| 1 | + |
| 2 | +# ############################################################################## |
| 3 | +# # SECURITY # |
| 4 | +# ############################################################################## |
| 5 | + |
| 6 | +# ------------------------------------------------------------------------------ |
| 7 | +# | File access | |
| 8 | +# ------------------------------------------------------------------------------ |
| 9 | + |
| 10 | +# Block access to directories without a default document. |
| 11 | +# |
| 12 | +# You should leave the following uncommented, as you shouldn't allow |
| 13 | +# anyone to surf through every directory on your server (which may |
| 14 | +# includes rather private places such as the CMS's directories). |
| 15 | + |
| 16 | +<IfModule mod_autoindex.c> |
| 17 | + Options -Indexes |
| 18 | +</IfModule> |
| 19 | + |
| 20 | +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 21 | + |
| 22 | +# Block access to all hidden files and directories with the exception of |
| 23 | +# the visible content from within the `/.well-known/` hidden directory. |
| 24 | +# |
| 25 | +# These types of files usually contain user preferences or the preserved |
| 26 | +# state of an utility, and can include rather private places like, for |
| 27 | +# example, the `.git` or `.svn` directories. |
| 28 | +# |
| 29 | +# The `/.well-known/` directory represents the standard (RFC 5785) path |
| 30 | +# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, |
| 31 | +# `/.well-known/keybase.txt`), and therefore, access to its visible |
| 32 | +# content should not be blocked. |
| 33 | +# |
| 34 | +# https://www.mnot.net/blog/2010/04/07/well-known |
| 35 | +# https://tools.ietf.org/html/rfc5785 |
| 36 | + |
| 37 | +<IfModule mod_rewrite.c> |
| 38 | + RewriteEngine On |
| 39 | + RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC] |
| 40 | + RewriteCond %{SCRIPT_FILENAME} -d [OR] |
| 41 | + RewriteCond %{SCRIPT_FILENAME} -f |
| 42 | + RewriteRule "(^|/)\." - [F] |
| 43 | +</IfModule> |
| 44 | + |
| 45 | +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 46 | + |
| 47 | +# Block access to files that can expose sensitive information. |
| 48 | +# |
| 49 | +# By default, block access to backup and source files that may be |
| 50 | +# left by some text editors and can pose a security risk when anyone |
| 51 | +# has access to them. |
| 52 | +# |
| 53 | +# http://feross.org/cmsploit/ |
| 54 | +# |
| 55 | +# (!) Update the `<FilesMatch>` regular expression from below to |
| 56 | +# include any files that might end up on your production server and |
| 57 | +# can expose sensitive information about your website. These files may |
| 58 | +# include: configuration files, files that contain metadata about the |
| 59 | +# project (e.g.: project dependencies), build scripts, etc.. |
| 60 | + |
| 61 | +<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$"> |
| 62 | + |
| 63 | + # Apache < 2.3 |
| 64 | + <IfModule !mod_authz_core.c> |
| 65 | + Order allow,deny |
| 66 | + Deny from all |
| 67 | + Satisfy All |
| 68 | + </IfModule> |
| 69 | + |
| 70 | + # Apache ≥ 2.3 |
| 71 | + <IfModule mod_authz_core.c> |
| 72 | + Require all denied |
| 73 | + </IfModule> |
| 74 | + |
| 75 | +</FilesMatch> |
| 76 | + |
| 77 | +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 78 | + |
| 79 | +# Block access to README.md. |
| 80 | + |
| 81 | +<Files "README.md"> |
| 82 | + |
| 83 | + # Apache < 2.3 |
| 84 | + <IfModule !mod_authz_core.c> |
| 85 | + Order allow,deny |
| 86 | + Deny from all |
| 87 | + Satisfy All |
| 88 | + </IfModule> |
| 89 | + |
| 90 | + # Apache ≥ 2.3 |
| 91 | + <IfModule mod_authz_core.c> |
| 92 | + Require all denied |
| 93 | + </IfModule> |
| 94 | + |
| 95 | +</Files> |
| 96 | + |
| 97 | + |
| 98 | +# ------------------------------------------------------------------------------ |
| 99 | +# | Server-side technology information | |
| 100 | +# ------------------------------------------------------------------------------ |
| 101 | + |
| 102 | +# Remove the `X-Powered-By` response header that: |
| 103 | +# |
| 104 | +# * is set by some frameworks and server-side languages |
| 105 | +# (e.g.: ASP.NET, PHP), and its value contains information |
| 106 | +# about them (e.g.: their name, version number) |
| 107 | +# |
| 108 | +# * doesn't provide any value as far as users are concern, |
| 109 | +# and in some cases, the information provided by it can |
| 110 | +# be used by attackers |
| 111 | +# |
| 112 | +# (!) If you can, you should disable the `X-Powered-By` header from the |
| 113 | +# language / framework level (e.g.: for PHP, you can do that by setting |
| 114 | +# `expose_php = off` in `php.ini`) |
| 115 | +# |
| 116 | +# https://php.net/manual/en/ini.core.php#ini.expose-php |
| 117 | + |
| 118 | +<IfModule mod_headers.c> |
| 119 | + Header unset X-Powered-By |
| 120 | +</IfModule> |
| 121 | + |
| 122 | +# ------------------------------------------------------------------------------ |
| 123 | +# | Server software information | |
| 124 | +# ------------------------------------------------------------------------------ |
| 125 | + |
| 126 | +# Prevent Apache from adding a trailing footer line containing |
| 127 | +# information about the server to the server-generated documents |
| 128 | +# (e.g.: error messages, directory listings, etc.) |
| 129 | +# |
| 130 | +# https://httpd.apache.org/docs/current/mod/core.html#serversignature |
| 131 | + |
| 132 | +ServerSignature Off |
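Review bot: The hidden-file deny at gutter lines 37–43 lives entirely inside `<IfModule mod_rewrite.c>`, so on a host where mod_rewrite is not loaded (or rewriting is not permitted by `AllowOverride`) `.git/`, `.svn/` and similar paths are served as ordinary files, while the backup-file section just below it already denies without any module dependency. A `RedirectMatch 403` fallback under `<IfModule !mod_rewrite.c>` keeps the same `.well-known` exception and needs only mod_alias, which is a base module in most builds. One behavioural difference worth a comment: it answers 403 for dot-paths that do not exist on disk, whereas the rewrite version (`-d`/`-f` conditions) lets those fall through to normal 404 handling. Separately, the unescaped `.` in `([^./]+./?)+` on line 39 looks like it was meant as `\.?`; as written it consumes an arbitrary character, so short names such as `/.well-known/x` or `/.well-known/a.b` fall outside the exception and are denied — worth confirming against the well-known URIs the site actually serves.
```apache
# Fallback when mod_rewrite is unavailable: deny dot-paths via mod_alias,
# keeping the /.well-known/ exception (fires even if the path does not exist).
<IfModule !mod_rewrite.c>
    <IfModule mod_alias.c>
        RedirectMatch 403 "/\.(?!well-known/)"
    </IfModule>
</IfModule>
```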