.gzip.
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_include handler ^cgi-script$
	</IfModule>

	<IfModule mod_expires.c>
	# Enable expiration control
	ExpiresActive On

	# Default expiration: 1 hour after request
	ExpiresDefault "now plus 1 hour"

	# CSS and JS expiration: 1 week after request
	ExpiresByType text/css "now plus 1 week"
	ExpiresByType application/javascript "now plus 1 week"
	ExpiresByType application/x-javascript "now plus 1 week"

	# Image files expiration: 1 month after request
	ExpiresByType image/bmp "now plus 1 month"
	ExpiresByType image/gif "now plus 1 month"
	ExpiresByType image/jpeg "now plus 1 month"
	ExpiresByType image/jp2 "now plus 1 month"
	ExpiresByType image/pipeg "now plus 1 month"
	ExpiresByType image/png "now plus 1 month"
	ExpiresByType image/svg+xml "now plus 1 month"
	ExpiresByType image/tiff "now plus 1 month"
	ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
	ExpiresByType image/x-icon "now plus 1 month"
	ExpiresByType image/ico "now plus 1 month"
	ExpiresByType image/icon "now plus 1 month"
	ExpiresByType text/ico "now plus 1 month"
	ExpiresByType application/ico "now plus 1 month"
	ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
	ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
	ExpiresByType application/smil "now plus 1 month"

	# Audio files expiration: 1 month after request
	ExpiresByType audio/basic "now plus 1 month"
	ExpiresByType audio/mid "now plus 1 month"
	ExpiresByType audio/midi "now plus 1 month"
	ExpiresByType audio/mpeg "now plus 1 month"
	ExpiresByType audio/x-aiff "now plus 1 month"
	ExpiresByType audio/x-mpegurl "now plus 1 month"
	ExpiresByType audio/x-pn-realaudio "now plus 1 month"
	ExpiresByType audio/x-wav "now plus 1 month"

	# Movie files expiration: 1 month after request
	ExpiresByType application/x-shockwave-flash "now plus 1 month"
	ExpiresByType x-world/x-vrml "now plus 1 month"
	ExpiresByType video/x-msvideo "now plus 1 month"
	ExpiresByType video/mpeg "now plus 1 month"
	ExpiresByType video/mp4 "now plus 1 month"
	ExpiresByType video/quicktime "now plus 1 month"
	ExpiresByType video/x-la-asf "now plus 1 month"
	ExpiresByType video/x-ms-asf "now plus 1 month"
	</IfModule>
	########## End - Optimal expiration time

	<IfModule mod_headers.c>
	<FilesMatch "\.(js\|css\|xml\|gz)$">
	Header append Vary: Accept-Encoding
	</FilesMatch>
	</IfModule>

	<FilesMatch "^.(error_log\|wp-config\.php\|php.ini\|\.[hH][tT][aApP].)$">
	Order deny,allow
	Deny from all
	</FilesMatch>
	<FilesMatch "^(readme.html\|license.txt)">
	Order allow,deny
	Deny from all
	Satisfy All
	</FilesMatch>

	<FilesMatch "^(xmlrpc\.php)">
	Order deny,allow
	Deny from all
	</FilesMatch>

	# START ENABLE KEEP ALIVE
	<ifModule mod_headers.c>
	Header set Connection keep-alive
	</ifModule>
	# END ENABLE KEEP ALIVE

	# block humans.txt scans
	<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} http\:\/\/www\.google\.com\/humans\.txt\? [NC]
	RewriteRule .* - [F,L]
	</IfModule>

	Header always set Strict-Transport-Security: "max-age=31536000" env=HTTPS
	Header always set Content-Security-Policy "upgrade-insecure-requests"
	Header always set X-Content-Type-Options "nosniff"
	Header always set X-XSS-Protection "1; mode=block"
	Header always set Expect-CT "max-age=7776000, enforce"
	Header always append X-Frame-Options SAMEORIGIN
	Header always set Referrer-Policy: "no-referrer-when-downgrade"

	AddDefaultCharset utf-8