Webmaster Security
How to help secure a website with htaccess
Submitted by encrypted, 31-01-2018, 06:54 PM, Thread ID: 72538
Here are a few examples of code I use in my htaccess files
Protect against XSS attacks
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Protect against page-framing and click-jacking
<IfModule mod_headers.c>
# 'always set' rather than 'append': if the application already sends X-Frame-Options,
# append merges both into one comma-separated value that browsers ignore
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
Protect against content-sniffing
#X-Content-Type nosniff
<IfModule mod_headers.c>
Header set X-Content-Type-Options nosniff
</IfModule>
All three at once
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>
Redirect to https and www
#Canonical https/www
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# capture the host without any leading www., otherwise a plain-http request
# for www.example.com is redirected to https://www.www.example.com
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.*)$ [NC]
RewriteRule (.*) https://www.%1/$1 [R=301,L]
</IfModule>
Redirect to https and non-www
# Canonical HTTPS/WWW
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.com [NC]
RewriteRule (.*) https://example.com/$1 [L,R=301]
</IfModule>
Disguise all file extensions
#serve all files as .php
# this applies to every file in the directory and below; wrap it in <FilesMatch>
# if only some files should be handed to PHP
ForceType application/x-httpd-php
Protect .htaccess
# protect .htaccess
# Order/Deny/Satisfy is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it,
# or use "Require all denied" instead
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Protect .htpasswd
# protect .htpasswd
<Files ~ "^.*\.([Hh][Tt][Pp])">
Order allow,deny
Deny from all
Satisfy all
</Files>
Protect both
# protect .htaccess and .htpasswd
# anchored to the start of the file name: the unanchored "^.*\.([Hh][Tt])"
# also matches .htm, .html and .htc files and would deny those as well
<Files ~ "^\.[Hh][Tt]">
Order allow,deny
Deny from all
Satisfy all
</Files>
Add mod_mime support
<IfModule mod_mime.c>
DefaultLanguage en
AddLanguage en-US .html .css .js
AddCharset utf-8 .html .css .js .xml .json .rss .atom
AddType application/javascript js jsonp
AddType application/json json
AddType font/opentype otf
AddType application/font-woff woff
AddType application/x-font-woff woff
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttc ttf
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml atom rdf rss xml
AddType application/vnd.openxmlformats .docx .pptx .xlsx .xltx .xltm .dotx .potx .ppsx
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
AddType image/webp webp
AddType image/x-icon ico
</IfModule>
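The three response headers and the canonical https/www redirect from the post can be verified from the outside. This is an added Python checker, not code from the post: check_headers() flags a header that is missing or comma-joined (what 'Header append' produces when the application already sends X-Frame-Options), check_redirect() confirms a 301 to the canonical origin, fetch() is a hypothetical helper for running the checks against a live site, and the sample responses are constructed.

```python
import urllib.error
import urllib.request

# Values the .htaccess snippets in the post are meant to produce.
EXPECTED = {
    "x-frame-options": {"SAMEORIGIN", "DENY"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
}

def check_headers(headers):
    """Return a list of findings for one response's headers; an empty list means all three are OK."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, allowed in EXPECTED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif "," in value:
            # 'Header append' joins an existing value and the new one with ', '; browsers
            # ignore an X-Frame-Options such as 'DENY, SAMEORIGIN', so use 'Header always set'.
            findings.append(f"{name} has multiple values: {value!r}")
        elif value.strip() not in allowed:
            findings.append(f"{name} has unexpected value {value!r}")
    return findings

def check_redirect(status, location, canonical_origin):
    """A request to a non-canonical origin should get a 301 whose Location is under canonical_origin."""
    if status != 301:
        return f"expected 301, got {status}"
    if not location.startswith(canonical_origin + "/"):
        return f"Location {location!r} is not under {canonical_origin}"
    return None

def fetch(url):
    """Live helper (hypothetical, not from the post): GET url without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # hand the 3xx back to the caller as an HTTPError
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)

# Constructed sample responses (not captured from a real server).
GOOD = {"X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "1; mode=block"}
BAD = {"X-Frame-Options": "DENY, SAMEORIGIN", "X-XSS-Protection": "0"}
```

A Location of https://www.www.example.com/page, which a www rewrite rule builds when it captures the host with its leading www. still attached, is reported by check_redirect(), while https://www.example.com/page passes.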