Here’s a list of stuff that I have in my .htaccess files on various websites.
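I want to work on my website, but any other visitor should be booted to another website so I can work in peace. Sidenote: It's forever since I last used this, so it might work. Or not.
---
# Maintenance gate: everyone except one IP address is sent to another site.
# mod_rewrite has to be switched on before any RewriteCond/RewriteRule below
# is read; the directive is harmless if it already appears earlier.
RewriteEngine On
# YOUR IP address goes here (dots escaped). REMOTE_ADDR is the client
# address as Apache sees it -- behind a reverse proxy or CDN that is the
# proxy's address, and the gate would then lock you out as well.
RewriteCond %{REMOTE_ADDR} !^000\.000\.000\.000$
# Fine, go have all the media as well: static assets are exempt from the
# redirect, so anything the redirect target embeds from here still loads.
# (The original also tested REQUEST_URI against "^https://DOMAIN.TLD$";
# REQUEST_URI only ever holds the path part, e.g. "/page", so that
# condition could never match and has been dropped.)
RewriteCond %{REQUEST_URI} !\.(jpg|jpeg|png|gif|svg|swf|css|ico|js)$ [NC]
# Any other visitor can go visit the following website. The target must be
# a different host, otherwise this rule redirects to itself in a loop.
RewriteRule .* https://DOMAIN.TLD/ [R=302,L]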
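# Hey, no viewing access to this file (or .htpasswd and friends).
# The dot is escaped: the original pattern "^.ht" used an unescaped regex
# dot, so it also matched any file whose 2nd and 3rd characters are "ht"
# (e.g. "shtml-include.html").
<FilesMatch "^\.ht">
    # Apache 2.4 authorization syntax; the 2.2 Order/Deny form is kept for
    # old servers (on 2.4 it only works with mod_access_compat loaded).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>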
# Disable Server Signature: keeps the Apache version/OS footer off generated
# error pages and directory listings. Only that footer is affected; the
# Server response header is governed by ServerTokens, which is server-config
# only and cannot be set from .htaccess.
ServerSignature Off
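# SSL all the things!
# Redirect every plain-HTTP request to the same path over HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
# 301 (permanent) instead of the bare [R] default of 302: this is a policy
# change, so browsers and search engines may remember it. Caveat: behind a
# TLS-terminating proxy/CDN %{HTTPS} is "off" for every request and this
# rule loops; there the forwarded-proto request header has to be tested.
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
# The redirect only protects the first request of a visit; an HSTS header
# (Strict-Transport-Security) is the follow-up once every host name that
# shares the domain serves HTTPS.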
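# No WWW: canonicalise www.DOMAIN.TLD to DOMAIN.TLD, keeping the path.
# The original pattern was "^/?$", which only matched the site root, so
# www.DOMAIN.TLD/some/page was never redirected. Host names are
# case-insensitive, hence [NC]. The backslash-escaped substitution string
# of the original was not needed.
RewriteCond %{HTTP_HOST} ^www\.DOMAIN\.TLD$ [NC]
RewriteRule ^/?(.*)$ https://DOMAIN.TLD/$1 [R=301,L]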
# Do we like Symlinks? Yeah we do.
# mod_rewrite in per-directory (.htaccess) context needs either
# FollowSymLinks or SymLinksIfOwnerMatch. FollowSymLinks follows *any*
# symlink below this directory, including ones that point outside the
# document root; on a shared host SymLinksIfOwnerMatch is the tighter
# choice. Needs "AllowOverride Options" (or Options=FollowSymLinks) on the
# server side, otherwise the request fails with a 500.
Options +FollowSymlinks
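# No open directories or directory listings. What is this... 1998?
# Only Indexes is switched off. The original "Options All -Indexes" mixed
# the absolute form with a "-" form, which Apache rejects as invalid
# syntax (a 500 when it sits in .htaccess), and "All" would additionally
# have switched *on* ExecCGI, Includes and every other option -- a far
# larger grant than "no listings" needs.
Options -Indexes
# Belt and braces: should listings ever be re-enabled, show nothing.
IndexIgnore *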
# Rewrite rules to block out some common exploits.
# Returns 403 when the query string carries a base64_encode(...) call, a
# (possibly URL-encoded) <script> tag, or an attempt to set GLOBALS /
# _REQUEST. The four conditions are OR-ed together. This is a coarse
# signature blocklist: it is trivially incomplete and is no substitute for
# input validation in the application itself.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# With [F] the substitution is ignored, so "-" says so explicitly.
RewriteRule ^ - [F]
# PHP doohickies
# php_flag/php_value are only understood when PHP runs as mod_php; under
# PHP-FPM or CGI Apache treats them as unknown directives and every
# request fails with a 500. Check the SAPI before using this block.
# register_globals and safe_mode were removed in PHP 5.4 -- these two
# lines are inert on any current PHP.
php_flag register_globals off
php_flag safe_mode off
# allow_url_fopen is a PHP_INI_SYSTEM setting: it can only be changed in
# php.ini (or the FPM pool config), so this line is silently ignored here.
php_flag allow_url_fopen off
# Keeps error details out of responses (PHP_INI_ALL, so this one works).
php_flag display_errors off
# /tmp is shared with every other user on the host, so session files are
# readable by them; a per-site directory outside the web root is the
# usual choice.
php_value session.save_path '/tmp'
# disable_functions is also PHP_INI_SYSTEM and is ignored from .htaccess;
# the list gives no protection until it is moved to php.ini. Note that
# eval is a language construct, not a function, and cannot be disabled
# this way at all.
php_value disable_functions "exec,passthru,shell_exec,system,curl_multi_exec,show_source,eval"
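# File Injection Protection, or a code-condom. What.
# Refuses GET requests whose query string carries a parameter that looks
# like a remote URL, a "../" traversal, or an absolute path -- the shapes
# a file-inclusion bug is fed with. The first condition is AND-ed with the
# OR-group that follows it. Coarse blocklist; the application still has
# to validate the parameter.
RewriteCond %{REQUEST_METHOD} GET
# The original only matched "http://", so "https://" was let through.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https?:// [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]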
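# /proc/self/environ? Go away!
# The original ended with a dangling "[OR]" and no RewriteRule, so the
# condition silently attached itself to whatever RewriteRule came next in
# the file and changed *that* rule's behaviour. It now has its own rule.
RewriteCond %{QUERY_STRING} proc/self/environ [NC]
RewriteRule .* - [F]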
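# Disallow Access To Sensitive Files. Enter your own file names.
# Dots are escaped so each entry matches exactly one name (an unescaped
# "." matches any character). In .htaccess the pattern is matched against
# the path relative to this directory, so it only covers files at this
# level, not the same names in subdirectories; a <FilesMatch> section would
# cover every level.
RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|joomla\.xml|README\.txt|web\.config\.txt|CONTRIBUTING\.md|phpunit\.xml\.dist|plugin_googlemap2_proxy\.php)$ - [F]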
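# Don't allow any pages to be framed by other origins - defends against
# clickjacking (not CSRF: X-Frame-Options says nothing about cross-site
# requests). "always" sends the header on error responses as well; plain
# "set" only covers successful responses, so 403/404 pages went out
# unprotected. Current browsers honour the CSP frame-ancestors directive,
# which supersedes this header.
<IfModule mod_headers.c>
    Header always set X-Frame-Options SAMEORIGIN
</IfModule>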
# Disallow Php Easter Eggs
# Refuses requests whose query string carries one of the PHP "easter egg"
# GUIDs (?=PHPxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx), which older mod_php
# builds answer with their credits/logo pages and so reveal the PHP
# version. expose_php=Off in php.ini is the proper switch; this rule is
# the fallback when php.ini is out of reach.
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
RewriteRule ^ - [F]
# Libwww-perl Access Block
# Any client announcing itself as libwww-perl gets a 403. The User-Agent
# header is chosen freely by the client, so treat this as noise reduction,
# not as access control.
RewriteCond %{HTTP_USER_AGENT} libwww-perl
RewriteRule ^ - [F]
# Uh. I forgot.
# Hide every entry from mod_autoindex listings. This only matters if
# Indexes is on somewhere; with "Options -Indexes" in place it is a second
# line of defence, not the first.
<IfModule mod_autoindex.c>
    IndexIgnore *
</IfModule>
# NO SNIFFYWIFFY OwO
# Tells browsers to trust the Content-Type header instead of sniffing the
# body, so an upload served as text/plain is not executed as script or
# styled as CSS. "always" also covers error responses.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
# NEEDS TESTING
# Turn on IE8-IE9 XSS prevention tools
# Current browsers no longer ship the XSS auditor and the header is
# deprecated; where it is still sent, "0" (auditor off) is what current
# guidance recommends, as the filter has had side-channel problems of its
# own. A Content-Security-Policy is the replacement. Left disabled.
#Header set X-XSS-Protection "1; mode=block"
# NEEDS TESTING TOO
# Only allow JavaScript from the same domain to be run.
# Don't allow inline JavaScript to run.
# X-Content-Security-Policy and its "allow" keyword are the pre-standard
# Firefox form; no current browser reads them. The standard header is
# Content-Security-Policy with "default-src 'self'" (which also blocks
# inline scripts). Roll it out as Content-Security-Policy-Report-Only
# first to see what the site breaks before enforcing.
#Header set X-Content-Security-Policy "allow 'self';"
# Example if you don't like Russia and Turkey (Optional A1 is to block anonymous proxies)
# GEOIP_COUNTRY_CODE is only populated when a GeoIP module is loaded and
# enabled; without it the variable is empty, the condition never matches
# and nothing is blocked (it fails open, silently). The redirect target
# must be on another host or the rule loops on itself. Geolocation by IP
# is approximate and easily sidestepped with a VPN -- a nuisance filter,
# not a security boundary.
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(RU|TR)$
RewriteRule .* https://DOMAIN.TLD/directorywithindexdothtml/ [R=302,L]
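# Caching stuff
# Static assets may be cached by browsers and shared caches for an hour.
# Wrapped in <IfModule mod_headers.c> like the other Header directives in
# this file: without the guard, a server lacking mod_headers answers every
# request with a 500. If the expires block further down is also active,
# its "Header append Cache-Control public" adds a second "public" token to
# these responses; harmless, but worth knowing when reading response
# headers.
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf)$">
        Header set Cache-Control "public, max-age=3600"
    </FilesMatch>
</IfModule>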
# Compress text, html, javascript, css, xml!
# gzip-compresses responses of the listed MIME types on the way out.
# Caveat for pages that mix per-user secrets with reflected request input:
# compressing such HTML is the precondition for compression-oracle attacks
# (BREACH), so consider leaving text/html out on authenticated pages.
<IfModule mod_deflate.c>
    # Markup, text and styles
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE application/xhtml+xml application/xml image/svg+xml
    # Feeds
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml
    # Scripts and JSON
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript application/json
    # Fonts
    AddOutputFilterByType DEFLATE application/x-font-ttf application/x-font-otf font/truetype font/opentype
</IfModule>
# Joomla! core SEF Section.
# Passes the Authorization header through to PHP as an environment
# variable (CGI/FPM SAPIs drop it otherwise), then routes every request
# that is not an existing file or directory to index.php for the
# application's router. Relies on RewriteEngine On having been set
# earlier in the file. Keep this block last: it ends with [L], so any
# rewrite rule placed after it is never reached.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
# PHP TWEAKS
# Same mod_php-only caveat as the php_flag block above: under PHP-FPM/CGI
# these directives produce a 500. The limits are generous; 200M uploads,
# 2000 input variables and a 1024M memory ceiling per request mean a
# handful of concurrent requests can consume a lot of disk, CPU and RAM,
# so size them to what the site actually needs.
php_value upload_max_filesize 200M
php_value post_max_size 200M
php_value max_input_vars 2000
php_value max_execution_time 120
php_value memory_limit 1024M
## BEGIN EXPIRES CACHING
# Sets Expires / Cache-Control max-age per MIME type: HTML, XML, JSON and
# manifests are not cached, feeds for an hour, images, media and fonts for
# a month, CSS and JavaScript for a year. Year-long lifetimes assume the
# file name changes when the content does (cache busting); otherwise
# visitors keep stale assets. "image/jpg" is not a registered type
# (image/jpeg is) and is probably never matched.
<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 month"
    ExpiresByType text/cache-manifest "access plus 0 seconds"
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/rss+xml "access plus 1 hour"
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType image/x-icon "access plus 1 week"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType video/ogg "access plus 1 month"
    ExpiresByType audio/ogg "access plus 1 month"
    ExpiresByType video/mp4 "access plus 1 month"
    ExpiresByType video/webm "access plus 1 month"
    ExpiresByType text/x-component "access plus 1 month"
    ExpiresByType application/x-font-ttf "access plus 1 month"
    ExpiresByType font/opentype "access plus 1 month"
    ExpiresByType application/x-font-woff "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    # NOTE(review): this appends "public" to *every* response, HTML
    # included. If any page is personalised or served to a logged-in user,
    # "public" tells shared caches (proxies, CDNs) that they may store it;
    # restrict the append to the static file types, or make sure such
    # pages send their own "private"/"no-store" directive.
    <IfModule mod_headers.c>
        Header append Cache-Control "public"
    </IfModule>
</IfModule>
## END EXPIRES CACHING