Webmaster Security

How to help secure a website with htaccess

Submitted by encrypted, , Thread ID: 72538

Thread Closed
31-01-2018, 06:54 PM
This post was last modified: 31-01-2018, 07:10 PM by encrypted
#1
Here is a few examples of code I use in my htaccess files

Protect against XSS attacks
#X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>


Protect against page-framing and click-jacking
#X-Frame-Options
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>


Protect against content-sniffing
#X-Content-Type nosniff
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>


All three at once
#XXS/Content-sniffing/page-framing
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>


Redirect to https and www
#Canonical https/www
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} ^(.*)$ [NC]
RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>


Redirect to https and non-www
# Canonical HTTPS/WWW
<IfModule mod_rewrite.c>
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>


Disguise all file extensions
#serve all files as .php
ForceType application/x-httpd-php

Protect .htaccess
[spoiler]# protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Protect .htpasswd
# protect .htpasswd
<Files ~ "^.*\.([Hh][Tt][Pp])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Protect both
# protect .htaccess and .htpasswd
<Files ~ "^.*\.([Hh][Tt])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Add mod_mime suport
# MIME TYPES
<IfModule mod_mime.c>
# DEFAULTS
DefaultLanguage en
AddLanguage en-US .html .css .js
AddCharset utf-8 .html .css .js .xml .json .rss .atom
# JAVASCRIPT
AddType application/javascript js jsonp
AddType application/json json
# FONTS
AddType font/opentype otf
AddType application/font-woff woff
AddType application/x-font-woff woff
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# AUDIO
AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
# VIDEO
AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# OTHERS
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType application/vnd.openxmlformats .docx .pptx .xlsx .xltx . xltm .dotx .potx .ppsx
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
AddType image/webp webp
AddType image/x-icon ico
</IfModule>

RE: How to help secure a website with htaccess

#2
nice. makes life easier having everything in one place

RE: How to help secure a website with htaccess

#3
Haven't really thought about having htaccess do the work for XSS, normally I just create a secret and hash it with some identifier for the user

RE: How to help secure a website with htaccess

#4
Now keep in mind, if you serve ALL files as PHP and you have any form of upload, you could get owned.

Users browsing this thread: 1 Guest(s)