Webmaster Security
Htaccess tips **EDITED 03/01/2019**
Submitted by sudo rm rf, 01-03-2019, 07:38 AM, Thread ID: 123047
Thread Closed
This post was last modified: 02-03-2019, 08:16 AM by sudo rm rf
One of the most common mistakes I see new web devs or website owners make is forgetting to create and use an .htaccess file. One of its main functions is protecting your site and enforcing simple rules, such as forcing users to a certain extension or forcing HTTPS. This is just as important as the site itself. Below are a few of the simple rules that I use on all sites I build.
# Force HTTPS
# Add www to any URLs that do not have them
# Remove www from any URLs that have them
# Add Security Headers
# Deny access to .htaccess
# Disable directory browsing
# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
# Hide the contents of directories
# Deny access to files with extensions .ini, .psd, .log, .sh
# Deny access to filenames starting with dot(.)
# Password protect files
# Prevent Directory Listing
# Prevent Image Hotlinking
Do you use anything else that you may find useful? Have any questions or need any help? Let me know and ill do what I can to help out.
# Force HTTPS
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
# Flags belong in square brackets; the original {L,R=301} is a syntax error, and a broken .htaccess makes Apache answer every request with a 500
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Add www to any URLs that do not have them
Code:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Redirect to https, not http: combined with the HTTPS rule above, an http:// target costs a second redirect and a cleartext hop
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
# Remove www from any URLs that have them
Code:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# %1 is the host captured by the condition above, so the domain does not have to be hard-coded (the original used example.com as a placeholder)
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
# Add Security Headers
Code:
<IfModule mod_headers.c>
# Legacy anti-XSS header: Chromium-based browsers have removed their XSS auditor and Firefox never implemented one,
# so treat this as a compatibility setting and rely on a Content-Security-Policy header for actual protection
Header set X-XSS-Protection "1; mode=block"
</IfModule>
# Deny access to .htaccess
Code:
<Files .htaccess>
# Apache 2.4 syntax; the 2.2 form "Order allow,deny / Deny from all" only works on 2.4 with mod_access_compat loaded
Require all denied
</Files>
# Disable directory browsing
Code:
Options -Indexes
# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
Code:
# Only hides these names from directory listings; the files are still served when requested directly
IndexIgnore *.png *.zip *.jpg *.gif *.doc
# Hide the contents of directories
Code:
IndexIgnore *
# Deny access to files with extensions .ini, .psd, .log, .sh
Code:
<FilesMatch "\.(ini|psd|log|sh)$">
# Apache 2.4 syntax (the 2.2 form "Order allow,deny / Deny from all" needs mod_access_compat on 2.4)
Require all denied
</FilesMatch>
# Deny access to filenames starting with dot(.)
Code:
# Matches every dotfile, including .htaccess, .htpasswd and anything under .git/
<FilesMatch "^\.">
Require all denied
</FilesMatch>
# Password protect files
Code:
# File names are matched exactly, so include the extension if the file has one;
# the trailing * in the original pattern also let it match concatenations such as "indexmyfile"
<FilesMatch "^(execute|index|myfile|anotherfile)$">
AuthType Basic
AuthName "Mypassword"
# Keep the .htpasswd file outside the document root and create it with the htpasswd tool
AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
Require valid-user
</FilesMatch>
# Prevent Directory Listing
Code:
Options -Indexes
# Prevent Image Hotlinking
Code:
RewriteEngine on
# Allow requests with no Referer (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# The variable is HTTP_REFERER; the original HTTP_REFERERER is undefined, so that condition never looked at the referer.
# The dot in the domain is escaped and both schemes are accepted.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
# [F] answers 403; the stray "." after the flags in the original is a syntax error that breaks the whole file
RewriteRule \.(gif|jpe?g|png)$ - [F]
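Added example, not part of the original post or of Apache: a small Python linter that reads an .htaccess fragment and flags the pitfalls the rules above illustrate, namely rewrite flags written outside square brackets, misspelled server variables, http:// redirect targets in a file that also forces HTTPS, Apache 2.2 access-control syntax, the deprecated X-XSS-Protection header, and top-level directives pasted in twice. The two fragments embedded in it are constructed for the example (SAMPLE reproduces the post's original mistakes, CLEAN the corrected form), and the list of known server variables is a hand-picked subset, not the full mod_rewrite list.

```python
"""Lint an .htaccess fragment for the pitfalls seen in hand-written rewrite
and access rules. Added example; not from the original forum post."""
import re
from collections import Counter

# Subset of the server variables mod_rewrite defines; a bare %{NAME} that is
# not listed here (and carries no HTTP:/ENV: prefix) is reported as unknown.
KNOWN_VARS = {
    "HTTP_HOST", "HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE", "HTTPS",
    "REQUEST_URI", "REQUEST_SCHEME", "REQUEST_METHOD", "REQUEST_FILENAME",
    "QUERY_STRING", "REMOTE_ADDR", "SERVER_NAME", "SERVER_PORT", "THE_REQUEST",
}
RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+(.+))?$", re.I)
VAR = re.compile(r"%\{([^}]+)\}")
LEGACY_ACCESS = re.compile(r"^(Order\s|Allow\s+from\s|Deny\s+from\s|Satisfy\s)", re.I)
XSS_HEADER = re.compile(r"^Header\s+(always\s+)?(set|add|append)\s+X-XSS-Protection", re.I)


def lint_htaccess(text):
    """Return (line_number, code, message) findings for an .htaccess text."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    forces_https = any(re.search(r"%\{HTTPS\}\s+off", ln, re.I) for ln in lines)
    depth, seen = 0, Counter()  # <Container> nesting depth, top-level directive counts
    for no, line in enumerate(lines, 1):
        if not line or line.startswith("#"):
            continue
        if line.startswith("<"):  # <Files>, <IfModule>, ... and their closers
            depth += -1 if line.startswith("</") else 1
            continue
        m = RULE.match(line)
        if m:
            flags = m.group(3)
            # Apache rejects a flag argument that is not wrapped in [...]; a config
            # error in .htaccess turns every request to that directory into a 500.
            if flags and not re.fullmatch(r"\[[^\]]*\]", flags):
                findings.append((no, "BAD_FLAGS", f"flags {flags!r} must be written as [FLAGS]"))
            if forces_https and m.group(2).lower().startswith("http://"):
                findings.append((no, "HTTP_DOWNGRADE",
                                 "redirect target is plain http:// although this file forces HTTPS; "
                                 "use https:// so clients get one redirect and no cleartext hop"))
        if line.lower().startswith("rewrite"):
            for name in VAR.findall(line):
                if ":" not in name and name not in KNOWN_VARS:
                    findings.append((no, "UNKNOWN_VAR",
                                     f"%{{{name}}} is not a mod_rewrite server variable (typo?)"))
        if LEGACY_ACCESS.match(line):
            findings.append((no, "LEGACY_ACCESS", "Apache 2.2 access syntax; on 2.4 it needs "
                             "mod_access_compat, use 'Require all denied' instead"))
        if XSS_HEADER.match(line):
            findings.append((no, "LEGACY_HEADER", "X-XSS-Protection is deprecated (Chromium removed "
                             "its XSS auditor, Firefox never had one); use Content-Security-Policy"))
        if depth == 0:  # repeated top-level directives are usually copy-paste leftovers
            key = re.sub(r"\s+", " ", line).lower()
            seen[key] += 1
            if seen[key] == 2 and not key.startswith("rewriteengine"):
                findings.append((no, "DUPLICATE", f"directive repeated: {line}"))
    return findings


# Constructed sample reproducing the mistakes in the post's original snippets.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} {L,R=301}
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
Options -Indexes
Options -Indexes
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpeg|png)$ - [F].
"""

# The same rules written the way the linter accepts them (constructed).
CLEAN = r"""RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
<Files .htaccess>
Require all denied
</Files>
Options -Indexes
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F]
"""

if __name__ == "__main__":
    for no, code, msg in lint_htaccess(SAMPLE):
        print(f"line {no:2d} {code:<14} {msg}")
    print("clean sample:", lint_htaccess(CLEAN) or "no findings")
```

Run it as a script to see every finding for SAMPLE with its line number, or import `lint_htaccess` and feed it the contents of a real .htaccess before deploying; a non-empty result from a file that is about to go live is worth a second look, because a single syntax error in .htaccess takes the whole directory offline rather than just the rule that contains it.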