.htaccess setup for performance and security
# PHP error display can only be controlled from here under mod_php; with
# PHP-FPM/CGI an uncommented `php_value` line is an unknown directive and
# turns into a 500 for the whole site. Keep it commented out unless mod_php
# is in use (and then prefer setting it in php.ini).
#php_value display_errors Off
#
# WEB PERFORMANCE
#
# Drop `ETag` headers: the far-future `Expires` headers below make them
# redundant. `FileETag None` alone is not honoured in every setup, so the
# header is additionally stripped explicitly whenever mod_headers is loaded.
FileETag None
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
# Serve resources with far-future expires headers, grouped by lifetime.
# The one-year lifetimes on CSS/JS only work together with cache-busting
# file names (hash or version in the URL); without them a deploy is not
# picked up by returning visitors for up to a year.
# Any response type not listed here (for example `text/plain`) inherits the
# one-month default, so make sure no dynamically generated response is sent
# with such a type.
<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

    # Never cached: documents and data that change with every request.
    ExpiresByType text/html                             "access plus 0 seconds"
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

    # Feeds: one hour.
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    # Favicons, web app manifest, cross-domain policy: one week.
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

    # Media and fonts: one month.
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"
    ExpiresByType font/opentype                         "access plus 1 month"
    ExpiresByType application/x-font-ttf                "access plus 1 month"
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"
    ExpiresByType application/font-woff2                "access plus 1 month"

    # Versioned static code: one year (requires cache-busting file names).
    ExpiresByType text/css                              "access plus 1 year"
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"
</IfModule>
#
# MEDIA TYPES AND CHARACTER ENCODINGS
#
# Map file extensions to the media types they should be served with, so
# that browsers (which are told not to sniff further down) get a correct
# Content-Type for every asset.
# NOTE(review): `.rdf` is mapped to `application/xml` here, so the
# `application/rdf+xml` expiry above never applies to `.rdf` files from
# this tree - they get the zero-second `application/xml` lifetime instead.
# NOTE(review): `.svgz` files are gzip-compressed; serving them as
# `image/svg+xml` normally also needs a matching `Content-Encoding`, which
# is not configured in this file.
<IfModule mod_mime.c>
    # Data interchange and feeds
    AddType application/atom+xml                    atom
    AddType application/rss+xml                     rss
    AddType application/xml                         rdf xml
    AddType application/json                        json map topojson
    AddType application/ld+json                     jsonld
    AddType application/vnd.geo+json                geojson

    # Scripts and manifests
    AddType application/javascript                  js
    AddType application/manifest+json               webmanifest
    AddType application/x-web-app-manifest+json     webapp
    AddType text/cache-manifest                     appcache

    # Images
    AddType image/bmp                               bmp
    AddType image/svg+xml                           svg svgz
    AddType image/webp                              webp
    AddType image/x-icon                            cur ico

    # Audio and video
    AddType audio/mp4                               f4a f4b m4a
    AddType audio/ogg                               oga ogg opus
    AddType video/mp4                               f4v f4p m4v mp4
    AddType video/ogg                               ogv
    AddType video/webm                              webm
    AddType video/x-flv                             flv

    # Web fonts
    AddType application/font-woff                   woff
    AddType application/font-woff2                  woff2
    AddType application/vnd.ms-fontobject           eot
    AddType application/x-font-ttf                  ttc ttf
    AddType font/opentype                           otf

    # Browser extensions and other downloads
    AddType application/octet-stream                safariextz
    AddType application/x-bb-appworld               bbaw
    AddType application/x-chrome-extension          crx
    AddType application/x-opera-extension           oex
    AddType application/x-xpinstall                 xpi

    # Miscellaneous text formats
    AddType text/vcard                              vcard vcf
    AddType text/vnd.rim.location.xloc              xloc
    AddType text/vtt                                vtt
    AddType text/x-component                        htc
</IfModule>
# Every `text/html` and `text/plain` response gets `charset=UTF-8` in its
# Content-Type. Declaring the encoding explicitly also removes any room for
# a browser to guess a different one.
AddDefaultCharset utf-8

# The same `charset=UTF-8` parameter for these text-based extensions, which
# are not covered by AddDefaultCharset.
<IfModule mod_mime.c>
    AddCharset utf-8 .atom .bbaw .css .geojson .js .json .jsonld .manifest \
                     .rdf .rss .topojson .vtt .webapp .webmanifest .xloc .xml
</IfModule>
#
# SECURITY
#
# Clickjacking protection: forbid embedding this site's pages in a frame on
# any origin, including its own. Use `SAMEORIGIN` instead if the site needs
# to frame its own pages. Modern browsers prefer the CSP `frame-ancestors`
# directive, which this file does not set.
<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"
# Static assets get the header removed again.
# NOTE(review): the exception list includes types that can carry active
# content or be rendered as a standalone document (svg, pdf, swf, txt, xml);
# files of those types can therefore be framed cross-origin. Confirm that is
# intended before serving such files from this tree.
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-Frame-Options
</FilesMatch>
</IfModule>
# Block access to all hidden files and directories (`.git`, `.env`,
# `.htpasswd`, editor state files ...) with the exception of the visible
# content from within the `/.well-known/` hidden directory (ACME challenges,
# `security.txt` and similar).
# Only paths that exist on disk as a directory (-d) or a regular file (-f)
# are rejected with 403; a request for a non-existent dot-path falls through
# to the normal 404 handling.
# NOTE(review): this protection only exists while mod_rewrite is loaded.
# With the module missing, every dot-file in the tree becomes downloadable,
# so do not rely on it as the sole guard for secrets - keep them out of the
# document root where possible.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
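# Block access to files that can expose sensitive information: editor and
# backup leftovers (`*~`, `#foo#`, `.sw[op]`, `.bak`, `.orig`), configuration
# and include files (`.conf`, `.dist`, `.env`, `.ini`, `.inc`), logs, SQL
# dumps, shell scripts and design sources (`.fla`, `.psd`).
# `.env` is listed even though the dot-file rule above already covers it:
# that rule only works when mod_rewrite is loaded, this one has no such
# dependency. `FilesMatch` tests the file name only, so these names are
# blocked in every subdirectory.
<FilesMatch "(^#.*#|\.(bak|conf|dist|env|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
    # Apache >= 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache < 2.4: without this fallback the whole block is a silent no-op
    # on an older server and the files stay downloadable.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>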
# Stop browsers from MIME-sniffing a response away from its declared
# Content-Type (this is why the AddType table above must be correct), and
# drop the `X-Powered-By` header that application runtimes add to advertise
# themselves (e.g. PHP with `expose_php` on). If `X-Powered-By` still shows
# up on redirects or error responses, repeat the unset with `Header always`.
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header unset X-Powered-By
</IfModule>

# Don't append the server version footer to Apache-generated documents
# (error pages, directory listings). The `Server` response header itself is
# governed by `ServerTokens`, which is server-config only and cannot be set
# from .htaccess.
ServerSignature Off
# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not. Only those IE versions
# interpret this header; it is harmless, but pure legacy, for everyone else.
<IfModule mod_headers.c>
Header set X-UA-Compatible "IE=edge"
# Removed again for static assets, where a rendering-mode hint has no
# meaning (presumably the intent of the list; it mirrors the X-Frame-Options
# exception list above).
<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset X-UA-Compatible
</FilesMatch>
</IfModule>
# Web fonts are refused by browsers when loaded cross-origin without CORS,
# so allow any origin for them. The wildcard is acceptable here: fonts are
# public static files and `*` never grants credentialed access.
<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>
# Disable MultiViews content negotiation (a request for `/foo` could
# otherwise be answered with some other `foo.*` file in the directory) and
# directory listings.
# Both switches require `AllowOverride Options` (or at least
# `Options=Indexes,MultiViews`) in the server config; without it this line
# itself makes Apache return a 500.
Options -Indexes -MultiViews
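# HTTP Strict Transport Security: tell browsers to use HTTPS only.
# max-age is one year (31536000 s), the usual recommendation and the minimum
# the browser preload list requires. `includeSubDomains` commits EVERY
# subdomain to HTTPS - do not keep it if any subdomain still has to be
# served over plain HTTP. `always` so the header also goes out on error
# responses. Browsers ignore HSTS received over plain HTTP, so sending it on
# the pre-redirect HTTP response is harmless; `env=HTTPS` would restrict it
# to TLS responses but also suppress it behind a TLS-terminating proxy.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>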
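# Cookie hardening: add `HttpOnly` and `Secure` to every Set-Cookie header
# that does not already carry the flag. The negative lookahead keeps the
# edit from duplicating a flag the application set itself. Both the default
# and the `always` header tables are edited, because which table a cookie
# lands in depends on how the response was produced (per mod_headers, CGI
# output and locally generated non-2xx responses such as redirects live in
# the `always` table).
# `Secure` cookies are never sent over plain HTTP; that is safe only because
# HTTP is redirected to HTTPS below. `SameSite` is not added here - set it in
# the application if the cookies need CSRF protection.
# Wrapped in <IfModule>: an unguarded `Header` directive is a 500 for the
# whole site when mod_headers is not loaded.
<IfModule mod_headers.c>
    Header edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*HttpOnly).)+)$" "$1; HttpOnly"
    Header edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
    Header always edit Set-Cookie "(?i)^((?:(?!;\s*Secure).)+)$" "$1; Secure"
</IfModule>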
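# Redirect plain HTTP to HTTPS.
# `%{HTTPS}` is the reliable test: a `%{SERVER_PORT} 80` condition is a
# regex match, so it also fires on ports 8080/180/800 and never fires on a
# non-80 listener. Like the HSTS header above this assumes TLS terminates in
# this Apache instance; behind a TLS-terminating proxy test the
# `X-Forwarded-Proto` header instead, or the redirect loops.
# 301 rather than the default 302 so clients and caches remember the
# canonical scheme. The target reuses the client-supplied Host header; if the
# site has one canonical hostname, hard-code it here so the redirect target
# does not depend on a client-controlled value. The query string is carried
# over automatically by mod_rewrite.
# Deliberately not wrapped in <IfModule mod_rewrite.c>: without mod_rewrite
# this fails loudly (500) instead of silently serving the site over HTTP.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]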