Htaccess tips **EDITED 03/01/2019**

Submitted by sudo rm rf, Thread ID: 123047

01-03-2019, 07:38 AM
This post was last modified: 02-03-2019, 08:16 AM by sudo rm rf
One of the most common mistakes I see new web devs or web site owners make is forgetting to make and use an .htaccess file. One of the main functions of this is protecting your site and enforcing simple rules, either to force users to a certain extension or to force HTTPS. This is just as important as the site itself. Below are a few of the simple rules that I use on all sites I build.


#Force HTTPS
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
# Flags go in square brackets: L = last rule, R=301 = permanent redirect
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


# Add www to any URLs that do not have them
Code:
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.
# If you also use the Force HTTPS rule above, redirect to https:// here to avoid a second hop
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]


# Remove www from any URLs that have them
Code:
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.
# Replace example.com with your own bare domain
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]


# Add Security Headers
Code:
<IfModule mod_headers.c>
# Protect against XSS attacks (legacy filter; current browsers ignore this header,
# so pair it with a Content-Security-Policy)
Header set X-XSS-Protection "1; mode=block"
</IfModule>


# Deny access to .htaccess
Code:
<Files .htaccess>
# Apache 2.2 syntax; on Apache 2.4 replace the two lines below with: Require all denied
Order allow,deny
Deny from all
</Files>


# Disable directory browsing
Code:
Options -Indexes


# Hide files of type .png, .zip, .jpg, .gif and .doc from listing
Code:
IndexIgnore *.png *.zip *.jpg *.gif *.doc


# Hide the contents of directories
Code:
IndexIgnore *


# Deny access to files with extensions .ini, .psd, .log, .sh

Code:
<FilesMatch "\.(ini|psd|log|sh)$">
Order allow,deny
Deny from all
</FilesMatch>


# Deny access to filenames starting with dot(.)
Code:
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>


# Password protect files
Code:
# List the exact file names to protect, including their extension (e.g. index\.php);
# the trailing * in the common copy-paste version of this rule also matches an empty name
<FilesMatch "^(execute|index|myfile|anotherfile)$">
AuthType Basic
AuthName "Mypassword"
AuthUserFile <Full Server Path to .htpasswd file>/.htpasswd
Require valid-user
</FilesMatch>



# Prevent Image Hotlinking

Code:
RewriteEngine On
# Allow requests with no Referer (direct visits, privacy-stripped browsers)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own domain (replace mydomain.com); everything else is refused with 403
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpeg|png)$ - [F]


Do you use anything else that you may find useful? Have any questions or need any help? Let me know and I'll do what I can to help out.
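Added example (not part of the original post): a small checker that confirms the rules above are actually in effect on a deployed site, by requesting a few URLs without following redirects and comparing status codes and headers. The host example.com, the file names and the foreign Referer are placeholders; the `fetcher` argument lets the checks run against canned responses offline.

```python
"""Audit a site for the .htaccess hardening rules described in the post."""
import urllib.error
import urllib.request

# (url, extra request headers, expected status, required response header prefixes)
# example.com and the probe file names are placeholders; adjust to your site.
CHECKS = [
    ("http://example.com/", {}, 301, {"Location": "https://"}),          # Force HTTPS
    ("https://example.com/.htaccess", {}, 403, {}),                      # Deny .htaccess
    ("https://example.com/config.ini", {}, 403, {}),                     # Deny .ini/.log/...
    ("https://example.com/debug.log", {}, 403, {}),
    ("https://example.com/", {}, 200, {"X-XSS-Protection": "1; mode=block"}),
    ("https://example.com/logo.png", {"Referer": "http://other.example/"}, 403, {}),  # hotlink
]


def fetch(url, headers):
    """Return (status, headers) for a HEAD request without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx as HTTPError instead of following it

    req = urllib.request.Request(url, headers=headers, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def evaluate(url, status, headers, want_status, want_headers):
    """Return a list of failure messages for one response (empty list = pass)."""
    problems = []
    if status != want_status:
        problems.append(f"{url}: status {status}, expected {want_status}")
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, prefix in want_headers.items():
        value = lowered.get(name.lower(), "")
        if not value.startswith(prefix):
            problems.append(f"{url}: header {name}={value!r}, expected prefix {prefix!r}")
    return problems


def audit(checks=CHECKS, fetcher=fetch):
    """Run every check and return all failure messages."""
    failures = []
    for url, req_headers, want_status, want_headers in checks:
        status, headers = fetcher(url, req_headers)
        failures.extend(evaluate(url, status, headers, want_status, want_headers))
    return failures


if __name__ == "__main__":
    for line in audit() or ["all checks passed"]:
        print(line)
```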
