HTACCESS ref
# ######################################################################
# # CROSS-ORIGIN                                                       #
# ######################################################################

# ----------------------------------------------------------------------
# | Cross-origin images                                                |
# ----------------------------------------------------------------------

# Send the CORS header for images when browsers request it.
#
# `SetEnvIf Origin ":"` flags only requests that actually carry an
# `Origin` header (its value contains a scheme separator), so the
# `Access-Control-Allow-Origin` header is emitted solely on cross-origin
# fetches and plain same-origin image loads stay untouched.
#
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html

<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>
# ----------------------------------------------------------------------
# | Cross-origin web fonts                                             |
# ----------------------------------------------------------------------

# Allow cross-origin access to web fonts. Browsers enforce CORS on font
# loads, so a wildcard origin is what lets other sites (or a CDN-hosted
# page) use these font files; no credentials are involved.

<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>
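# ----------------------------------------------------------------------
# | Server-side technology information                                 |
# ----------------------------------------------------------------------

# Remove the `X-Powered-By` response header that:
#
#  * is set by some frameworks and server-side languages
#    (e.g.: ASP.NET, PHP), and its value contains information
#    about them (e.g.: their name, version number)
#
#  * doesn't provide any value to users, contributes to header
#    bloat, and in some cases, the information it provides can
#    expose vulnerabilities
#
# (!) If you can, you should disable the `X-Powered-By` header from the
# language / framework level (e.g.: for PHP, you can do that by setting
# `expose_php = off` in `php.ini`)
#
# https://php.net/manual/en/ini.core.php#ini.expose-php

<IfModule mod_headers.c>
    # `Header unset` on its own only edits the table used for 2xx
    # responses. Headers added by a script/handler, and headers on error
    # responses, live in the `always` table, so both forms are needed
    # for the header to disappear consistently.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>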
# ----------------------------------------------------------------------
# | Server software information                                        |
# ----------------------------------------------------------------------

# Prevent Apache from adding a trailing footer line containing
# information about the server to the server-generated documents
# (e.g.: error messages, directory listings, etc.)
#
# Note that the `Server` response header itself is controlled by
# `ServerTokens`, which is server-config only and cannot be set from a
# `.htaccess` file.
#
# https://httpd.apache.org/docs/current/mod/core.html#serversignature

ServerSignature Off
# ######################################################################
# # INTERNET EXPLORER                                                  #
# ######################################################################

# ----------------------------------------------------------------------
# | Document modes                                                     |
# ----------------------------------------------------------------------

# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not.
#
# https://hsivonen.fi/doctype/#ie8
#
# (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
#
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/

<IfModule mod_headers.c>

    Header set X-UA-Compatible "IE=edge"

    # `mod_headers` cannot match on the response content-type, but the
    # `X-UA-Compatible` header should only be sent for HTML documents.
    # Work around that by setting it globally above and then removing it
    # again for every non-HTML file extension listed here.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|br|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|gz|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|wasm|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-UA-Compatible
    </FilesMatch>

</IfModule>
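# ######################################################################
# # WordPress things                                                   #
# ######################################################################

# PHP runtime limits for the WordPress admin (large forms, menus, etc.).
#
# `php_value` is only honoured when PHP runs as an Apache module, and the
# module identifier changes with the PHP major version, so the same
# settings are repeated once per identifier; at most one of these blocks
# is active on a given server. The `<IfModule>` guards also keep Apache
# from failing with "Invalid command 'php_value'" when PHP runs via
# PHP-FPM / FastCGI -- in that setup these directives are ignored and the
# limits have to be set in `php.ini` or a `.user.ini` file instead.

<IfModule mod_php5.c>
    php_value max_input_vars 3000
    php_value max_input_time 120
    php_value max_execution_time 60
</IfModule>

<IfModule mod_php7.c>
    php_value max_input_vars 3000
    php_value max_input_time 120
    php_value max_execution_time 60
</IfModule>

<IfModule mod_php.c>
    php_value max_input_vars 3000
    php_value max_input_time 120
    php_value max_execution_time 60
</IfModule>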
# DEVELOPMENT
# <IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteBase /~vitorbritto/vibes
# RewriteRule ^index\.php$ - [L]
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule . /~vitorbritto/vibes/index.php [L]
# </IfModule>

# DEVELOPMENT - DOCKER
#
# Standard WordPress front controller: a literal request for `index.php`
# passes through unchanged, and any path that is neither an existing file
# nor an existing directory is handed to `index.php`. This is the only
# variant that is active; the other environments above and below are kept
# commented out for reference.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
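# PRODUCTION - REDIRECT 301
# <IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteCond %{SERVER_PORT} !^443$
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# RewriteBase /
# RewriteRule ^index\.php$ - [L]
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
# RewriteRule . /index.php [L]
# </IfModule>
#
# NOTE(review): if TLS is terminated by a proxy / load balancer in front of
# Apache, `%{SERVER_PORT}` is the backend port and the redirect above would
# loop; in that setup test `%{HTTP:X-Forwarded-Proto}` instead -- confirm
# against the deployment before enabling.

# BEGIN block author scans
#
# Answer `?author=N` queries with 403. WordPress otherwise redirects them
# to the author archive, which discloses the account's login name.
# Wrapped in `<IfModule>` like every other rewrite block in this file:
# without the guard, a server lacking mod_rewrite fails every request with
# a 500 ("Invalid command 'RewriteEngine'") instead of serving the site.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
</IfModule>
# END block author scans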
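# BEGIN block WordPress xmlrpc.php requests
#
# `xmlrpc.php` is a legacy remote API that is commonly abused for login
# guessing; deny it unless a plugin or client genuinely needs it.
#
# The original used only the Apache 2.2 `order`/`deny` directives, which
# on 2.4 depend on mod_access_compat being loaded and otherwise fail the
# request with a 500. Use the 2.4 authorization syntax when mod_authz_core
# is present and fall back to the legacy form only when it is not, which
# is the same pattern the `<FilesMatch>` block further down already uses.
<IfModule mod_authz_core.c>
    <Files xmlrpc.php>
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>
</IfModule>
# END block WordPress xmlrpc.php requests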
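# BEGIN protect htaccess from unauthorized access
#
# Deny direct download of Apache per-directory configuration files.
#
# The original pattern `^.*\.([Hh][Tt][Aa])` only matched names containing
# `.hta` and therefore left `.htpasswd` / `.htgroup` / `.htdigest`
# uncovered; the pattern below matches anything whose name starts with
# `.ht` (case-insensitively) and still matches the old `.hta` case.
# The hidden-file rewrite rule later in this file blocks dotfiles too, but
# this block does not depend on mod_rewrite being available.
#
# Apache 2.4 syntax first; `Order`/`Deny`/`Satisfy` are 2.2-era directives
# that only work on 2.4 with mod_access_compat, so they are confined to
# the fallback branch.
<IfModule mod_authz_core.c>
    <FilesMatch "^\.[Hh][Tt]|\.[Hh][Tt][Aa]">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "^\.[Hh][Tt]|\.[Hh][Tt][Aa]">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
</IfModule>
# END protect htaccess from unauthorized access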
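# BEGIN protect your WordPress configuration wp-config.php file
#
# `wp-config.php` holds database credentials and the authentication salts;
# it must never be served, even if the PHP handler is misconfigured and the
# file would otherwise be returned as plain text.
#
# Same 2.4 / 2.2 split as the other access-control blocks in this file:
# `Require` needs mod_authz_core, `Order`/`Deny` need mod_access_compat.
<IfModule mod_authz_core.c>
    <Files wp-config.php>
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>
</IfModule>
# END protect your WordPress configuration wp-config.php file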
# BEGIN disable directory browsing
#
# Without this, a request for a directory that has no index document gets
# an auto-generated listing of its contents (uploads, backups, plugin
# files). `Options` in `.htaccess` requires `AllowOverride Options` (or
# `All`) in the server configuration to take effect.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>
# END disable directory browsing
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved
# state of a utility, and can include rather private places like, for
# example, the `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible
# content should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Skip the rule for visible entries below `/.well-known/` ...
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    # ... and only act when the target actually exists on disk, either as
    # a directory or as a regular file.
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    # Any path segment starting with a dot is answered with 403.
    RewriteRule "(^|/)\." - [F]
</IfModule>
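# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be
# left by some text editors and can pose a security risk when anyone
# has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `<FilesMatch>` regular expression from below to
# include any files that might end up on your production server and
# can expose sensitive information about your website. These files may
# include: configuration files, files that contain metadata about the
# project (e.g.: project dependencies), build scripts, etc..

<IfModule mod_authz_core.c>
    <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 fallback: the original file had no branch for servers without
# mod_authz_core, so on those the pattern above was silently a no-op. Same
# pattern, legacy access-control syntax.
<IfModule !mod_authz_core.c>
    <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
</IfModule>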
# ----------------------------------------------------------------------
# | Character encodings                                                |
# ----------------------------------------------------------------------

# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# Declaring the charset explicitly also removes any room for browser
# charset sniffing on these responses.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

AddDefaultCharset utf-8

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset

<IfModule mod_mime.c>
    AddCharset utf-8 .atom \
                     .bbaw \
                     .css \
                     .geojson \
                     .ics \
                     .js \
                     .json \
                     .jsonld \
                     .manifest \
                     .markdown \
                     .md \
                     .mjs \
                     .rdf \
                     .rss \
                     .topojson \
                     .vtt \
                     .webapp \
                     .webmanifest \
                     .xloc \
                     .xml
</IfModule>
# ######################################################################
# # WEB PERFORMANCE                                                    #
# ######################################################################

# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------

<IfModule mod_deflate.c>

    # Force compression for mangled `Accept-Encoding` request headers
    #
    # Some proxies rewrite the `Accept-Encoding` header name into a
    # same-length garbage string; the pattern below recognises those
    # variants and re-adds a proper `Accept-Encoding: gzip,deflate`.
    #
    # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html

    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    # Compress all output labeled with one of the following media types.
    #
    # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype

    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/wasm" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/collection" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "font/otf" \
                                      "font/ttf" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/calendar" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/markdown" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>

    # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    # Map the following filename extensions to the specified
    # encoding type in order to make Apache serve the file types
    # with the appropriate `Content-Encoding` response header
    # (do note that this will NOT make Apache compress them!).
    #
    # If these file types were served without an appropriate
    # `Content-Encoding` response header, client applications (e.g.:
    # browsers) wouldn't know that they first need to uncompress
    # the response, and thus, wouldn't be able to understand the
    # content.
    #
    # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding

    <IfModule mod_mime.c>
        AddEncoding gzip svgz
    </IfModule>

</IfModule>
# ----------------------------------------------------------------------
# | ETags                                                              |
# ----------------------------------------------------------------------

# Remove `ETags` as resources are sent with far-future expires headers.
#
# https://developer.yahoo.com/performance/rules.html#etags
# https://tools.ietf.org/html/rfc7232#section-2.3

# `FileETag None` doesn't work in all cases, so the header is additionally
# stripped with mod_headers when that module is available.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>

FileETag None
# ----------------------------------------------------------------------
# | Expires headers                                                    |
# ----------------------------------------------------------------------

# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# Rule of thumb used below: content that changes with the site (HTML,
# feeds, data) gets no caching or a short TTL, versioned static assets
# (CSS/JS/wasm) get a year, and media and fonts sit in between.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html

<IfModule mod_expires.c>

    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

  # CSS

    ExpiresByType text/css                              "access plus 1 year"

  # Data interchange

    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/calendar                         "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images

    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML

    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript

    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

  # Manifest files

    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"

  # Markdown

    ExpiresByType text/markdown                         "access plus 0 seconds"

  # Media files

    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"

  # WebAssembly

    ExpiresByType application/wasm                      "access plus 1 year"

  # Web fonts

    # Collection
    ExpiresByType font/collection                       "access plus 1 month"

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 month"
    ExpiresByType font/otf                              "access plus 1 month"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 month"
    ExpiresByType font/ttf                              "access plus 1 month"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 month"
    ExpiresByType font/woff2                            "access plus 1 month"

  # Other

    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

</IfModule>