Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Snippet of Security Tweaks for the .htaccess.
# Deny access to include files.
<Files ~ "\.inc$">
Order Allow,Deny
Deny from All
</Files>
# Deny access to hidden files.
RedirectMatch 403 /\..*$
# Deny access to folders.
Options +ExecCGI +FollowSymLinks -MultiViews -Indexes
<IfModule mod_headers.c>
# Prevent MIME based attacks.
Header set X-Content-Type-Options "nosniff"
# Disallow iframes of your website on other sites.
Header set X-Frame-Options "sameorigin"
# Cross-Site-Scripting Protection
Header set X-XSS-Protection "1; mode=block"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
# Prevent image hotlinking.
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^(.*)://example.com(.*) [NC]
RewriteCond %{HTTP_REFERER} !^(.*)://(.*).example.com(.*) [NC]
RewriteCond %{HTTP_REFERER} %{REMOTE_ADDR}
RewriteRule \.(jpe?g|png|svg|gif|bmp|js|css)$ - [F,L]
# Enforce HTTPS/SSL.
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.