This repository has been archived by the owner on Dec 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
htaccess.live
104 lines (90 loc) · 5.21 KB
/
htaccess.live
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
##
# @package Joomla
# @copyright Copyright (C) 2005 - 2020 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##
##
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!
#
# The line 'Options +FollowSymLinks' may cause problems with some server configurations.
# It is required for the use of Apache mod_rewrite, but it may have already been set by
# your server administrator in a way that disallows changing it in this .htaccess file.
# If using it causes your site to produce an error, comment it out (add # to the
# beginning of the line), reload your site in your browser and test your sef urls. If
# they work, then it has been set by your server administrator and you do not need to
# set it here.
##
## No directory listings
<IfModule autoindex>
IndexIgnore *
</IfModule>
## Suppress mime type detection in browsers for unknown types
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
## Can be commented out if causes errors, see notes above.
Options +FollowSymlinks
Options -Indexes
## Mod_rewrite in use.
RewriteEngine On
## Begin - Rewrite rules to block out some common exploits.
# If you experience problems on your site then comment out the operations listed
# below by adding a # to the beginning of the line.
# This attempts to block the most common type of exploit `attempts` on Joomla!
#
# Block any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Rewrite rules to block out some common exploits.
## Begin - Custom redirects
#
# If you need to redirect some pages, or set a canonical non-www to
# www redirect (or vice versa), place that code here. Ensure those
# redirects use the correct RewriteRule syntax and the [R=301,L] flags.
#
## End - Custom redirects
##
# Uncomment the following line if your webserver's URL
# is not directly related to physical file paths.
# Update Your Joomla! Directory (just / for root).
##
# RewriteBase /
## Begin - Joomla! core SEF Section.
#
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
#
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
#
## End - Joomla! core SEF Section.
##################### Security Header #####################
<IfModule mod_headers.c>
# X-XSS-Protection
Header always set X-XSS-Protection "1; mode=block"
# X-Frame-Options
Header always set X-Frame-Options SAMEORIGIN
# X-Content-Type nosniff
Header always set X-Content-Type-Options nosniff
# Referrer-Policy
Header always set Referrer-Policy "no-referrer-when-downgrade"
# Strict-Transport-Security
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Content-Security-Policy
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://*.twitter.com https://*.facebook.com https://*.facebook.net https://*.facebook.net https://*.google-analytics.com https://*.googletagmanager.com https://*.googleapis.com https://*.gstatic.com https://*.google.com https://*.joomla.org https://*.pingdom.net https://*.doubleclick.net https://*.googleapis.com https://cdn.jsdelivr.net https://*.buysellads.com https://*.algolia.net https://*.algolianet.com https://*.jwpcdn.com https://*.echosign.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://*.joomla.org https://fonts.googleapis.com https://netdna.bootstrapcdn.com; connect-src 'self' https://*.joomla.org https://*.pingdom.net https://*.google-analytics.com https://*.doubleclick.net https://*.algolia.net https://*.algolianet.com; frame-src 'self' https://*.twitter.com https://*.google.com https://www.googletagmanager.com https://www.youtube.com https://cdn.adfront.org https://*.facebook.com https://*.vimeo.com https://*.echosign.com; font-src 'self' data: https://fonts.gstatic.com https://*.joomla.org https://netdna.bootstrapcdn.com; img-src 'self' data: https://*.google-analytics.com https://*.googletagmanager.com https://*.joomla.org https://*.pingdom.net https://*.doubleclick.net https://*.gstatic.com https://*.google.com https://*.googleapis.com https://*.buysellads.com https://cdn.adfront.org https://*.twitter.com; frame-ancestors 'self'; report-uri https://community.joomla.org/scripts/csp-reporter.php?source=extensions.joomla.org"
</IfModule>
##################### Security Header