From a083e02d02500229c94c30686e21331e7d4b9dd5 Mon Sep 17 00:00:00 2001
From: Josh <josh.t.richards@gmail.com>
Date: Wed, 11 Mar 2026 12:29:57 -0400
Subject: [PATCH 1/3] refactor(.htaccess): re-order deny rules

Mostly for clarity, but technically a micro-optimization too.

Signed-off-by: Josh <josh.t.richards@gmail.com>
---
 .htaccess | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/.htaccess b/.htaccess
index db4f32a1fbb4a..ec75dfc9ad272 100644
--- a/.htaccess
+++ b/.htaccess
@@ -113,6 +113,13 @@
     RewriteCond %{HTTP_USER_AGENT} DavClnt
     RewriteRule ^$ /remote.php/webdav/ [L,R=302]
 
+##
+## Rule: Prevent access to various non-public files
+##
+
+    RewriteRule ^(?:build/.*|tests/.*|config/.*|lib/.*|3rdparty/.*|templates/.*)$ - [R=404,L]
+    RewriteRule ^(?:autotest.*|occ.*|issue.*|indie.*|db_.*|console.*)$ - [R=404,L]
+
 ##
 ## Rule: Map the RFC 8615 / RFC 6764 compliant well-known URI for CardDAV to our Remote DAV endpoint
 ##
@@ -126,33 +133,36 @@
     RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
 
 ##
-## Rule: Map /remote* --> /remote.php* including the query string
+## Rule: Maps most RFC 8615 compliant well-known URIs to our main frontend controller (/index.php) by default
 ##
 ## Context:
+##    - Intentionally excludes URIs used for HTTPS certificate verifications
+##        - RFC 8555 / ACME HTTP Challenges (acme-challenge) 
+##        - File-based Validations (pki-validation)
 ##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
-##    - XXX: Is this even used anymore? Seems a relic from <NC12
+##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
 ##
 
-    RewriteRule ^remote/(.*) remote.php [QSA,L]
+    RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
 
 ##
-## Rule: Prevent access to non-public files
+## Rule: Prevent access to hidden files except `.well-known`
+##
+## Context:
+##    - XXX It may make sense to merge some of these with the others (i.e. the ones that don't need to be last)
 ##
 
-    RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
+    RewriteRule ^(?:\.(?!well-known)).* - [R=404,L]
 
 ##
-## Rule: Maps most RFC 8615 compliant well-known URIs to our main frontend controller (/index.php) by default
+## Rule: Map /remote* --> /remote.php* including the query string
 ##
 ## Context:
-##    - Intentionally excludes URIs used for HTTPS certificate verifications
-##        - RFC 8555 / ACME HTTP Challenges (acme-challenge) 
-##        - File-based Validations (pki-validation)
 ##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
-##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
+##    - XXX: Is this even used anymore? Seems a relic from <NC12
 ##
 
-    RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
+    RewriteRule ^remote/(.*) remote.php [QSA,L]
 
 ##
 ## Rule: Map the ocm-provider handling to our main frontend controller (/index.php)
@@ -164,15 +174,6 @@
 
     RewriteRule ^ocm-provider/?$ index.php [QSA,L]
 
-##
-## Rule: Prevent access to more non-public files
-##
-## Context:
-##    - XXX It may make sense to merge some of these with the others (i.e. the ones that don't need to be last)
-##
-
-    RewriteRule ^(?:\.(?!well-known)|autotest|occ|issue|indie|db_|console).* - [R=404,L]
-
 </IfModule>
 
 # Clients like xDavv5 on Android, or Cyberduck, use chunked requests.

From 7b127739915784ecf689018073e713a4314c8b95 Mon Sep 17 00:00:00 2001
From: Josh <josh.t.richards@gmail.com>
Date: Wed, 11 Mar 2026 13:22:57 -0400
Subject: [PATCH 2/3] refactor(.htaccess): further refine ordering to be more
 logical

