mirror of https://github.com/processwire/processwire.git synced 2025-08-09 00:06:55 +02:00

Some additional minor .htaccess updates

Ryan Cramer
2019-07-03 13:18:15 -04:00
parent a336acfaa4
commit 05bbfe0ba1


@@ -3,16 +3,22 @@
# @version 3.0 # @version 3.0
# @htaccessVersion 301 # @htaccessVersion 301
################################################################################################# #################################################################################################
#
# Upgrading htaccess (or index) version 300 to 301 # Upgrading htaccess (or index) version 300 to 301
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# If your htaccess/index version is 300, upgrade to this version by replacing all of section #15 # If you never modified your previous .htaccess file, then you can simply replace it with this
# (Access Restrictions). Also take a look at section #9, which you might also consider replacing # one. If you have modified your .htaccess file, then you will want to copy/paste some updates
# if using HTTPS, though it is not required. Following that, optionally review the rest of the # to the old one instead:
# file to see if there are any other changes you also want to apply. When finished, add a line
# at the top identical to the "htaccessVersion 301" that you see at the top of this file. This # If your htaccess/index version is 300, upgrade to this version by replacing all of sections #5
# tells ProcessWire your .htaccess file is up-to-date. If you never customized your original # and #15 (Access Restrictions). Also take a look at section #9, which you might also consider
# .htaccess file, then of course you can also just replace it with this one. # replacing if using HTTPS, though it is not required. (For instance, HSTS might be worthwhile)
#
# Following that, optionally review the rest of the file to see if there are any other changes
# you also want to apply. Sections tagged "(v301)" are new or have significant changes.
#
# When finished, add a line at the top identical to the "htaccessVersion 301" that you see at
# the top of this file. This tells ProcessWire your .htaccess file is up-to-date.
# #
# Resolving 500 errors # Resolving 500 errors
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
@@ -33,6 +39,7 @@
# change. Search this file for instances of "(L)" for details. # change. Search this file for instances of "(L)" for details.
# #
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 1. Apache Options # 1. Apache Options
# #
@@ -45,7 +52,7 @@
# Do not show directory indexes (strongly recommended) # Do not show directory indexes (strongly recommended)
Options -Indexes Options -Indexes
# Do not use multiviews # Do not use multiviews (v301)
Options -MultiViews Options -MultiViews
# Do follow symbolic links # Do follow symbolic links
@@ -55,15 +62,17 @@ Options +FollowSymLinks
# Character encoding: Serve text/html or text/plain as UTF-8 # Character encoding: Serve text/html or text/plain as UTF-8
AddDefaultCharset UTF-8 AddDefaultCharset UTF-8
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 2. ErrorDocument settings: Have ProcessWire handle 404s # 2. ErrorDocument settings: Have ProcessWire handle 404s
# #
# For options and optimizations, see: (O) # For options and optimizations (O) see:
# https://processwire.com/blog/posts/optimizing-404s-in-processwire/ # https://processwire.com/blog/posts/optimizing-404s-in-processwire/
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
ErrorDocument 404 /index.php ErrorDocument 404 /index.php
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 3. Handle request for missing favicon.ico/robots.txt files (no ending quote for Apache 1.3) # 3. Handle request for missing favicon.ico/robots.txt files (no ending quote for Apache 1.3)
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
@@ -76,6 +85,7 @@ ErrorDocument 404 /index.php
ErrorDocument 404 "The requested file robots.txt was not found. ErrorDocument 404 "The requested file robots.txt was not found.
</Files> </Files>
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 4. Protect from XSS with Apache headers # 4. Protect from XSS with Apache headers
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
@@ -92,14 +102,18 @@ ErrorDocument 404 /index.php
# Header set X-Content-Type-Options "nosniff" # Header set X-Content-Type-Options "nosniff"
</IfModule> </IfModule>
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 5. Prevent access to various types of files # 5. Prevent access to various types of files (v301)
# #
# Note that some of these rules are duplicated by RewriteRules or other .htaccess files, as we # Note that some of these rules are duplicated by RewriteRules or other .htaccess files, as we
# try to maintain two layers of protection when/where possible. # try to maintain two layers of protection when/where possible.
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
<FilesMatch "\.(inc|info|info\.json|module|sh|sql)$|^\..*$|composer\.(json|lock)$"> # 5A. Block access to inc, info, info.json/php, module/php, sh, sql and composer files
# -----------------------------------------------------------------------------------------------
<FilesMatch "\.(inc|info|info\.(json|php)|module|module\.php|sh|sql)$|^\..*$|composer\.(json|lock)$">
<IfModule mod_authz_core.c> <IfModule mod_authz_core.c>
Require all denied Require all denied
</IfModule> </IfModule>
@@ -108,7 +122,11 @@ ErrorDocument 404 /index.php
</IfModule> </IfModule>
</FilesMatch> </FilesMatch>
<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
# 5B. Block bak, conf, dist, ini, log, orig, sh, sql, swo, swp, ~, and more
# -----------------------------------------------------------------------------------------------
<FilesMatch "(^#.*#|\.(bak|conf|dist|in[ci]|log|orig|sh|sql|sw[op])|~)$">
<IfModule mod_authz_core.c> <IfModule mod_authz_core.c>
Require all denied Require all denied
</IfModule> </IfModule>
@@ -117,6 +135,7 @@ ErrorDocument 404 /index.php
</IfModule> </IfModule>
</FilesMatch> </FilesMatch>
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 6. Override a few PHP settings that can't be changed at runtime (not required) # 6. Override a few PHP settings that can't be changed at runtime (not required)
# Note: try commenting out this entire section below if getting Apache (500) errors. # Note: try commenting out this entire section below if getting Apache (500) errors.
@@ -128,12 +147,14 @@ ErrorDocument 404 /index.php
php_flag register_globals off php_flag register_globals off
</IfModule> </IfModule>
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 7. Set default directory index files # 7. Set default directory index files
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
DirectoryIndex index.php index.html index.htm DirectoryIndex index.php index.html index.htm
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 8. Enable Apache mod_rewrite (required) # 8. Enable Apache mod_rewrite (required)
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
@@ -142,6 +163,7 @@ DirectoryIndex index.php index.html index.htm
RewriteEngine On RewriteEngine On
# 8A. Optionally (O) set a rewrite base if rewrites are not working properly on your server. # 8A. Optionally (O) set a rewrite base if rewrites are not working properly on your server.
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# In addition, if your site directory starts with a "~" you will most likely have to use this. # In addition, if your site directory starts with a "~" you will most likely have to use this.
@@ -156,7 +178,7 @@ DirectoryIndex index.php index.html index.htm
# 8B. Set an environment variable so the installer can detect that mod_rewrite is active. # 8B. Set an environment variable so the installer can detect that mod_rewrite is active.
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# Note that some web hosts don't support this. If you get a (500) error, try commenting out this # Note that some web hosts don't support this. If you get a (500) error, try commenting out this
# SetEnv line below. It is okay to remove these lines after ProcessWire installation. # SetEnv line below.
<IfModule mod_env.c> <IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On SetEnv HTTP_MOD_REWRITE On
@@ -203,7 +225,7 @@ DirectoryIndex index.php index.html index.htm
# RewriteRule ^ - [env=proto:http] # RewriteRule ^ - [env=proto:http]
# 9F. Optionally (O) tell web browsers to only allow access via Strict-Transport-Security (HSTS) # 9F. Tell web browsers to only allow access via HSTS: Strict-Transport-Security (O) (v301)
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# This forces client-side SSL redirection. Before enabling be absolutely certain you can # This forces client-side SSL redirection. Before enabling be absolutely certain you can
# always serve via HTTPS because it becomes non-revokable for the duration of your max-age. # always serve via HTTPS because it becomes non-revokable for the duration of your max-age.
@@ -218,8 +240,10 @@ DirectoryIndex index.php index.html index.htm
# Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule> </IfModule>
# Sections 10 and 11 intentionally omitted # Sections 10 and 11 intentionally omitted
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 12. Access Restrictions: Keep web users out of dirs or files that begin with a period, # 12. Access Restrictions: Keep web users out of dirs or files that begin with a period,
# but let services like Lets Encrypt use the webroot authentication method. # but let services like Lets Encrypt use the webroot authentication method.
@@ -263,7 +287,10 @@ DirectoryIndex index.php index.html index.htm
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 15. Access Restrictions: Keep users out of some files and directories # 15. Access Restrictions (v301)
# -----------------------------------------------------------------------------------------------
# 15A. Keep http requests out of specific files and directories
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# Prevent all the following rules from blocking images in site install directories # Prevent all the following rules from blocking images in site install directories
@@ -318,6 +345,19 @@ DirectoryIndex index.php index.html index.htm
RewriteRule ^.*$ - [F,L] RewriteRule ^.*$ - [F,L]
# 15B. Block archive file types commonly used for backup purposes (O)
# -----------------------------------------------------------------------------------------------
# This blocks requests for zip, rar, tar, gz, and tgz files that are sometimes left on servers
# as backup files, and thus can be problematic for security. This rule blocks those files
# unless they are located within the /site/assets/files/ directory. This is not enabled by
# default since there are many legitimate use cases for these files, so uncomment the lines
# below if you want to enable this.
# RewriteCond %{REQUEST_URI} \.(zip|rar|tar|gz|tgz)$ [NC]
# RewriteCond %{REQUEST_URI} !(^|/)(site|site-[^/]+)/assets/files/\d+/ [NC]
# RewriteRule ^.*$ - [F,L]
# PW-PAGENAME # PW-PAGENAME
# ----------------------------------------------------------------------------------------------- # -----------------------------------------------------------------------------------------------
# 16A. Ensure that the URL follows the name-format specification required by PW # 16A. Ensure that the URL follows the name-format specification required by PW
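Review bot: The two `<FilesMatch>` patterns in section 5 (5A and 5B) are matched case-sensitively, while the new optional 15B rule uses `[NC]`, so a file named with an upper-case extension (for example a constructed `dump.SQL` or `config.INC`) would not be caught by this layer; this matters most on case-insensitive filesystems or where backups are saved with upper-case suffixes. Consider prefixing both patterns with `(?i)`, e.g. `<FilesMatch "(?i)(^#.*#|\.(bak|conf|dist|in[ci]|log|orig|sh|sql|sw[op])|~)$">`, after confirming that the Apache versions you support accept the inline flag. Separately, the 15B extension list omits other common archive suffixes such as `7z`, `bz2` and `xz`, which could be added to `\.(zip|rar|tar|gz|tgz)$` if the rule is meant to cover leftover backups. Whether the section 15 RewriteRules already cover these cases cannot be seen from these hunks.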