.htaccess Security
######################################################################
## Word to the wise                                                 ##
## Keep .htaccess files as small as possible and put as much of the ##
## configuration as you can in the main Apache config: per-directory ##
## .htaccess files are re-read on every request and slow Apache     ##
## down. Several directives below need AllowOverride to permit them ##
## (Options, FileInfo, Limit/AuthConfig) and the mod_rewrite and    ##
## mod_headers modules to be loaded.                                ##
## Review the entire file before use, especially the TODO sections. ##
######################################################################
# Serve exactly the file that was requested: with MultiViews on, mod_negotiation
# may answer a request with a differently named file (e.g. /foo -> foo.php),
# which also interferes with the rewrite rules below.
Options -MultiViews
# mod_rewrite in per-directory (.htaccess) context requires FollowSymLinks (or
# SymLinksIfOwnerMatch); without it every RewriteRule below is refused with 403.
Options +FollowSymLinks
# Disable PHP error output on production so stack traces, file system paths
# and query fragments are not shown to visitors.
# NOTE(review): php_flag / php_value only work when PHP runs as mod_php. Under
# PHP-FPM or CGI they are unknown directives and make Apache answer 500 for the
# whole directory — set the same values in php.ini or .user.ini there instead.
# Keep error logging enabled (log_errors) so the errors still reach the log.
# TODO: uncomment at will
# php_flag display_startup_errors off
# php_flag display_errors off
# php_flag html_errors off
# php_value docref_root 0
# php_value docref_ext 0
# Hide the version/OS footer Apache appends to its own error pages and listings.
ServerSignature Off
# NOTE: the "Server:" response header is governed by ServerTokens, which is only
# valid in the main server config, not in .htaccess — set it there as well.
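# Disable directory browsing.
# "Options All -Indexes" would additionally switch on ExecCGI and Includes ("All"
# is every option except MultiViews), which is more than a hardening file should
# hand out. Only subtract Indexes; the Options set earlier in this file remain.
Options -Indexes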
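# Rewrite section
RewriteEngine on
# Canonical host: send the bare domain to the www host over HTTPS in a single
# hop, so the browser never lands on the non-canonical host in plaintext.
# TODO: substitute MYDOMAIN.COM
RewriteCond %{HTTP_HOST} ^MYDOMAIN\.COM$ [NC]
RewriteRule ^(.*)$ https://www.MYDOMAIN.COM/$1 [R=301,L]
# Force HTTPS for the canonical host. %{HTTPS} is set by mod_ssl whatever port
# is in use; matching SERVER_PORT 80 missed plaintext on any other port and
# would loop on TLS served on a non-standard port.
# NOTE(review): behind a TLS-terminating proxy neither HTTPS nor SERVER_PORT
# reflects the client connection — test %{HTTP:X-Forwarded-Proto} there.
RewriteCond %{HTTP_HOST} ^www\.MYDOMAIN\.COM$ [NC]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://www.MYDOMAIN.COM/$1 [R=301,L]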
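# Redirect /index.php (at any depth) to /, to avoid duplicate content issues.
# Redirect straight to https: the original http:// target bounced the client
# back to plaintext and then onto TLS again via the rule above. The dot is
# escaped so the rule matches the same literal path as the condition.
# NOTE(review): %{HTTP_HOST} comes from the client's Host header; if this vhost
# can receive other Host values, use the canonical www host here as well.
RewriteCond %{THE_REQUEST} ^.*/index\.php
RewriteRule ^(.*)index\.php$ https://%{HTTP_HOST}/$1 [R=301,L]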
# Throw a 403 forbidden on common brute force URIs
# NOTE(review): these are blanket denies — they lock out legitimate admins as
# well as attackers. Prefer an IP allow-list or HTTP auth on the admin path (or
# rate limiting) over a flat 403. If you enable the .php patterns, escape the
# dot (\.php) so the regex matches only the literal filename.
# TODO: Uncomment appropriate uris and add more to your liking
# RedirectMatch 403 ^/admin$
# RedirectMatch 403 ^/administrator$
# RedirectMatch 403 ^/wp-admin$
# RedirectMatch 403 ^/wp-login.php$
# RedirectMatch 403 ^/install.php$
# RedirectMatch 403 ^/viewtopic.php$
# Add 301 redirects using wildcard matching
# RedirectMatch 301 old-news-articles/(.*) /news
# Add 301 literal redirects for mapping old URLs to new ones
# Redirect 301 /my-old-url /my-new/url
# Pretty URLs (front controller): any request that is not an existing directory
# or file is rewritten internally to index.php.
# NOTE(review): because of the !-d / !-f guards, every real file under the web
# root is served directly and never passes through index.php — keep secrets
# (.env, config backups, VCS metadata) out of the document root or deny them
# explicitly.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
# End of Rewrite section
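# Allow web fonts to be loaded cross-origin (browsers enforce CORS on fonts).
# Scoped to font files only: the previous unconditional "Header add ... *"
# exposed every response from this directory to cross-origin reads, not just
# fonts, and "add" can emit a second Access-Control-Allow-Origin header next to
# one set by the application, which browsers reject.
<IfModule mod_headers.c>
  <FilesMatch "\.(ttf|otf|eot|woff|woff2)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>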
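# Drop ETags so browsers do not send conditional requests for static files
# (the Expires rules below handle freshness instead). FileETag None also stops
# Apache deriving the tag from the file's inode, which older defaults did and
# which discloses inode numbers.
# Wrapped in IfModule: without mod_headers the bare "Header" directive makes
# Apache answer 500 for the whole directory.
<IfModule mod_headers.c>
  Header unset ETag
</IfModule>
FileETag None
# End of ETag section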
# Set compression to reduce bandwidth.
# NOTE(review): compressing dynamic HTML that reflects user input on the same
# page as a secret (CSRF token, session id) enables BREACH-style attacks;
# confirm that is acceptable for the text/html output of index.php.
<IfModule mod_deflate.c>
# SetOutputFilter applies DEFLATE to every response from this directory, so the
# AddOutputFilterByType lines below are redundant with it (harmless).
SetOutputFilter DEFLATE
# Don't compress images — they are already compressed; dont-vary also keeps
# "Vary: Accept-Encoding" off these responses.
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
# End of Set compression
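# Set browser caching to reduce http requests.
# mod_expires emits both an Expires header and Cache-Control: max-age.
<IfModule mod_expires.c>
ExpiresActive On
# image/jpg is not a registered type (JPEGs are served as image/jpeg); kept
# only in case a local AddType maps it.
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 1 month"
# ExpiresDefault alone would let browsers and shared caches keep HTML — i.e.
# the output of index.php — for a month unless the application sets its own
# caching headers; dynamic pages must revalidate every time.
# NOTE(review): other dynamic content types the application emits (e.g. JSON)
# inherit the default too — add a 0-second entry for each of them.
ExpiresByType text/html "access plus 0 seconds"
</IfModule>
# End of set browser caching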
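# Deny direct access to .htaccess, .htpasswd and any other .ht* control file.
# Apache 2.4 uses Require (mod_authz_core); the Order/Deny syntax is 2.2 and
# only works on 2.4 when mod_access_compat is loaded, so provide both forms.
<FilesMatch "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>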
@TVBZ I totally forgot this gist existed :)
I just added forcing SSL for fun and pleasure.
# Canonical rewrite non-www version to www, to avoid duplicate content issues
# TODO: substitute MYDOMAIN.COM
RewriteCond %{HTTP_HOST} ^MYDOMAIN\.COM$ [NC]
RewriteRule ^(.*)$ https://www.MYDOMAIN.COM/$1 [R=301,L]
# Force SSL for SEO purposes
RewriteCond %{HTTP_HOST} ^www\.MYDOMAIN\.COM$ [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.MYDOMAIN.COM/$1 [R=301,L]
:) Great. I was looking over it and thought I could fill in the gap for you on the # TODO: substitute MYDOMAIN.COM
Hey my friend,
I need some help with your script, I installed it on some of my clients' sites but the admin panel login can't login, is there any command I can put to use your code and login work?
Thank you very much
Hey my friend,
I need some help with your script, I installed it on some of my clients' sites but the admin panel login can't login, is there any command I can put to use your code and login work?
Thank you very much
- Check your webserver. A .htaccess file only works on Apache webservers.
- Check your application. This .htaccess file only works on platforms that use 'pretty' URLs, like /admin/login.
- If you uncommented any of the "RedirectMatch 403" lines (/admin, /wp-admin, /wp-login.php, ...), they block your own admin login as well as attackers; comment them out again or restrict them to an IP allow-list.
If these check out, remove one line at a time and see when it starts working :)
For canonical rewrite on line 31 & 32:
Cheers! :)