Mostly to ease maintenance, but also a micro-optimization on the deny path

Signed-off-by: Josh <josh.t.richards@gmail.com>
---
 .htaccess | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/.htaccess b/.htaccess
index ec75dfc9ad272..f999fc895a41a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -102,6 +102,22 @@
 
     RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
 
+##
+## Rule: Prevent access to various non-public files
+##
+
+    RewriteRule ^(?:build/.*|tests/.*|config/.*|lib/.*|3rdparty/.*|templates/.*)$ - [R=404,L]
+    RewriteRule ^(?:autotest.*|occ.*|issue.*|indie.*|db_.*|console.*)$ - [R=404,L]
+
+##
+## Rule: Prevent access to hidden files except `.well-known`
+##
+## Context:
+##    - XXX It may make sense to merge some of these with the others (i.e. the ones that don't need to be last)
+##
+
+    RewriteRule ^(?:\.(?!well-known)).* - [R=404,L]
+
 ##
 ## Rule: Workaround for WebDAV with MS DavClnt
 ##
@@ -113,13 +129,6 @@
     RewriteCond %{HTTP_USER_AGENT} DavClnt
     RewriteRule ^$ /remote.php/webdav/ [L,R=302]
 
-##
-## Rule: Prevent access to various non-public files
-##
-
-    RewriteRule ^(?:build/.*|tests/.*|config/.*|lib/.*|3rdparty/.*|templates/.*)$ - [R=404,L]
-    RewriteRule ^(?:autotest.*|occ.*|issue.*|indie.*|db_.*|console.*)$ - [R=404,L]
-
 ##
 ## Rule: Map the RFC 8615 / RFC 6764 compliant well-known URI for CardDAV to our Remote DAV endpoint
 ##
@@ -146,13 +155,14 @@
     RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
 
 ##
-## Rule: Prevent access to hidden files except `.well-known`
+## Rule: Map the ocm-provider handling to our main frontend controller (/index.php)
 ##
 ## Context:
-##    - XXX It may make sense to merge some of these with the others (i.e. the ones that don't need to be last)
+##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
+##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
 ##
 
-    RewriteRule ^(?:\.(?!well-known)).* - [R=404,L]
+    RewriteRule ^ocm-provider/?$ index.php [QSA,L]
 
 ##
 ## Rule: Map /remote* --> /remote.php* including the query string
@@ -164,16 +174,6 @@
 
     RewriteRule ^remote/(.*) remote.php [QSA,L]
 
-##
-## Rule: Map the ocm-provider handling to our main frontend controller (/index.php)
-##
-## Context:
-##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
-##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
-##
-
-    RewriteRule ^ocm-provider/?$ index.php [QSA,L]
-
 </IfModule>
 
 # Clients like xDavv5 on Android, or Cyberduck, use chunked requests.

From cfa3b5c06cc1b4ee047280f5ececcf3554ea9acd Mon Sep 17 00:00:00 2001
From: Josh <josh.t.richards@gmail.com>
Date: Wed, 11 Mar 2026 13:27:52 -0400
Subject: [PATCH 3/3] refactor.htaccess): normalize to relative path for
 consistency

Signed-off-by: Josh <josh.t.richards@gmail.com>
---
 .htaccess | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.htaccess b/.htaccess
index f999fc895a41a..ee48f101cede5 100644
--- a/.htaccess
+++ b/.htaccess
@@ -149,17 +149,15 @@
 ##        - RFC 8555 / ACME HTTP Challenges (acme-challenge) 
 ##        - File-based Validations (pki-validation)
 ##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
-##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
 ##
 
-    RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) /index.php [QSA,L]
+    RewriteRule ^\.well-known/(?!acme-challenge|pki-validation) index.php [QSA,L]
 
 ##
 ## Rule: Map the ocm-provider handling to our main frontend controller (/index.php)
 ##
 ## Context:
 ##    - XXX: `QSA` seems unnecessary (no-op) here (query string is passed by default when the replacement URI doesn't contain a query string)
-##    - XXX: Sometimes we are using `/index.php` and other times `index.php` as our replacement URI; this may be incorrect
 ##
 
     RewriteRule ^ocm-provider/?$ index.php [QSA,L]