Last active
August 29, 2015 14:16
-
-
Save renesansz/a2ce0e1df52b08fda666 to your computer and use it in GitHub Desktop.
.htaccess w/ File Access [From HTML5 Boilerplate]
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ---------------------------------------------------------------------- | |
# | File access | | |
# ---------------------------------------------------------------------- | |
# Block access to directories without a default document. | |
# | |
# You should leave the following uncommented, as you shouldn't allow | |
# anyone to surf through every directory on your server (which may | |
# includes rather private places such as the CMS's directories). | |
<IfModule mod_autoindex.c> | |
Options -Indexes | |
</IfModule> | |
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
# Block access to all hidden files and directories with the exception of | |
# the visible content from within the `/.well-known/` hidden directory. | |
# | |
# These types of files usually contain user preferences or the preserved | |
# state of an utility, and can include rather private places like, for | |
# example, the `.git` or `.svn` directories. | |
# | |
# The `/.well-known/` directory represents the standard (RFC 5785) path | |
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, | |
# `/.well-known/keybase.txt`), and therefore, access to its visible | |
# content should not be blocked. | |
# | |
# https://www.mnot.net/blog/2010/04/07/well-known | |
# https://tools.ietf.org/html/rfc5785 | |
<IfModule mod_rewrite.c> | |
RewriteEngine On | |
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC] | |
RewriteCond %{SCRIPT_FILENAME} -d [OR] | |
RewriteCond %{SCRIPT_FILENAME} -f | |
RewriteRule "(^|/)\." - [F] | |
</IfModule> | |
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
# Block access to files that can expose sensitive information. | |
# | |
# By default, block access to backup and source files that may be | |
# left by some text editors and can pose a security risk when anyone | |
# has access to them. | |
# | |
# http://feross.org/cmsploit/ | |
# | |
# (!) Update the `<FilesMatch>` regular expression from below to | |
# include any files that might end up on your production server and | |
# can expose sensitive information about your website. These files may | |
# include: configuration files, files that contain metadata about the | |
# project (e.g.: project dependencies), build scripts, etc.. | |
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$"> | |
# Apache < 2.3 | |
<IfModule !mod_authz_core.c> | |
Order allow,deny | |
Deny from all | |
Satisfy All | |
</IfModule> | |
# Apache ≥ 2.3 | |
<IfModule mod_authz_core.c> | |
Require all denied | |
</IfModule> | |
</FilesMatch> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment