@qodeninja
Last active January 8, 2022 18:59
.htaccess template for when you're doing apache/wp/php stuff
# By @JAKKVEGA
# remove and change the stuff you don't need. These are only
# here for reference and not to be used OOB
# ----------------------------------------------------------------------
# General
# ----------------------------------------------------------------------
# disable the server signature: the version/host footer Apache appends to
# pages it generates itself (error pages, directory listings). The "Server:"
# response header is controlled by ServerTokens, which is server-config
# context only and cannot be set from .htaccess.
ServerSignature Off
# set the default language
DefaultLanguage en-US
# set the server timezone (environment variable passed to CGI/PHP, not a
# change to Apache's own log timestamps)
SetEnv TZ America/Los_Angeles
# ----------------------------------------------------------------------
# UTF-8 encoding
# ----------------------------------------------------------------------
# Use UTF-8 encoding for anything served text/plain or text/html.
# Declaring the charset explicitly also stops browsers guessing the encoding
# of a page, which is what charset-sniffing tricks (e.g. UTF-7) rely on.
AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats
AddCharset utf-8 .css .js .json .rss .xml
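# ----------------------------------------------------------------------
# Security
# ----------------------------------------------------------------------
# "strong" htaccess protection: refuse direct requests for .htaccess,
# .htpasswd and friends. The previous pattern ("^.*\.([Hh][Tt][Aa])") only
# matched names containing ".hta", so a .htpasswd left in the web root was
# not covered; "^\.ht" is the same pattern Apache's own default config uses.
# Two IfModule branches keep this working everywhere: on stock Apache 2.4
# (mod_authz_core) "Order"/"Deny" are invalid commands unless
# mod_access_compat is loaded, and an invalid command in .htaccess turns
# every request under this directory into a 500.
<FilesMatch "^\.ht">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
</FilesMatch>
# block access to bak and source files
# edit this if you need more or less
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
</FilesMatch>
#! block php execution in certain folders (place in directory)
# <Files *.php>
# deny from all
# </Files>
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
<IfModule mod_headers.c>
# "merge" rather than "set": a "Header set Cache-Control" here would replace
# the max-age value mod_expires adds (Expires section further down), quietly
# disabling those cache rules. merge only adds the token when it is missing.
Header merge Cache-Control "no-transform"
# "always" so the headers are also sent on 4xx/5xx responses — i.e. on the
# ErrorDocument pages this file configures. Plain "Header set" only applies
# to successful responses.
# X-XSS-Protection: legacy header; current browsers have removed the XSS
# auditor and present guidance is to send "0". Left as-is for old browsers;
# the Content-Security-Policy below is the effective control.
Header always set X-XSS-Protection "1; mode=block"
# X-Frame-Options: clickjacking protection (CSP frame-ancestors is the
# modern equivalent)
Header always set X-Frame-Options "SAMEORIGIN"
# X-Content-Type-Options: stop browsers sniffing a mis-labelled response
# into a script or stylesheet
Header always set X-Content-Type-Options "nosniff"
# Strict-Transport-Security: 2 years, all subdomains. Browsers only honour it
# once the site has been reached over HTTPS; confirm every subdomain serves
# TLS before keeping includeSubDomains, as it cannot be undone for max-age.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
# Referrer-Policy
Header always set Referrer-Policy "same-origin"
# Feature-Policy (superseded by Permissions-Policy)
# Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# Content-Security-Policy - Examples
# Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' https://code.jquery.com; style-src 'self'"
# NOTE: the scheme-only sources below ("https:") allow scripts and styles from
# ANY https origin; tighten to 'self' plus named hosts for a real deployment.
# Inline scripts/styles stay blocked (no 'unsafe-inline').
# Deliberately NOT "always": the Rewrite section sets a second CSP with
# "Header always set", and two "always set" on the same header would
# overwrite each other instead of both being sent.
Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>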
# ----------------------------------------------------------------------
# Errors
# ----------------------------------------------------------------------
# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the
# same name does not exist.
# webmasterworld.com/apache/3808792.htm
Options -MultiViews
# these are just starters. change these as needed
# /error.html must itself be servable (not caught by a deny rule above or a
# rewrite below); if it is not, Apache reports the secondary error instead.
# A single static page for all four codes also avoids leaking server detail.
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 401 /error.html
ErrorDocument 500 /error.html
# ----------------------------------------------------------------------
# CORS
# ----------------------------------------------------------------------
# enable cross origin for static media assets
# developer.mozilla.org/en/CORS_Enabled_Image
# Scoped to image extensions only: a wildcard Access-Control-Allow-Origin is
# fine for public static files but must never cover responses that depend
# on cookies or session state.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
# mod_headers, y u no match by Content-Type?!
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
# IS_CORS is set when the request carries an Origin header (any value with
# a ":" in it, e.g. "https://example.org"), so the header is only added to
# cross-origin requests
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>
</IfModule>
</IfModule>
# allow third party webfonts to CORS
# (unconditional here, unlike the image block above)
<IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
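# ----------------------------------------------------------------------
# MIME TYPES
# ----------------------------------------------------------------------
# Explicit types matter for security as well as playback: a file served with
# the wrong Content-Type can be sniffed into something executable (see
# X-Content-Type-Options above). The Expires rules further down key on these
# exact type strings, so change them in both places.
<IfModule mod_mime.c>
# JavaScript
AddType application/javascript js jsonp
AddType application/json json
AddType text/css css
# Audio
AddType audio/ogg oga ogg
AddType audio/mp4 m4a f4a f4b
# Video
AddType video/ogg ogv
AddType video/mp4 mp4 m4v f4v f4p
AddType video/webm webm
AddType video/x-flv flv
# SVG
# Required for svg webfonts on iPad
# twitter.com/FontSquirrel/status/14855840545
AddType image/svg+xml svg svgz
# .svgz is pre-compressed; this adds Content-Encoding: gzip so browsers inflate it
AddEncoding gzip svgz
# Archives
AddType application/x-gzip gz gzip
AddType application/zip zip
AddType application/x-7z-compressed 7z
# was a bare "application/x-tar tar" with the AddType missing — an unknown
# directive in .htaccess is a hard error (500 for every request under this
# directory)
AddType application/x-tar tar
# Webfonts
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttf ttc
AddType font/opentype otf
AddType application/x-font-woff woff
# Image types
AddType image/x-icon ico
AddType image/webp webp
AddType image/gif gif
AddType image/jpeg jpg jpeg jfif
AddType image/png png
# Assorted types
AddType text/cache-manifest appcache manifest
AddType text/x-component htc
AddType application/xml rss atom xml rdf
AddType application/x-chrome-extension crx
AddType application/x-xpinstall xpi
AddType application/octet-stream safariextz
AddType application/x-web-app-manifest+json webapp
AddType text/x-vcard vcf
AddType application/x-shockwave-flash swf
AddType text/vtt vtt
</IfModule>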
# ----------------------------------------------------------------------
# Gzip compression
# ----------------------------------------------------------------------
# Legacy mod_gzip (Apache 1.3 / early 2.x); ignored where the module is absent
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
<IfModule mod_deflate.c>
# force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
# Some proxies corrupt the Accept-Encoding header name or value; the regex
# below recognises the known mangled forms and restores a usable header.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
# only rewritten when the mangled form was detected (env=HAVE_Accept-Encoding)
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>
# compress all output labeled with one of the following MIME-types
# NOTE: compressing text/html that mixes session secrets with
# attacker-influenced content is the precondition for compression
# side-channels (BREACH); consider excluding authenticated HTML.
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE application/atom+xml \
application/javascript \
application/json \
application/rss+xml \
application/vnd.ms-fontobject \
application/x-font-ttf \
application/xhtml+xml \
application/xml \
font/opentype \
image/svg+xml \
image/x-icon \
text/css \
text/html \
text/plain \
text/x-component \
text/xml
</IfModule>
</IfModule>
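# ----------------------------------------------------------------------
# Expires / ETAG
# ----------------------------------------------------------------------
<IfModule mod_expires.c>
ExpiresActive on
# Perhaps better to whitelist expires rules? Perhaps.
ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
ExpiresByType text/cache-manifest "access plus 0 seconds"
# Your document html
ExpiresByType text/html "access plus 0 seconds"
# Data
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType application/json "access plus 0 seconds"
# Favicon (cannot be renamed)
ExpiresByType image/x-icon "access plus 1 week"
# Media: images, video, audio
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
# HTC files (css3pie)
ExpiresByType text/x-component "access plus 1 month"
# Webfonts (type strings must match the AddType entries above)
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
# CSS and JavaScript
# A one-year lifetime only works together with versioned filenames (the
# cache-busting rewrite rule below); without it a deployed fix can sit in
# browser caches for a year.
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
</IfModule>
# Drop ETags: inode-based ETags differ between servers in a cluster (defeating
# conditional requests) and expose inode numbers. Validation through
# Last-Modified / If-Modified-Since is unaffected, so this does not stop
# browsers revalidating — it only removes the ETag path.
# Wrapped in IfModule like every other Header directive in this file: with
# mod_headers absent, "Header" is an invalid command and the whole .htaccess
# fails with a 500.
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None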
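# ----------------------------------------------------------------------
# Rewrite Engine
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
Options +FollowSymlinks
# Options +SymLinksIfOwnerMatch
RewriteEngine On
RewriteBase /
# upgrade 80 to 443
# NOTE: %{HTTPS} is "off" behind a TLS-terminating proxy or load balancer,
# which makes this rule redirect forever; in that setup test
# %{HTTP:X-Forwarded-Proto} instead, and only trust that header when a proxy
# you control actually sets it.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]
# Second CSP header (the "always" table), sent alongside the main policy in
# the Security section; browsers enforce both. Wrapped in IfModule so a
# missing mod_headers does not turn "Header" into an invalid command (500).
<IfModule mod_headers.c>
Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
# rewrite index.php to /, to avoid duplicate content issues
# Target is https:// — the original http:// target bounced every /index.php
# request back to plain HTTP and then up to HTTPS again via the rule above,
# an avoidable downgrade hop. The dot is escaped so only a literal
# "index.php" matches.
RewriteCond %{THE_REQUEST} ^.*/index\.php
RewriteRule ^(.*)index\.php$ https://%{HTTP_HOST}/$1 [R=301,L]
# block trace (TraceEnable is server-config only, hence the rewrite)
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# block hidden folders and files
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
# cache busting for no builds
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
# WARNING: a later RewriteEngine directive overrides the earlier one in the
# same scope, so this "Off" disables EVERY rule above (HTTPS upgrade, TRACE
# block, dotfile block, cache busting). Delete this line to activate them; it
# is left in because the file header says these entries are reference only.
RewriteEngine Off
</IfModule>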