
@eusonlito
Created February 4, 2020 15:17
Accept all CORS requests on Apache and nginx. Improve website performance by accepting all OPTIONS requests.
# Apache (.htaccess) front-controller configuration with permissive CORS.
# The CORS headers below are attached to every response served from this
# directory; read the notes on each directive before copying it into a
# deployment.
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
# Allow Access Control Headers
# NOTE(review): `Header set` without `always` only edits the on-success
# header table, so 4xx/5xx responses (e.g. a 401 for a rejected token) go out
# WITHOUT these headers and the browser reports an opaque CORS failure instead
# of the real status. `Header always set` adds them to error responses too;
# if the PHP application also emits CORS headers, keep a single source,
# because duplicated Access-Control-* values are rejected by browsers.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,PATCH,OPTIONS"
Header set Access-Control-Allow-Headers "Accept, Accept-Datetime, Accept-Language, App-Version, Authorization, Cache-Control, Content-Type, Date, Device-Token, Location, Origin, Time-Zone, User-Agent, X-Requested-With"
# NOTE(review): a wildcard Allow-Origin cannot be combined with
# Allow-Credentials "true" — browsers refuse to expose a cookie- or
# HTTP-auth-bearing response whose Allow-Origin is "*", so this line has no
# effect. Either drop it, or replace the wildcard with an explicit allow-list
# of origins. Reflecting an arbitrary Origin with credentials enabled would
# let any website act as the logged-in user.
Header set Access-Control-Allow-Credentials "true"
# Browsers may cache a preflight result for up to 24 hours.
Header set Access-Control-Max-Age "86400"
RewriteEngine On
# Accept all OPTIONS requests
# Preflights are short-circuited to a static file so they never reach PHP.
# empty.html must exist next to this .htaccess; otherwise the preflight gets
# a 404, which (with plain `Header set`) carries no CORS headers at all.
# The NC flag is a no-op on the pattern `.*`.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* empty.html [NC,L]
# Handle Authorization Header
# Re-exports the incoming Authorization header as the HTTP_AUTHORIZATION
# environment variable; presumably so PHP running under CGI/FastCGI can read
# it, since that header is otherwise not passed through — confirm for the
# PHP handler in use.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect Trailing Slashes If Not A Folder...
# Ordering matters: this 301 runs after the OPTIONS rule above, so preflight
# requests are never redirected (a redirected preflight fails CORS).
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
# Anything that is not an existing file or directory is routed to index.php.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# Cross domain AJAX requests
# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header
# **Security Warning**
# Do not use this without understanding the consequences.
# This will permit access from any other website.
#
# NOTE(review): presumably this is the snippets/cross-domain-insecure.conf
# that the server block below includes — confirm the file name. The `always`
# flag makes nginx emit each header on every status code, including 4xx/5xx,
# which CORS needs so the browser can surface a real 401/404 instead of an
# opaque error.
add_header 'X-Frame-Options' 'SAMEORIGIN' always;
# NOTE(review): X-XSS-Protection is deprecated and ignored by current
# browsers; current guidance is to send `0` or omit the header and rely on
# Content-Security-Policy instead.
add_header 'X-XSS-Protection' '1; mode=block' always;
add_header 'X-Content-Type-Options' 'nosniff' always;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Type, Origin, User-Agent, X-Requested-With' always;
# NOTE(review): Allow-Credentials "true" together with a wildcard
# Allow-Origin is rejected by browsers for cookie- or HTTP-auth-bearing
# requests, so this line buys nothing. Drop it, or — only if credentialed
# cross-origin calls are really required — replace the wildcard with a
# specific allow-listed origin. Never echo $http_origin unconditionally with
# credentials enabled; that would let any site drive the user's session.
add_header 'Access-Control-Allow-Credentials' 'true' always;
# Beyond the CORS-safelisted response headers, only Content-Disposition is
# readable by cross-origin scripts.
add_header 'Access-Control-Expose-Headers' 'Content-Disposition' always;
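# HTTPS vhost for a PHP application routed through a single front controller
# (index.php). CORS headers come from snippets/cross-domain-insecure.conf,
# presumably the add_header block defined above — confirm the path.
server {
    listen 443 ssl http2;
    server_name domain.com;

    root /var/www/domain.com/public;
    index index.html index.php;

    # Anything that is not an existing file or directory is handed to
    # index.php with the original query string preserved. This directive is
    # inherited by the PHP location below, which is what keeps unknown paths
    # such as "/uploads/x.jpg/y.php" from ever reaching PHP-FPM.
    try_files $uri $uri/ /index.php?$query_string;

    location ~ \.php$ {
        # Preflight: answered with 204 directly, without touching PHP.
        # add_header is NOT inherited into an `if` block that defines its own
        # add_header directives, so the CORS snippet must be included here as
        # well as at location level.
        if ($request_method = 'OPTIONS') {
            include snippets/cross-domain-insecure.conf;
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        # One include at location level replaces the per-method `if` blocks:
        # it covers GET/POST/PUT/PATCH/DELETE exactly as before and also HEAD,
        # which the per-method form left without any CORS headers.
        include snippets/cross-domain-insecure.conf;

        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        # $realpath_root resolves symlinks once per request, so an atomic
        # release switch (symlink flip) is picked up without a reload.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_read_timeout 300;
        include fastcgi_params;
    }

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    access_log /var/log/nginx/domain.com_access.log;
    error_log /var/log/nginx/domain.com_error.log;
}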