silverstripe-webpack/public/htaccess-dist

96 lines
3.9 KiB
Plaintext
Raw Normal View History

2019-11-07 19:26:33 +01:00
# Redirect to HTTPS
#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Redirect to WWW
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# SPDY protocol
#Header add Alternate-Protocol "443:npn-spdy/3"
# Secure cookies
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
# Apache < 2.2.4
# Header set Set-Cookie HttpOnly;Secure
# Submit domain to https://hstspreload.org/
#Header add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# XSS-protection
#Header add X-Frame-Options "SAMEORIGIN"
#Header add X-Content-Type-Options "nosniff"
#Header add X-XSS-Protection "1; mode=block"
#Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com"
# Hide software headers
Header unset x-powered-by
ServerSignature Off
#ServerTokens Prod
<IfModule php5_module>
php_flag expose_php Off
</IfModule>
<IfModule lsapi_module>
php_flag expose_php Off
</IfModule>
### SILVERSTRIPE START ###
# Deny access to templates (but allow from localhost)
<Files *.ss>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Files>
# Deny access to IIS configuration
<Files web.config>
Order deny,allow
Deny from all
</Files>
# Deny access to YAML configuration files which might include sensitive information
<Files ~ "\.ya?ml$">
Order allow,deny
Deny from all
</Files>
# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
<IfModule mod_rewrite.c>
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
<IfModule mod_dir.c>
DirectoryIndex disabled
DirectorySlash On
</IfModule>
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC]
RewriteRule ^\.env - [F,L,NC]
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
RewriteRule composer\.(json|lock) - [F,L,NC]
RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]
# Process through SilverStripe if no file with the requested name exists.
# Pass through the original path as a query parameter, and retain the existing parameters.
# Try finding framework in the vendor folder first
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
</IfModule>
### SILVERSTRIPE END ###