Last active
January 8, 2022 18:59
.htaccess template for when you're doing apache/wp/php stuff
# By @JAKKVEGA
# Remove or change whatever you don't need. These directives are here
# for reference only and are not meant to be used out of the box.
# ----------------------------------------------------------------------
# General
# ----------------------------------------------------------------------

# Default content language for responses that do not declare one.
DefaultLanguage en-US

# Export TZ into the request environment (CGI/PHP scripts read it there).
SetEnv TZ America/Los_Angeles

# Suppress the server-generated footer on error pages and listings.
# This does not change the "Server" response header; that is governed by
# ServerTokens, which can only be set in the main server configuration.
ServerSignature Off
# ----------------------------------------------------------------------
# UTF-8 encoding
# ----------------------------------------------------------------------

# Declare UTF-8 explicitly for these extensions.
AddCharset utf-8 .css .js .json .rss .xml

# Anything served as text/plain or text/html gets charset=utf-8.
# A declared charset also keeps browsers from guessing the encoding.
AddDefaultCharset utf-8
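# ----------------------------------------------------------------------
# Security
# ----------------------------------------------------------------------

# Deny direct requests for Apache control files.
# The first alternative covers every .ht* file (.htaccess, .htpasswd, ...);
# the second keeps any file name containing ".hta" blocked as well.
# "Require" and "Satisfy" both need AllowOverride AuthConfig.
<FilesMatch "(^\.[Hh][Tt]|\.[Hh][Tt][Aa])">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (on 2.4 these directives need mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# Block access to backup and source files.
# Edit the extension list if you need more or less.
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (on 2.4 these directives need mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# Block PHP execution in selected folders (for example upload directories):
# place the lines below in a separate .htaccess inside that directory.
# Only names ending in .php are matched; if the server maps further
# extensions to the PHP handler, those have to be listed too.
# <Files "*.php">
#     Require all denied
#     # Apache 2.2: Deny from all
# </Files>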
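# Ask intermediaries (proxies, CDNs) not to transform response bodies.
# "merge" appends the token to whatever Cache-Control the application has
# already sent; "set" would replace that header, dropping directives such
# as "no-store" or "private" that an application sends on authenticated pages.
<IfModule mod_headers.c>
    Header merge Cache-Control "no-transform"
</IfModule>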
# Never generate directory listings: a folder without an index file
# answers 403 instead of exposing its contents.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>
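<IfModule mod_headers.c>
    # NOTE: plain "Header set" works on the default (onsuccess) table. Add
    # the "always" condition, as the HSTS line does, where error responses
    # must carry the header too.

    # X-XSS-Protection
    # Current browsers no longer ship the XSS auditor this header controlled,
    # and OWASP guidance is to switch it off explicitly rather than request
    # "1; mode=block". Content-Security-Policy is the control to rely on.
    Header set X-XSS-Protection "0"

    # X-Frame-Options
    Header set X-Frame-Options "SAMEORIGIN"

    # X-Content-Type-Options
    Header set X-Content-Type-Options "nosniff"

    # Strict-Transport-Security
    # Two years, all subdomains: every subdomain has to serve HTTPS before
    # this goes live, because browsers cache the policy for the full max-age.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    # Referrer-Policy
    Header set Referrer-Policy "same-origin"

    # Feature-Policy (since renamed Permissions-Policy, which uses a
    # different value syntax)
    # Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy

    # Content-Security-Policy - Examples
    # Header set Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self' https://code.jquery.com; style-src 'self'"
    #
    # The active policy blocks inline script and plain-HTTP loads but accepts
    # any HTTPS origin; list explicit origins, as in the example above, to
    # constrain where script may come from. frame-ancestors and base-uri do
    # not fall back to default-src and are not set here.
    # Kept on the default table on purpose: the Rewrite Engine section issues
    # "Header always set Content-Security-Policy", and two "set" calls on the
    # same table would leave only the last policy.
    Header set Content-Security-Policy "default-src https:; font-src https: data:; img-src https: data:; script-src https:; style-src https:;"
</IfModule>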
# ----------------------------------------------------------------------
# Errors
# ----------------------------------------------------------------------

# Content negotiation off: without -MultiViews, Apache answers 404 for a
# rewrite when no folder of the same name exists.
# webmasterworld.com/apache/3808792.htm
Options -MultiViews

# Starter mapping only; change as needed. Every listed status shares one
# generic page, which also keeps server detail out of error responses.
ErrorDocument 401 /error.html
ErrorDocument 403 /error.html
ErrorDocument 404 /error.html
ErrorDocument 500 /error.html
# ----------------------------------------------------------------------
# CORS
# ----------------------------------------------------------------------

# Cross-origin access for static image assets.
# developer.mozilla.org/en/CORS_Enabled_Image
# "*" lets any site read these files, so keep it to assets that are public.
<IfModule mod_headers.c>
    <IfModule mod_setenvif.c>
        # mod_headers cannot match on Content-Type, hence the extension list.
        <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
            # The header is only sent when the request carries an Origin.
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>
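# Allow third-party origins to load webfonts (browsers enforce CORS on
# font loads). "*" is only appropriate because font files are public.
# The dot in "font\.css" is escaped so it matches a literal dot, and
# "woff2?" covers .woff2 alongside .woff.
<IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff2?|font\.css)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>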
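# ----------------------------------------------------------------------
# MIME types
# ----------------------------------------------------------------------
# Correct types matter for more than presentation: this file also sends
# "X-Content-Type-Options: nosniff", so browsers refuse scripts and
# stylesheets that arrive with the wrong Content-Type.
<IfModule mod_mime.c>
    # JavaScript
    AddType application/javascript js jsonp
    AddType application/json json
    AddType text/css css

    # Audio
    AddType audio/ogg oga ogg
    AddType audio/mp4 m4a f4a f4b

    # Video
    AddType video/ogg ogv
    AddType video/mp4 mp4 m4v f4v f4p
    AddType video/webm webm
    AddType video/x-flv flv

    # SVG
    # Required for svg webfonts on iPad
    # twitter.com/FontSquirrel/status/14855840545
    AddType image/svg+xml svg svgz
    AddEncoding gzip svgz

    # Archives
    # Every mapping needs its own AddType: a bare "type extension" line is
    # a syntax error, and a syntax error in .htaccess turns every request
    # for the directory into a 500.
    AddType application/x-gzip gz gzip
    AddType application/zip zip
    AddType application/x-7z-compressed 7z
    AddType application/x-tar tar

    # Webfonts
    AddType application/vnd.ms-fontobject eot
    AddType application/x-font-ttf ttf ttc
    AddType font/opentype otf
    AddType application/x-font-woff woff

    # Image types
    AddType image/x-icon ico
    AddType image/webp webp
    AddType image/gif gif
    AddType image/jpeg jpg jpeg jfif
    AddType image/png png

    # Assorted types
    AddType text/cache-manifest appcache manifest
    AddType text/x-component htc
    AddType application/xml rss atom xml rdf
    AddType application/x-chrome-extension crx
    AddType application/x-xpinstall xpi
    AddType application/octet-stream safariextz
    AddType application/x-web-app-manifest+json webapp
    AddType text/x-vcard vcf
    AddType application/x-shockwave-flash swf
    AddType text/vtt vtt
</IfModule>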
# ----------------------------------------------------------------------
# Gzip compression
# ----------------------------------------------------------------------

# Legacy mod_gzip settings; the guard skips the whole block on servers
# that do not load the module.
<IfModule mod_gzip.c>
    mod_gzip_on Yes
    mod_gzip_dechunk Yes

    # What to compress: by file name, by handler, by MIME type.
    mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
    mod_gzip_item_include handler ^cgi-script$
    mod_gzip_item_include mime ^text/.*
    mod_gzip_item_include mime ^application/x-javascript.*

    # What to leave alone: images and responses that are already gzipped.
    mod_gzip_item_exclude mime ^image/.*
    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
<IfModule mod_deflate.c>
    # Force deflate for requests whose Accept-Encoding header arrives mangled:
    # the mangled forms are recognised and the header is restored.
    # developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # Compress every response labelled with one of these MIME types.
    # NOTE(review): text/html and application/json are in the list. Where such
    # responses carry secrets next to request-derived text over TLS,
    # compression side channels are a consideration; confirm per application.
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE application/atom+xml \
                                      application/javascript \
                                      application/json \
                                      application/rss+xml \
                                      application/vnd.ms-fontobject \
                                      application/x-font-ttf \
                                      application/xhtml+xml \
                                      application/xml \
                                      font/opentype \
                                      image/svg+xml \
                                      image/x-icon \
                                      text/css \
                                      text/html \
                                      text/plain \
                                      text/x-component \
                                      text/xml
    </IfModule>
</IfModule>
# ----------------------------------------------------------------------
# Expires / ETAG
# ----------------------------------------------------------------------
<IfModule mod_expires.c>
    ExpiresActive on

    # Fallback for every type not listed below.
    # Perhaps better to whitelist expires rules? Perhaps.
    ExpiresDefault "access plus 1 month"

    # --- No caching lifetime -------------------------------------------
    # cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
    ExpiresByType text/cache-manifest "access plus 0 seconds"
    # Documents
    ExpiresByType text/html "access plus 0 seconds"
    # Data
    ExpiresByType text/xml "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"
    # NOTE(review): a zero lifetime makes a response stale immediately; it
    # does not forbid storing it. Pages with per-user data presumably need
    # their own no-store/private from the application; confirm.

    # --- One week ------------------------------------------------------
    # Favicon (cannot be renamed)
    ExpiresByType image/x-icon "access plus 1 week"

    # --- One month -----------------------------------------------------
    # Images
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    # Video and audio
    ExpiresByType video/ogg "access plus 1 month"
    ExpiresByType audio/ogg "access plus 1 month"
    ExpiresByType video/mp4 "access plus 1 month"
    ExpiresByType video/webm "access plus 1 month"
    # HTC files (css3pie)
    ExpiresByType text/x-component "access plus 1 month"
    # Webfonts
    ExpiresByType application/x-font-ttf "access plus 1 month"
    ExpiresByType font/opentype "access plus 1 month"
    ExpiresByType application/x-font-woff "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"

    # --- One year ------------------------------------------------------
    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
</IfModule>
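# Stop sending ETags, so browsers cannot revalidate files and rely on the
# Expires lifetimes instead. The unset is guarded: outside <IfModule>, a
# server without mod_headers would reject the directive and answer every
# request with a 500.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
FileETag None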
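# ----------------------------------------------------------------------
# Rewrite Engine
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
    # Per-directory rewriting needs FollowSymLinks or SymLinksIfOwnerMatch.
    # Hosts that forbid FollowSymLinks in .htaccess need the second form.
    Options +FollowSymlinks
    # Options +SymLinksIfOwnerMatch

    RewriteEngine On
    RewriteBase /

    # Upgrade port 80 to 443.
    # The target host is taken from the request's Host header; pin the
    # canonical hostname instead if the vhost answers for arbitrary names.
    # NOTE(review): behind a TLS-terminating proxy %{HTTPS} may never be
    # "on", which would make this redirect loop; confirm for the deployment.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

    # Ask browsers to upgrade http:// subresources. Guarded so that a server
    # without mod_headers does not fail on the directive. This goes out as a
    # second Content-Security-Policy header next to the one set in the
    # Security section; browsers enforce both.
    <IfModule mod_headers.c>
        Header always set Content-Security-Policy "upgrade-insecure-requests;"
    </IfModule>

    # Rewrite index.php to /, to avoid duplicate content issues.
    # The redirect targets https:// so a client is never sent back to plain
    # HTTP, and the dot in "index\.php" is escaped to match literally.
    RewriteCond %{THE_REQUEST} ^.*/index\.php
    RewriteRule ^(.*)index\.php$ https://%{HTTP_HOST}/$1 [R=301,L]

    # Refuse TRACE and TRACK requests.
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    # Block hidden (dot) files and folders that exist on disk, but leave
    # /.well-known/ reachable: certificate validation and other standard
    # services are served from there.
    RewriteCond %{REQUEST_URI} !^/\.well-known/
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]

    # Cache busting without a build step: /css/site.123.css -> /css/site.css
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]

    # NOTE(review): this is the last RewriteEngine directive in the file, so
    # it leaves the engine disabled for this directory and none of the rules
    # above run: no HTTPS redirect, no TRACE block, no dot-file block.
    # Delete this line once the rules have been adapted and should go live.
    RewriteEngine Off
</IfModule>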