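RewriteEngine On

# Redirect to HTTPS
# This rule comes first so that http://www.<host> is redirected to
# https://www.<host> on the same host before any host canonicalisation.
# hstspreload.org (see the Strict-Transport-Security header below) requires
# the first redirect off plain HTTP to stay on the same host.
# Three ORed conditions: plain HTTP seen by a TLS-terminating proxy
# (X-Forwarded-Proto), plain HTTP on a listener Apache terminates itself,
# or port 80. SERVER_PORT is a regex match, so it is anchored: an unanchored
# "80" also matched 8080, 800 and similar ports. X-Forwarded-Proto is
# client-controllable, but a forged value can only add a redirect, never
# suppress one, because the other two conditions stand on their own.
RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
RewriteCond %{HTTPS} off [OR]
RewriteCond %{SERVER_PORT} ^80$
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect to no-WWW
# The target scheme is https: the previous http:// target sent a visitor who
# arrived on https://www.<host> back over plain text for one hop, which both
# leaks the request and disqualifies the domain from HSTS preload.
# %1 is the host captured without its leading "www.". QSA is redundant
# (the substitution carries no "?", so the query string is preserved
# anyway) but harmless.
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,QSA,NC,L]

# Redirect to WWW
# Mutually exclusive with the no-WWW block above; enable exactly one of the
# two, otherwise the two redirects loop.
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]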
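# SPDY protocol
# Kept disabled: SPDY has been superseded by HTTP/2 and current browsers
# ignore Alternate-Protocol, so enabling this only adds a dead header.
#Header add Alternate-Protocol "443:npn-spdy/3"

# Secure cookies
# Each variant rewrites every Set-Cookie header to append the flags. The
# edit is unconditional, so a cookie the application already marks
# HttpOnly/Secure receives the attribute twice. Prefer setting the flags in
# the application (e.g. PHP's session.cookie_secure / session.cookie_httponly)
# and treat these lines as a stop-gap for code that cannot be changed.
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
# Apache < 2.2.4
# "Header edit" arrived in 2.2.4; this older form uses "set", which replaces
# the whole cookie header instead of editing it, so it is for reference only.
# Header set Set-Cookie HttpOnly;Secure

# Submit domain to https://hstspreload.org/
# "always" attaches the header to every response, including the 301
# redirects issued by the rewrite rules above; the default condition
# (onsuccess) only touches 2xx responses, and both browsers and the preload
# checker need HSTS on the redirect hops too. "set" rather than "add" keeps
# a single header if an upstream layer also emits one.
# max-age=63072000 is two years; hstspreload.org requires at least one year
# plus includeSubDomains and preload. includeSubDomains means every
# subdomain must be reachable over HTTPS before this is enabled.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

# XSS-protection
# All of these are left disabled; they are site-specific decisions.
# X-Frame-Options SAMEORIGIN and X-Content-Type-Options nosniff are safe to
# enable for a site that is not embedded in third-party frames.
# X-XSS-Protection is deprecated and ignored by current browsers.
# The draft CSP below allows 'unsafe-inline' and 'unsafe-eval' in script-src,
# which removes most of the script-injection protection a CSP provides, and
# it declares no default-src, so every directive not listed (img, style,
# connect, frame-ancestors, ...) stays unrestricted. Review before enabling.
#Header add X-Frame-Options "SAMEORIGIN"
#Header add X-Content-Type-Options "nosniff"
#Header add X-XSS-Protection "1; mode=block"
#Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com"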
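# Hide software headers
# "always" applies the unset to both header tables, so the header is
# stripped from non-2xx responses as well as from 2xx ones; without it the
# previous form only covered successful responses. Header names are
# case-insensitive, so X-Powered-By and x-powered-by are the same header.
Header always unset X-Powered-By
ServerSignature Off
# ServerTokens is only valid in server config context and cannot be set
# from .htaccess; put "ServerTokens Prod" in the main configuration instead.
#ServerTokens Prod

# expose_php is PHP_INI_ONLY: it cannot be changed through php_flag, so
# these blocks are no-ops on stock builds. Set "expose_php = Off" in php.ini;
# the Header unset above is what actually removes the header at the HTTP
# layer. Note also that PHP 7 registers as php7_module and PHP 8 as
# php_module, so the first block only ever matches a PHP 5 installation.
<IfModule php5_module>
    php_flag expose_php Off
</IfModule>

<IfModule lsapi_module>
    php_flag expose_php Off
</IfModule>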
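### SILVERSTRIPE START ###

# Deny access to templates (but allow from localhost)
# Two forms are kept so the deny works on any Apache version: 2.4 evaluates
# the mod_authz_core "Require" block, while 2.2 (or 2.4 with mod_access_compat)
# evaluates the Order/Deny/Allow block. With only the old syntax, a 2.4 server
# that does not load mod_access_compat answers every request with a 500
# instead of a clean 403. <Files> matches on the basename, so templates in
# any subdirectory are covered.
<Files *.ss>
    <IfModule mod_authz_core.c>
        Require ip 127.0.0.1
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </IfModule>
</Files>

# Deny access to IIS configuration
<Files web.config>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Deny access to YAML configuration files which might include sensitive information
<FilesMatch "\.ya?ml$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Route errors to static pages automatically generated by SilverStripe
# The paths are document-root relative; if the static page is missing Apache
# falls back to its built-in error response.
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html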
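<IfModule mod_rewrite.c>

    # Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
    # ("DirectoryIndex disabled" is a 2.4 keyword; with it, directory requests
    # fall through to the rewrite below instead of being served by mod_dir.)
    <IfModule mod_dir.c>
        DirectoryIndex disabled
        DirectorySlash On
    </IfModule>

    # Environment flag exported to the application, presumably so it can
    # tell that rewriting is active.
    SetEnv HTTP_MOD_REWRITE On
    RewriteEngine On

    # Enable HTTP Basic authentication workaround for PHP running in CGI mode
    # (CGI/FastCGI does not receive the Authorization header by default; this
    # copies it into an environment variable. Harmless under mod_php.)
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Deny access to potentially sensitive files and folders
    # [F] answers 403 before the request reaches index.php. "^vendor" and
    # "^\.env" are anchored to the directory holding this .htaccess; the
    # cache, composer and log patterns are unanchored and so match at any
    # depth. "^\.env" has no "$", so .env.local, .env.example and similar
    # are refused as well.
    RewriteRule ^vendor(/|$) - [F,L,NC]
    RewriteRule ^\.env - [F,L,NC]
    RewriteRule silverstripe-cache(/|$) - [F,L,NC]
    RewriteRule composer\.(json|lock) - [F,L,NC]
    RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]

    # Process through SilverStripe if no file with the requested name exists.
    # Nothing is rewritten into the query string; the original query string
    # is preserved because the substitution contains no "?". (The previous
    # "RewriteCond %{REQUEST_URI} ^(.*)$" was an always-true leftover whose
    # capture was never used, and has been removed.) Directories pass the
    # !-f test and are routed to index.php as intended.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule .* index.php

</IfModule>
### SILVERSTRIPE END ###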