RewriteEngine On # Redirect to no-WWW RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC] RewriteRule ^(.*)$ http://%1%{REQUEST_URI} [R=301,QSA,NC,L] # Redirect to WWW #RewriteCond %{HTTP_HOST} !^www\. [NC] #RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301] # Redirect to HTTPS RewriteCond %{HTTP:X-Forwarded-Proto} =http RewriteCond %{HTTPS} off #RewriteCond %{SERVER_PORT} 80 RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] # SPDY protocol #Header add Alternate-Protocol "443:npn-spdy/3" # Secure cookies #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure #Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict # Apache < 2.2.4 # Header set Set-Cookie HttpOnly;Secure # Submit domain to https://hstspreload.org/ Header add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # XSS-protection #Header add X-Frame-Options "SAMEORIGIN" #Header add X-Content-Type-Options "nosniff" #Header add X-XSS-Protection "1; mode=block" #Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com" # Hide software headers Header unset x-powered-by ServerSignature Off #ServerTokens Prod php_flag expose_php Off php_flag expose_php Off ### SILVERSTRIPE START ### # Deny access to templates (but allow from localhost) Order deny,allow Deny from all Allow from 127.0.0.1 # Deny access to IIS configuration Order deny,allow Deny from all # Deny access to YAML configuration files which might include sensitive information Order allow,deny Deny from all # Route errors to static pages automatically generated by SilverStripe ErrorDocument 404 /assets/error-404.html ErrorDocument 500 /assets/error-500.html # Turn off index.php handling requests to the homepage fixes issue in apache >=2.4 DirectoryIndex disabled DirectorySlash On SetEnv HTTP_MOD_REWRITE On RewriteEngine On # Enable HTTP Basic authentication workaround for PHP running in CGI mode RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # Deny access to potentially sensitive files and folders RewriteRule ^vendor(/|$) - [F,L,NC] RewriteRule ^\.env - [F,L,NC] RewriteRule silverstripe-cache(/|$) - [F,L,NC] RewriteRule composer\.(json|lock) - [F,L,NC] RewriteRule (error|silverstripe|debug)\.log - [F,L,NC] # Process through SilverStripe if no file with the requested name exists. # Pass through the original path as a query parameter, and retain the existing parameters. # Try finding framework in the vendor folder first RewriteCond %{REQUEST_URI} ^(.*)$ RewriteCond %{REQUEST_FILENAME} !-f RewriteRule .* index.php ### SILVERSTRIPE END ###