htaccess fun

########################################################################### ######### NOTE ############################################################ ########################################################################### # # 1. You should have the following modules enabled (outside of the obvious # addition of 'AllowOverride All' in your conf file - no allowoverride? no # working htaccess - it's ignored otherwise): # # mod_headers # mod_deflate # mod_rewrite # mod_expires # # If you get a 500 error or blank page, comment out each area one at a # time, upload and refresh until you find out what caused it. # # .. Alternatively you can check your apache error log. # ########################################################################### ########################################################################### <IfModule mod_headers.c> # ----- https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports # # You really need to have this defined and use it. # ... Basically, it can report/email/notify you when # when your page is modified by injected scripts etc.. # # ---- DON'T ENABLE THESE UNTIL YOU TEST - use : Content-Security-Policy-Report-Only: default-src self; report-uri /csp-hotline.php # Header unset Content-Security-Policy # Header add Content-Security-Policy "default-src self; report-uri /csp-hotline.php" # Header unset X-Content-Security-Policy # Header add X-Content-Security-Policy "default-src self; report-uri /csp-hotline.php" # Header unset X-WebKit-CSP # Header add X-WebKit-CSP "default-src self; report-uri /csp-hotline.php" # # ... if you're so inclined: Header set X-Content-Type-Options "nosniff" Header set X-Frame-Options "DENY" Header merge Cache-Control "no-transform" Header set Strict-Transport-Security "max-age=631138519; includeSubDomains" # # `mod_headers` cannot match based on the content-type, however, # the `X-XSS-Protection` response header should be send only for # HTML documents and not for the other resources. Header set X-XSS-Protection "1; mode=block" # so we set and only unset if.... <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$"> Header unset X-XSS-Protection </FilesMatch> # By removing the ETag header, you disable caches and browsers from being able to validate files, # so they are forced to rely on your Cache-Control and Expires header. # [Source](http://www.askapache.com/htaccess/apache-speed-etags.html) Header unset ETag # Allow cross domain fonts <FilesMatch "\.(eot|otf|ttc|ttf|woff|woff2)$"> Header set Access-Control-Allow-Origin "*" </FilesMatch> # Force compression for mangled headers SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((deflate|gzip)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding "deflate" env=HAVE_Accept-Encoding </IfModule> <IfModule mod_expires.c> ExpiresActive on ExpiresDefault "access plus 1 month" # CSS ExpiresByType text/css "access plus 1 year" # Data interchange ExpiresByType application/json "access plus 0 seconds" ExpiresByType application/xml "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" # Favicon (cannot be renamed!) ExpiresByType image/x-icon "access plus 1 week" # HTML components (HTCs) ExpiresByType text/x-component "access plus 1 month" # HTML ExpiresByType text/html "access plus 0 seconds" # JavaScript ExpiresByType application/javascript "access plus 1 year" # Manifest files ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds" ExpiresByType text/cache-manifest "access plus 0 seconds" # Media ExpiresByType audio/ogg "access plus 1 month" ExpiresByType image/gif "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType video/mp4 "access plus 1 month" ExpiresByType video/ogg "access plus 1 month" ExpiresByType video/webm "access plus 1 month" # Web feeds ExpiresByType application/atom+xml "access plus 1 hour" ExpiresByType application/rss+xml "access plus 1 hour" # Web fonts ExpiresByType application/font-woff2 "access plus 1 month" ExpiresByType application/font-woff "access plus 1 month" ExpiresByType application/vnd.ms-fontobject "access plus 1 month" ExpiresByType application/x-font-ttf "access plus 1 month" ExpiresByType font/opentype "access plus 1 month" ExpiresByType image/svg+xml "access plus 1 month" </IfModule> <IfModule mod_rewite.c> RewriteEngine On # NO IMAGE HOTLINKS!! RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?(foobar|yourdomain).com [NC] RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L] # RewriteBase for Production without using PHP RewriteCond %{HTTP_HOST} !^localhost$ [NC] RewriteRule . - [E=REWRITEBASE:/] # RewriteBase for Development # -- ALLOWS copying of htaccess back and forth without worrying about different rewrite bases and sub directories RewriteCond %{HTTP_HOST} ^localhost$ [NC] RewriteRule . - [E=REWRITEBASE:/folder/] # Basic kinda generic rewrites RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^([^.]+).php$ %{ENV:REWRITEBASE}view_page.php?name=$1 [T=application/x-httpd-php] </IfModule> <IfModule mod_mime.c> ############# # TYPES FIX # ############# AddType text/css .css AddType text/javascript .js </IfModule> <IfModule mod_deflate.c> #################### # GZIP COMPRESSION # #################### SetOutputFilter DEFLATE AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml text/javascript application/x-javascript application/x-httpd-php BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip Header append Vary User-Agent env=!dont-vary </IfModule>