Webmaster Security

How to help secure a website with htaccess

Submitted by encrypted, Thread ID: 72538

Thread Closed
31-01-2018, 06:54 PM
This post was last modified: 31-01-2018, 07:10 PM by encrypted
#1
Here is a few examples of code I use in my htaccess files

Protect against XSS attacks
#X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>


Protect against page-framing and click-jacking
#X-Frame-Options
<IfModule mod_headers.c>
# "set" rather than "append": appending to an already-set header yields
# "SAMEORIGIN, SAMEORIGIN", which browsers do not honour
Header always set X-Frame-Options SAMEORIGIN
</IfModule>


Protect against content-sniffing
#X-Content-Type nosniff
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>


All three at once
#XXS/Content-sniffing/page-framing
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
# "set" rather than "append", so a header set elsewhere is replaced, not doubled
Header always set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>


Redirect to https and www
#Canonical https/www
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# strip any existing "www." before capturing the host, otherwise a plain-http
# request for www.example.com is redirected to https://www.www.example.com/
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>


Redirect to https and non-www
# Canonical HTTPS/WWW
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>


Disguise all file extensions
#serve all files as .php
# note: this hands every file under the directory, whatever its extension, to the PHP handler
ForceType application/x-httpd-php

Protect .htaccess
# protect .htaccess (Apache 2.2 access syntax; on 2.4 it needs mod_access_compat, or use "Require all denied")
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Protect .htpasswd
# protect .htpasswd
<Files ~ "^.*\.([Hh][Tt][Pp])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Protect both
# protect .htaccess and .htpasswd
<Files ~ "^.*\.([Hh][Tt])">
Order allow,deny
Deny from all
Satisfy all
</Files>


Add mod_mime support
# MIME TYPES
<IfModule mod_mime.c>
# DEFAULTS
DefaultLanguage en
AddLanguage en-US .html .css .js
AddCharset utf-8 .html .css .js .xml .json .rss .atom
# JAVASCRIPT
AddType application/javascript js jsonp
AddType application/json json
# FONTS
AddType font/opentype otf
AddType application/font-woff woff
AddType application/x-font-woff woff
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# AUDIO
AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
# VIDEO
AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# OTHERS
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType application/vnd.openxmlformats .docx .pptx .xlsx .xltx .xltm .dotx .potx .ppsx
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
AddType image/webp webp
AddType image/x-icon ico
</IfModule>
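A quick way to confirm that the header and redirect snippets above are actually taking effect is to capture a response (for instance the output of `curl -I`) and check it. The checker below is an added example written for this thread, not code from the original post; the four response texts it runs against are constructed, and `example.com` is a placeholder. It flags missing or wrong security headers, a doubled X-Frame-Options value (what `Header append` produces when the header was already set), and a canonical redirect that lands on the wrong host.

```python
"""Audit captured HTTP responses for the headers and redirects the
.htaccess snippets in this thread are meant to produce.
Added example; all responses below are constructed, not captured."""
from typing import Dict, List, Tuple

# Headers the <IfModule mod_headers.c> blocks set, with the expected value.
EXPECTED_HEADERS = {
    "x-xss-protection": "1; mode=block",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Split a raw response head (as printed by `curl -I`) into the status
    code and a case-insensitive header map. Repeated header lines are kept
    as separate list entries so duplicates stay visible."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit_headers(raw: str) -> List[str]:
    """Return findings for one response; an empty list means all good."""
    _, headers = parse_response(raw)
    findings: List[str] = []
    for name, want in EXPECTED_HEADERS.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"missing {name}")
            continue
        # Appending to an already-set header gives either a second header
        # line or a comma-joined value; treat both as a duplicate.
        flat = [v.strip() for value in values for v in value.split(",")]
        if len(flat) > 1:
            findings.append(f"{name} has {len(flat)} values: {flat}")
        elif flat[0].lower() != want.lower():
            findings.append(f"{name} is {flat[0]!r}, expected {want!r}")
    return findings


def audit_redirect(raw: str, canonical_origin: str) -> List[str]:
    """Check that a plain-http or non-canonical-host request is answered
    with one permanent redirect onto the canonical origin."""
    status, headers = parse_response(raw)
    findings: List[str] = []
    if status != 301:
        findings.append(f"expected 301, got {status}")
    location = headers.get("location", [""])[0]
    if not location.startswith(canonical_origin + "/"):
        findings.append(f"redirect goes to {location!r}, not {canonical_origin}")
    return findings


# Constructed sample responses (placeholder host example.com).
GOOD = """HTTP/1.1 200 OK
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# What "Header append X-Frame-Options SAMEORIGIN" yields when the
# application (or another rule) had already set the header.
DOUBLED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html; charset=utf-8
"""

# Correct answer to http://example.com/path for the https+www variant.
REDIRECT_OK = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/path
"""

# A doubled "www." prefix, which a rewrite that captures the whole host
# without stripping an existing "www." produces on plain-http requests.
REDIRECT_BAD = """HTTP/1.1 301 Moved Permanently
Location: https://www.www.example.com/path
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("doubled", DOUBLED)):
        print(label, audit_headers(raw) or "ok")
    for label, raw in (("redirect ok", REDIRECT_OK), ("redirect bad", REDIRECT_BAD)):
        print(label, audit_redirect(raw, "https://www.example.com") or "ok")
```

Paste the head of a real `curl -I` response into `raw` to audit a live site; checking the plain-http and the non-canonical-host variants separately catches the case where only one of the two rewrite conditions fires.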

RE: How to help secure a website with htaccess

#2
nice. makes life easier having everything in one place

RE: How to help secure a website with htaccess

#3
Haven't really thought about having htaccess do the work for XSS; normally I just create a secret and hash it with some identifier for the user.

RE: How to help secure a website with htaccess

#4
Now keep in mind, if you serve ALL files as PHP and you have any form of upload, you could get owned.
