# ============================================================
# WebFilesDesk — Apache configuration
# ============================================================
# Turn off auto-generated directory listings for folders that have no index file.
Options -Indexes
# Removes the version footer from server-generated pages (error pages etc.) only.
# The Server response header is governed by ServerTokens, which is a
# server-config directive and cannot be set from .htaccess.
ServerSignature Off
# ============================================================
# URL REWRITING — route all requests through index.php
# ============================================================
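<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Refuse any URL containing a path segment named config or vendor. This
    # must come before the pass-through rule below, which would otherwise
    # serve existing files from those directories directly.
    # NC covers case-insensitive filesystems. Note that this also blocks
    # application routes that happen to use those segment names.
    RewriteRule ^(.*/)?(config|vendor)(/|$) - [F,NC]

    # Allow direct access to existing files and directories
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # Route everything else to index.php
    RewriteRule ^ index.php [L]
</IfModule>
# ============================================================
# SECURITY — block access to sensitive files and directories
# ============================================================
# config/ and vendor/ are denied by the RewriteRule above.
# <DirectoryMatch> is valid only in server or virtual-host context; inside a
# .htaccess file Apache rejects it ("not allowed here") and answers every
# request with a 500, and the surrounding <IfModule> does not prevent that.
# The rewrite rule needs mod_rewrite. As a second layer, keep these
# directories outside the document root, or place a .htaccess containing
# "Require all denied" in each of them.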
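# Block access to sensitive file types.
# (?i) makes the match case-insensitive, so conf.INI or dump.SQL cannot slip
# past the filter on a case-insensitive filesystem.
# This is an extension denylist: backups saved under other suffixes
# (for example .old or a trailing ~) are not covered and should not be kept
# inside the document root.
<FilesMatch "(?i)\.(ini|log|sh|sql|env|bak|swp|orig)$">
    # Apache 2.4+ authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>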
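# Block .htaccess itself from being read.
# Both authorization syntaxes are given so the file is still denied on a
# server without mod_authz_core (Apache 2.2); with only the 2.4 branch the
# block would be empty there and protection would depend on the main
# server configuration.
<Files ".htaccess">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>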
# ============================================================
# SECURITY HEADERS
# ============================================================
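<IfModule mod_headers.c>
    # Remove the PHP version banner from both header tables: the plain form
    # covers successful responses, the "always" form covers error responses.
    # Setting expose_php = Off in php.ini stops it at the source.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # Stop browsers from MIME-sniffing a response into another content type.
    Header always set X-Content-Type-Options "nosniff"

    # Only allow framing by same-origin pages (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"

    # The legacy browser XSS auditor has been removed from current browsers,
    # and in older ones "1; mode=block" could itself be abused to leak
    # information, so the filter is switched off explicitly.
    # A Content-Security-Policy tailored to the application is the control
    # that replaces it; none is set here.
    Header always set X-XSS-Protection "0"
</IfModule>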
# ============================================================
# STATIC FILE CACHING
# ============================================================
<IfModule mod_expires.c>
# Enable Expires / Cache-Control: max-age generation for the types listed below.
ExpiresActive On
# Lifetimes are counted from the time of the client's access ("access plus ...").
# Stylesheets and scripts: 7 days.
ExpiresByType text/css "access plus 7 days"
ExpiresByType application/javascript "access plus 7 days"
# Images and fonts: 30 days.
# NOTE(review): matching is by response Content-Type, so these lifetimes would
# also apply to responses index.php emits with these types unless they already
# carry their own Expires header. Confirm that authenticated file downloads set
# explicit cache headers so they are not stored by shared caches.
ExpiresByType image/png "access plus 30 days"
ExpiresByType image/jpeg "access plus 30 days"
ExpiresByType image/gif "access plus 30 days"
ExpiresByType image/svg+xml "access plus 30 days"
ExpiresByType image/x-icon "access plus 30 days"
ExpiresByType font/woff2 "access plus 30 days"
</IfModule>
# ============================================================
# UPLOAD LIMIT — adjust to match conf.ini max_upload_size
# Uncomment if PHP settings are managed via .htaccess (mod_php only; under
# PHP-FPM or CGI, php_value is an unknown directive and causes a 500 error)
# ============================================================
# php_value upload_max_filesize 100M
# php_value post_max_size 100M
# php_value memory_limit 256M
# php_value max_execution_time 300
# ============================================================
# CHARSET
# ============================================================
# Adds charset=UTF-8 to text/plain and text/html responses that do not declare one.
AddDefaultCharset UTF-8