-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy path.htaccess
More file actions
74 lines (61 loc) · 2.69 KB
/
Copy path.htaccess
File metadata and controls
74 lines (61 loc) · 2.69 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
## Disable directory listings ##
Options -Indexes
DirectoryIndex index.html /not-allowed.html
##
##-------Enforce HTTPS connection of a folder-------##
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
##
## ROUTES ##
RewriteRule ^blog$ /blog.html [L]
RewriteRule ^contact$ /contact.html [L]
RewriteRule ^downloads$ /downloads.html [L]
RewriteRule ^privacypolicy$ /privacypolicy.html [L]
RewriteRule ^security$ /security.html [L]
RewriteRule ^terms-of-service$ /terms-of-service.html [L]
##
## COMPRESSION ##
AddOutputFilterByType DEFLATE image/jpeg
AddOutputFilterByType DEFLATE image/png
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
## HTST ##
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
##
## Content Security Policies ##
Header always set Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
Header always set X-Content-Security-Policy "default-src 'none'; script-src 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
Header always set X-WebKit-CSP "default-src 'none'; script-src 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self'; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"
##
## ANTI XSS ##
Header always set X-XSS-Protection "1; mode=block"
##
## ANTI SNIFFING ##
Header always set X-Content-Type-Options "nosniff"
##
## ANTI FRAME CLOAKING ##
Header always set X-Frame-Options "deny;"
##
## ACCESS CONTROL ##
Header always set Access-Control-Allow-Origin "null"
##
## CHARSET ##
Header always set Accept-Charset "utf-8"
Header always set Accept-Language "utf-8"
##
## REFERRER ##
Header always set Referrer-Policy "no-referrer"
##
## DISABLE CACHING ##
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires 0
##