peter/ukaiautomation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0136ff95e2357dec76b1613cba52765be87554f2
ukaiautomation/.htaccess-enhanced

206 lines
7.9 KiB
Plaintext
Raw Normal View History

Add comprehensive security enhancements and analysis
2025-06-07 11:08:00 +01:00
# ===================================================================
# UK Data Services - Enhanced Security .htaccess
# ===================================================================
# Enable RewriteEngine
RewriteEngine On
# ===================================================================
# 🔒 SECURITY HEADERS
# ===================================================================
<IfModule mod_headers.c>
# Prevent MIME type sniffing
Header always set X-Content-Type-Options "nosniff"
# Prevent clickjacking
Header always set X-Frame-Options "DENY"
# Enable XSS filtering
Header always set X-XSS-Protection "1; mode=block"
# HSTS (HTTP Strict Transport Security) - Forces HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Referrer Policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions Policy (formerly Feature Policy)
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
# Content Security Policy (Enhanced)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com https://www.google-analytics.com https://www.clarity.ms; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com https://analytics.google.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
# Remove server signature
Header unset Server
Header unset X-Powered-By
# Cache control for sensitive files
<FilesMatch "\.(php|ini|log|sh|sql)$">
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "0"
</FilesMatch>
</IfModule>
# ===================================================================
# 🚫 BLOCK ACCESS TO SENSITIVE FILES
# ===================================================================
# Block access to sensitive files and directories
<FilesMatch "^(\.htaccess|\.htpasswd|\.env|\.git|\.svn|composer\.json|composer\.lock|package\.json|package-lock\.json)">
Require all denied
</FilesMatch>
# Block access to specific file extensions
<FilesMatch "\.(ini|log|conf|sql|sh|bak|backup|old|tmp|temp|swp|swo|save)$">
Require all denied
</FilesMatch>
# Block access to common backup and temporary files
<FilesMatch "(~|\.bak|\.backup|\.old|\.orig|\.save|\.swp|\.tmp|#)$">
Require all denied
</FilesMatch>
# Block access to logs directory
<Directory "logs">
Require all denied
</Directory>
# ===================================================================
# 🔐 DISABLE DANGEROUS PHP FUNCTIONS
# ===================================================================
<IfModule mod_php8.c>
php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source,highlight_file"
</IfModule>
# ===================================================================
# 🚫 DIRECTORY SECURITY
# ===================================================================
# Disable directory browsing
Options -Indexes
# Disable server signature
ServerTokens Prod
ServerSignature Off
# Prevent access to .git directory
<DirectoryMatch "^/.*/\.git/">
Require all denied
</DirectoryMatch>
# ===================================================================
# 📁 FILE UPLOAD RESTRICTIONS
# ===================================================================
# Block execution of uploaded files in uploads directory (if created)
<Directory "uploads">
<Files "*">
SetHandler default-handler
RemoveHandler .php .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .py .js .jsp .sh .bat
RemoveType .php .phtml .php3 .php4 .php5 .php6 .phps .cgi .pl .py .js .jsp .sh .bat
php_flag engine off
</Files>
</Directory>
# ===================================================================
# 🔒 FORCE HTTPS (Uncomment when SSL is enabled)
# ===================================================================
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ===================================================================
# 🛡️ ADDITIONAL SECURITY MEASURES
# ===================================================================
# Limit request size (10MB)
LimitRequestBody 10485760
# Timeout settings
Timeout 60
KeepAliveTimeout 15
# Prevent hotlinking (uncomment if needed)
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https://(www\.)?ukdataservices\.co\.uk/ [NC]
# RewriteRule \.(jpg|jpeg|png|gif|svg|css|js)$ - [F,L]
# ===================================================================
# 📧 EMAIL SECURITY
# ===================================================================
# Prevent email injection
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\[|\]|\(|\)|<|>|%0A|%0D|%22|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:|vbscript:|onload|onerror|onclick) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# ===================================================================
# 🔍 BLOCK COMMON ATTACK PATTERNS
# ===================================================================
# Block SQL injection attempts
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (union|select|insert|delete|update|drop|create|alter|exec|execute) [NC]
RewriteRule ^(.*)$ - [F,L]
# Block XSS attempts
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^e]*e)+mbed.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^o]*o)+bject.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# ===================================================================
# 🤖 BLOCK BAD BOTS AND SCRAPERS
# ===================================================================
# Block known bad bots (add more as needed)
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} (bot|crawler|spider|scraper|harvest|extract|grab|scan|copy|wget|curl) [NC]
RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|facebookexternalhit|linkedinbot|twitterbot|whatsapp|telegrambot) [NC]
RewriteCond %{HTTP_USER_AGENT} !^$ [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
# ===================================================================
# 📊 PERFORMANCE & CACHING
# ===================================================================
# Enable compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>
# Set cache headers for static files
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
</IfModule>
# ===================================================================
# END OF ENHANCED SECURITY CONFIGURATION
# ===================================================================
Reference in New Issue Copy Permalink