Created
January 16, 2017 14:52
-
-
Save verschuur/da3430bcade3359d9a03d4fcdd1867f6 to your computer and use it in GitHub Desktop.
Handy dandy complete .htaccess
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# ---------------------------------------------------------------------- | |
# | Basic rewrite settings | |
# ---------------------------------------------------------------------- | |
<IfModule mod_rewrite.c> | |
<IfModule mod_negotiation.c> | |
Options -MultiViews | |
</IfModule> | |
RewriteEngine On | |
# Redirect Trailing Slashes... | |
# RewriteRule ^(.*)/$ /$1 [L,R=301] | |
# Force redirect from HTTP to HTTPS (for specific hosts if needed) | |
# RewriteCond %{HTTPS} off | |
# RewriteCond %{HTTP_HOST} domain.\.com$ [OR] # copy this line if you want to match multiple domains | |
# RewriteCond %{HTTP_HOST} anotherdomain\.com$ [NC] # when using redirect, make sure this is the last domain match and it ends with [NC] | |
# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] | |
# Handle Front Controller (i.e. routing everything to a single file, except for existing directories and files) | |
# RewriteCond %{REQUEST_FILENAME} !-d | |
# RewriteCond %{REQUEST_FILENAME} !-f | |
# RewriteRule ^ index.php [L] | |
</IfModule> | |
# ###################################################################### | |
# | Settings taken from HTML5 boilerplate (https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess) | |
# ###################################################################### | |
# ---------------------------------------------------------------------- | |
# | Server software information | | |
# ---------------------------------------------------------------------- | |
# Prevent Apache from adding a trailing footer line containing | |
# information about the server to the server-generated documents | |
# (e.g.: error messages, directory listings, etc.) | |
# | |
# https://httpd.apache.org/docs/current/mod/core.html#serversignature | |
ServerSignature Off | |
# ###################################################################### | |
# # MEDIA TYPES AND CHARACTER ENCODINGS # | |
# ###################################################################### | |
# Serve resources with the proper media types (f.k.a. MIME types). | |
# | |
# https://www.iana.org/assignments/media-types/media-types.xhtml | |
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype | |
<IfModule mod_mime.c> | |
# Data interchange | |
AddType application/atom+xml atom | |
AddType application/json json map topojson | |
AddType application/ld+json jsonld | |
AddType application/rss+xml rss | |
AddType application/vnd.geo+json geojson | |
AddType application/xml rdf xml | |
# JavaScript | |
# Normalize to standard type. | |
# https://tools.ietf.org/html/rfc4329#section-7.2 | |
AddType application/javascript js | |
# Manifest files | |
AddType application/manifest+json webmanifest | |
AddType application/x-web-app-manifest+json webapp | |
AddType text/cache-manifest appcache | |
# Media files | |
AddType audio/mp4 f4a f4b m4a | |
AddType audio/ogg oga ogg opus | |
AddType image/bmp bmp | |
AddType image/svg+xml svg svgz | |
AddType image/webp webp | |
AddType video/mp4 f4v f4p m4v mp4 | |
AddType video/ogg ogv | |
AddType video/webm webm | |
AddType video/x-flv flv | |
# Serving `.ico` image files with a different media type | |
# prevents Internet Explorer from displaying them as images: | |
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee | |
AddType image/x-icon cur ico | |
# Web fonts | |
AddType application/font-woff woff | |
AddType application/font-woff2 woff2 | |
AddType application/vnd.ms-fontobject eot | |
# Browsers usually ignore the font media types and simply sniff | |
# the bytes to figure out the font type. | |
# https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern | |
# | |
# However, Blink and WebKit based browsers will show a warning | |
# in the console if the following font types are served with any | |
# other media types. | |
AddType application/x-font-ttf ttc ttf | |
AddType font/opentype otf | |
# Other | |
AddType application/octet-stream safariextz | |
AddType application/x-bb-appworld bbaw | |
AddType application/x-chrome-extension crx | |
AddType application/x-opera-extension oex | |
AddType application/x-xpinstall xpi | |
AddType text/vcard vcard vcf | |
AddType text/vnd.rim.location.xloc xloc | |
AddType text/vtt vtt | |
AddType text/x-component htc | |
</IfModule> | |
# ###################################################################### | |
# # SECURITY # | |
# ###################################################################### | |
# ---------------------------------------------------------------------- | |
# | Clickjacking | | |
# ---------------------------------------------------------------------- | |
# Protect website against clickjacking. | |
# | |
# The example below sends the `X-Frame-Options` response header with | |
# the value `DENY`, informing browsers not to display the content of | |
# the web page in any frame. | |
# | |
# This might not be the best setting for everyone. You should read | |
# about the other two possible values the `X-Frame-Options` header | |
# field can have: `SAMEORIGIN` and `ALLOW-FROM`. | |
# https://tools.ietf.org/html/rfc7034#section-2.1. | |
# | |
# Keep in mind that while you could send the `X-Frame-Options` header | |
# for all of your website’s pages, this has the potential downside that | |
# it forbids even non-malicious framing of your content (e.g.: when | |
# users visit your website using a Google Image Search results page). | |
# | |
# Nonetheless, you should ensure that you send the `X-Frame-Options` | |
# header for all pages that allow a user to make a state changing | |
# operation (e.g: pages that contain one-click purchase links, checkout | |
# or bank-transfer confirmation pages, pages that make permanent | |
# configuration changes, etc.). | |
# | |
# Sending the `X-Frame-Options` header can also protect your website | |
# against more than just clickjacking attacks: | |
# https://cure53.de/xfo-clickjacking.pdf. | |
# | |
# https://tools.ietf.org/html/rfc7034 | |
# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx | |
# https://www.owasp.org/index.php/Clickjacking | |
# <IfModule mod_headers.c> | |
# Header set X-Frame-Options "DENY" | |
# # `mod_headers` cannot match based on the content-type, however, | |
# # the `X-Frame-Options` response header should be send only for | |
# # HTML documents and not for the other resources. | |
# <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$"> | |
# Header unset X-Frame-Options | |
# </FilesMatch> | |
# </IfModule> | |
# ---------------------------------------------------------------------- | |
# | File access | | |
# ---------------------------------------------------------------------- | |
# Block access to directories without a default document. | |
# | |
# You should leave the following uncommented, as you shouldn't allow | |
# anyone to surf through every directory on your server (which may | |
# includes rather private places such as the CMS's directories). | |
<IfModule mod_autoindex.c> | |
Options -Indexes | |
</IfModule> | |
# ---------------------------------------------------------------------- | |
# | Reducing MIME type security risks | | |
# ---------------------------------------------------------------------- | |
# Prevent some browsers from MIME-sniffing the response. | |
# | |
# This reduces exposure to drive-by download attacks and cross-origin | |
# data leaks, and should be left uncommented, especially if the server | |
# is serving user-uploaded content or content that could potentially be | |
# treated as executable by the browser. | |
# | |
# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa | |
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx | |
# https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx | |
# https://mimesniff.spec.whatwg.org/ | |
<IfModule mod_headers.c> | |
Header set X-Content-Type-Options "nosniff" | |
</IfModule> | |
# ---------------------------------------------------------------------- | |
# | Server-side technology information | | |
# ---------------------------------------------------------------------- | |
# Remove the `X-Powered-By` response header that: | |
# | |
# * is set by some frameworks and server-side languages | |
# (e.g.: ASP.NET, PHP), and its value contains information | |
# about them (e.g.: their name, version number) | |
# | |
# * doesn't provide any value to users, contributes to header | |
# bloat, and in some cases, the information it provides can | |
# expose vulnerabilities | |
# | |
# (!) If you can, you should disable the `X-Powered-By` header from the | |
# language / framework level (e.g.: for PHP, you can do that by setting | |
# `expose_php = off` in `php.ini`) | |
# | |
# https://php.net/manual/en/ini.core.php#ini.expose-php | |
<IfModule mod_headers.c> | |
Header unset X-Powered-By | |
</IfModule> | |
# ---------------------------------------------------------------------- | |
# | Compression | | |
# ---------------------------------------------------------------------- | |
<IfModule mod_deflate.c> | |
# Force compression for mangled `Accept-Encoding` request headers | |
# https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html | |
<IfModule mod_setenvif.c> | |
<IfModule mod_headers.c> | |
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding | |
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding | |
</IfModule> | |
</IfModule> | |
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
# Compress all output labeled with one of the following media types. | |
# | |
# (!) For Apache versions below version 2.3.7 you don't need to | |
# enable `mod_filter` and can remove the `<IfModule mod_filter.c>` | |
# and `</IfModule>` lines as `AddOutputFilterByType` is still in | |
# the core directives. | |
# | |
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype | |
<IfModule mod_filter.c> | |
AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
"application/javascript" \ | |
"application/json" \ | |
"application/ld+json" \ | |
"application/manifest+json" \ | |
"application/rdf+xml" \ | |
"application/rss+xml" \ | |
"application/schema+json" \ | |
"application/vnd.geo+json" \ | |
"application/vnd.ms-fontobject" \ | |
"application/x-font-ttf" \ | |
"application/x-javascript" \ | |
"application/x-web-app-manifest+json" \ | |
"application/xhtml+xml" \ | |
"application/xml" \ | |
"font/eot" \ | |
"font/opentype" \ | |
"image/bmp" \ | |
"image/svg+xml" \ | |
"image/vnd.microsoft.icon" \ | |
"image/x-icon" \ | |
"text/cache-manifest" \ | |
"text/css" \ | |
"text/html" \ | |
"text/javascript" \ | |
"text/plain" \ | |
"text/vcard" \ | |
"text/vnd.rim.location.xloc" \ | |
"text/vtt" \ | |
"text/x-component" \ | |
"text/x-cross-domain-policy" \ | |
"text/xml" | |
</IfModule> | |
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | |
# Map the following filename extensions to the specified | |
# encoding type in order to make Apache serve the file types | |
# with the appropriate `Content-Encoding` response header | |
# (do note that this will NOT make Apache compress them!). | |
# | |
# If these files types would be served without an appropriate | |
# `Content-Enable` response header, client applications (e.g.: | |
# browsers) wouldn't know that they first need to uncompress | |
# the response, and thus, wouldn't be able to understand the | |
# content. | |
# | |
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding | |
<IfModule mod_mime.c> | |
AddEncoding gzip svgz | |
</IfModule> | |
</IfModule> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment