forked from punbb/punbb
-
Notifications
You must be signed in to change notification settings - Fork 5
/
.htaccess.dist
103 lines (78 loc) · 4.46 KB
/
.htaccess.dist
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# BEGIN PunBB
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
# MultiViews interfers with proper rewriting
Options -MultiViews
RewriteEngine On
# Uncomment and properly set the RewriteBase if the rewrite rules are not working properly
#RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . rewrite.php [L]
</IfModule>
# ----------------------------------------------------------------------
# Better website experience for IE users
# ----------------------------------------------------------------------
# Force the latest IE version, in various cases when it may fall back to IE7 mode
# github.com/rails/rails/commit/123eb25#commitcomment-118920
# Use ChromeFrame if it's installed for a better experience for the poor IE folk
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
BrowserMatch MSIE ie
Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie
</IfModule>
</IfModule>
<IfModule mod_headers.c>
# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),
# We need to inform proxies that content changes based on UA
Header append Vary User-Agent
# Cache control is set only if mod_headers is enabled, so that's unncessary to declare
</IfModule>
# ----------------------------------------------------------------------
# UTF-8 encoding
# ----------------------------------------------------------------------
# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats
AddCharset utf-8 .html .css .js .xml .json .rss
# ----------------------------------------------------------------------
# A little more security
# ----------------------------------------------------------------------
# Do we want to advertise the exact version number of Apache we're running?
# Probably not.
## This can only be enabled if used in httpd.conf - It will not work in .htaccess
# ServerTokens Prod
# "-Indexes" will have Apache block users from browsing folders without a default document
# Usually you should leave this activated, because you shouldn't allow everybody to surf through
# every folder on your server (which includes rather private places like CMS system folders).
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# END PunBB
# START Visman
# https://punbb.informer.com/forums/topic/30841/add-a-little-bit-of-security/
<ifModule mod_headers.c>
# Set security headers if missing.
# (This Content-Security-Policy makes almost no sense (there are many inline scripts and styles on the forum, frames from media sites are allowed).)
#
### Chances are, you will have to customize the permissions for your forum individually. ###
### If your Apache version is lower than 2.4.10 then remove all "expr = -z% {resp: ...}" ###
#
Header always set Content-Security-Policy "object-src 'none';frame-ancestors 'none';base-uri 'none';form-action 'self'" "expr=-z %{resp:Content-Security-Policy}"
Header always set Feature-Policy "accelerometer 'none';ambient-light-sensor 'none';autoplay 'none';battery 'none';camera 'none';document-domain 'self';fullscreen 'self';geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none';sync-xhr 'self';usb 'none'" "expr=-z %{resp:Feature-Policy}"
Header always set Referrer-Policy "origin-when-cross-origin" "expr=-z %{resp:Referrer-Policy}"
# Header set Strict-Transport-Security "max-age=31536000" "expr=-z %{resp:Strict-Transport-Security}" # for https only site
Header always set X-Content-Type-Options "nosniff" "expr=-z %{resp:X-Content-Type-Options}"
Header always set X-Frame-Options "DENY" "expr=-z %{resp:X-Frame-Options}"
Header always set X-XSS-Protection "1; mode=block" "expr=-z %{resp:X-XSS-Protection}"
Header always set Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),document-domain=(self),fullscreen=(self),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),sync-xhr=(self),usb=()" "expr=-z %{resp:Permissions-Policy}"
# Remove headers containing php information
Header unset X-Powered-By
Header always unset X-Powered-By
</ifModule>
# Hiding information about the system
ServerSignature Off
#ServerTokens ProductOnly # Use only in server config, do not use in .htaccess
# END Visman