How to help secure a website with htaccess
Submitted by encrypted, 31-01-2018, 06:54 PM, Thread ID: 72538
Thread Closed
31-01-2018, 06:54 PM
This post was last modified: 31-01-2018, 07:10 PM by encrypted
#1
Here are a few examples of code I use in my htaccess files
Protect against XSS attacks
#X-XSS-Protection
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Protect against page-framing and click-jacking
#X-Frame-Options
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
Protect against content-sniffing
#X-Content-Type nosniff
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
All three at once
#XSS/Content-sniffing/page-framing
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>
Redirect to https and www
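#Canonical https/www
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# capture the host without a leading www. so an http://www. request is not redirected to www.www.
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>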
Redirect to https and non-www
# Canonical HTTPS/non-WWW
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>
Disguise all file extensions
#serve all files as .php
ForceType application/x-httpd-php
Protect .htaccess
# protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Protect .htpasswd
# protect .htpasswd
<Files ~ "^.*\.([Hh][Tt][Pp])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Protect both
# protect .htaccess and .htpasswd
<Files ~ "^.*\.([Hh][Tt])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Add mod_mime support
# MIME TYPES
<IfModule mod_mime.c>
# DEFAULTS
DefaultLanguage en
AddLanguage en-US .html .css .js
AddCharset utf-8 .html .css .js .xml .json .rss .atom
# JAVASCRIPT
AddType application/javascript js jsonp
AddType application/json json
# FONTS
AddType font/opentype otf
AddType application/font-woff woff
AddType application/x-font-woff woff
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# AUDIO
AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
# VIDEO
AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
# OTHERS
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType application/vnd.openxmlformats .docx .pptx .xlsx .xltx .xltm .dotx .potx .ppsx
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
AddType image/webp webp
AddType image/x-icon ico
</IfModule>
cryptokash
RE: How to help secure a website with htaccess
19-02-2018, 09:17 PM
#2
nice. makes life easier having everything in one place
RE: How to help secure a website with htaccess
19-02-2018, 09:20 PM
#3
Haven't really thought about having htaccess do the work for XSS, normally I just create a secret and hash it with some identifier for the user
RE: How to help secure a website with htaccess
19-02-2018, 09:21 PM
#4
Now keep in mind, if you serve ALL files as PHP and you have any form of upload, you could get owned.
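The settings discussed in this thread can be checked mechanically. The following is an added example, not part of any post: a small Python audit of an .htaccess file's text that reports which of the three headers from the first post are missing, a top-level ForceType to PHP (the risk raised in reply #4), and 2.2-style Order/Allow/Deny lines. The function name, finding strings and sample input are constructed for illustration.

```python
import re

# Headers the first post sets; names are compared case-insensitively.
EXPECTED_HEADERS = ("x-xss-protection", "x-frame-options", "x-content-type-options")
HEADER_RE = re.compile(
    r'^Header\s+(?:always\s+|onsuccess\s+)?(?:set|setifempty|append|add|merge)\s+"?([\w-]+)', re.I)
FORCE_PHP_RE = re.compile(r'^ForceType\s+"?application/x-httpd-php', re.I)
FILES_RE = re.compile(r"^<(/?)(?:FilesMatch|Files)\b", re.I)
LEGACY_ACL_RE = re.compile(r"^(?:Order|Allow|Deny)\s", re.I)

def audit_htaccess(text):
    """Return sorted findings for the contents of one .htaccess file."""
    seen, findings, files_depth = set(), set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        container = FILES_RE.match(line)
        if container:  # track <Files>/<FilesMatch> so a scoped ForceType is not flagged
            files_depth += -1 if container.group(1) else 1
        elif HEADER_RE.match(line):
            seen.add(HEADER_RE.match(line).group(1).lower())
        elif FORCE_PHP_RE.match(line) and files_depth == 0:
            findings.add("ForceType: every file, uploads included, is handled as PHP")
        elif LEGACY_ACL_RE.match(line):
            findings.add("Order/Allow/Deny: Apache 2.2 syntax, needs mod_access_compat on 2.4")
    findings.update(f"missing header: {h}" for h in EXPECTED_HEADERS if h not in seen)
    return sorted(findings)

# Constructed sample input, not a file from the thread.
SAMPLE = """\
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
ForceType application/x-httpd-php
<Files ~ "^.*\\.([Hh][Tt])">
Order allow,deny
Deny from all
</Files>
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE):
        print(finding)
```

The audit reads directives only; it does not confirm that mod_headers is loaded, so the response headers of the live site still need checking.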