htaccess fun

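###########################################################################
######### NOTE ############################################################
###########################################################################
#
# 1. You should have the following modules enabled (outside of the obvious
#    addition of 'AllowOverride All' in your conf file - no allowoverride? no
#    working htaccess - it's ignored otherwise):
#
#        mod_headers
#        mod_deflate
#        mod_rewrite
#        mod_expires
#
#    (mod_mime is used too; every section below is wrapped in <IfModule>
#    so a missing module skips that section instead of breaking the site.)
#
# If you get a 500 error or blank page, comment out each area one at a
# time, upload and refresh until you find out what caused it.
#
# .. Alternatively you can check your apache error log.
#
###########################################################################
###########################################################################

<IfModule mod_headers.c>

    # ----- https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports
    #
    # You really need to have this defined and use it.
    # ... Basically, it can report/email/notify you when
    # your page is modified by injected scripts etc..
    #
    # NOTE: keyword sources such as self MUST be single-quoted ('self').
    # An unquoted self is parsed as a host named "self", matches nothing,
    # and the policy then blocks your own scripts and stylesheets.
    #
    # ---- DON'T ENABLE THESE UNTIL YOU TEST - use :
    #      Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-hotline.php
    #
    # Header unset Content-Security-Policy
    # Header add Content-Security-Policy "default-src 'self'; report-uri /csp-hotline.php"
    #
    # X-Content-Security-Policy / X-WebKit-CSP are the pre-standard header
    # names; only legacy browsers read them and they take the same value.
    # Header unset X-Content-Security-Policy
    # Header add X-Content-Security-Policy "default-src 'self'; report-uri /csp-hotline.php"
    # Header unset X-WebKit-CSP
    # Header add X-WebKit-CSP "default-src 'self'; report-uri /csp-hotline.php"
    #
    # ... if you're so inclined:

    # Browsers must honour the declared Content-Type and not sniff a
    # different one (stops e.g. an uploaded "image" being run as a script).
    Header set X-Content-Type-Options "nosniff"

    # This site may never be put in a frame/iframe (clickjacking).
    Header set X-Frame-Options "DENY"

    # Ask intermediaries (mobile carriers etc.) not to recompress/rewrite responses.
    Header merge Cache-Control "no-transform"

    # HSTS: ~20 years, including every subdomain. Browsers only remember it
    # when received over HTTPS, so make sure every subdomain is actually
    # reachable over HTTPS before shipping includeSubDomains.
    Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"

    # `mod_headers` cannot match based on the content-type, however,
    # the `X-XSS-Protection` response header should be sent only for
    # HTML documents and not for the other resources.
    # (Current browsers ignore this header; it is kept for older ones.)
    Header set X-XSS-Protection "1; mode=block"
    # so we set it globally and only unset it for known non-HTML assets....
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-XSS-Protection
    </FilesMatch>

    # By removing the ETag header, you disable caches and browsers from being able to validate files,
    # so they are forced to rely on your Cache-Control and Expires header.
    # [Source](http://www.askapache.com/htaccess/apache-speed-etags.html)
    Header unset ETag

    # Allow cross domain fonts
    <FilesMatch "\.(eot|otf|ttc|ttf|woff|woff2)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>

    # Force compression for mangled headers
    # (some proxies/AV products garble Accept-Encoding; detect the known
    #  mangled spellings and put a usable value back.)
    SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((deflate|gzip)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
    RequestHeader append Accept-Encoding "deflate" env=HAVE_Accept-Encoding

</IfModule>

# Core directive (no module needed): stop Apache generating ETags at all,
# so the "Header unset ETag" above has nothing left to strip.
FileETag None

<IfModule mod_expires.c>

    ExpiresActive on
    # Everything not listed below.
    ExpiresDefault "access plus 1 month"

    # CSS
    ExpiresByType text/css "access plus 1 year"

    # Data interchange
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"

    # Favicon (cannot be renamed!)
    ExpiresByType image/x-icon "access plus 1 week"

    # HTML components (HTCs)
    ExpiresByType text/x-component "access plus 1 month"

    # HTML
    ExpiresByType text/html "access plus 0 seconds"

    # JavaScript
    # .js is typed text/javascript by the mod_mime section below, so both
    # MIME types must be listed or the 1-year rule never applies to .js.
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Manifest files
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"

    # Media
    ExpiresByType audio/ogg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType video/mp4 "access plus 1 month"
    ExpiresByType video/ogg "access plus 1 month"
    ExpiresByType video/webm "access plus 1 month"

    # Web feeds
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"

    # Web fonts
    ExpiresByType application/font-woff2 "access plus 1 month"
    ExpiresByType application/font-woff "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    ExpiresByType application/x-font-ttf "access plus 1 month"
    ExpiresByType font/opentype "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"

</IfModule>

# NOTE: this was "mod_rewite.c" (typo) - the whole block was silently
# skipped, so hotlink protection and the view_page rewrite never ran.
<IfModule mod_rewrite.c>

    RewriteEngine On

    # NO IMAGE HOTLINKS!!
    # An empty referer is allowed (direct requests, privacy proxies);
    # anything else must be our own host. Dots are escaped and the host is
    # terminated with (/|$) so only the literal hostname matches.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?(foobar|yourdomain)\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

    # RewriteBase for Production without using PHP
    RewriteCond %{HTTP_HOST} !^localhost$ [NC]
    RewriteRule . - [E=REWRITEBASE:/]

    # RewriteBase for Development
    # -- ALLOWS copying of htaccess back and forth without worrying about different rewrite bases and sub directories
    RewriteCond %{HTTP_HOST} ^localhost$ [NC]
    RewriteRule . - [E=REWRITEBASE:/folder/]

    # Basic kinda generic rewrites
    # Only for URLs that are not an existing file or directory.
    # The dot before php is escaped: unescaped it matched any character
    # (e.g. "fooXphp"). `name` is taken straight from the request path, so
    # view_page.php must validate it before using it as a file name.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^.]+)\.php$ %{ENV:REWRITEBASE}view_page.php?name=$1 [T=application/x-httpd-php]

</IfModule>

<IfModule mod_mime.c>

    #############
    # TYPES FIX #
    #############
    AddType text/css .css
    AddType text/javascript .js

</IfModule>

<IfModule mod_deflate.c>

    ####################
    # GZIP COMPRESSION #
    ####################
    SetOutputFilter DEFLATE
    # application/javascript added so this list agrees with the
    # AddType / ExpiresByType choices above.
    AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml text/javascript application/javascript application/x-javascript application/x-httpd-php
    # Caveat: compressing dynamic HTML that reflects user input next to
    # secrets (session/CSRF tokens) is the precondition for BREACH-style
    # attacks; consider excluding such responses.

    # Legacy Netscape 4 / early MSIE quirks
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

    # Already-compressed image formats gain nothing from DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip

    # "Header" belongs to mod_headers; guard it so a build without
    # mod_headers does not 500 on this line.
    <IfModule mod_headers.c>
        Header append Vary User-Agent env=!dont-vary
    </IfModule>

</IfModule>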
These directives should live in the server config for speed reasons. .htaccess files are great for people on shared hosting, but they are considerably slower than adding the same directives to your vhost.conf, or any other apache.conf you include.

