Secure contact form and email configuration

- Add email header injection prevention - Implement referer checking for form submissions - Create .htaccess security rules for handlers - Add secure email configuration file - Include UTF-8 database backup - Restrict access to sensitive files 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-06-08 03:42:09 +00:00
parent 263dc394dd
commit 624613a0d0
4 changed files with 126 additions and 10 deletions
--- a/.htaccess
+++ b/.htaccess
@@ -1,15 +1,31 @@
-# Simplified .htaccess for basic functionality
-# Remove advanced features that might cause issues
+# Security Rules for UK Data Services

-# Basic security (commented out for now)
-# Header always set X-Content-Type-Options nosniff
-# Header always set X-Frame-Options DENY
-
-# Prevent access to sensitive files
-<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak)$">
+# Protect sensitive files and configs
+<FilesMatch "^\.(.*)$|\.log$|\.sql$|\.conf$|config\.php$|\.email-config\.php$|\.htaccess|\.htpasswd|\.ini|\.sh|\.inc|\.bak$">
    Require all denied
 </FilesMatch>

+# Protect contact handlers from direct browser access (POST only)
+<Files "contact-handler.php">
+    <LimitExcept POST>
+        Require all denied
+    </LimitExcept>
+</Files>
+
+<Files "quote-handler.php">
+    <LimitExcept POST>
+        Require all denied
+    </LimitExcept>
+</Files>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options "nosniff"
+    Header always set X-Frame-Options "SAMEORIGIN"
+    Header always set X-XSS-Protection "1; mode=block"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>
+
 # Basic compression (if mod_deflate is available)
 <IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
@@ -19,4 +35,16 @@
 </IfModule>

 # Disable directory browsing
-Options -Indexes
+Options -Indexes
+
+# Prevent access to logs and database directories
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^logs(/.*)?$ - [F,L]
+    RewriteRule ^database(/.*)?$ - [F,L]
+    RewriteRule ^\.git(/.*)?$ - [F,L]
+    RewriteRule ^docker(/.*)?$ - [F,L]
+</IfModule>
+
+# Disable server signature
+ServerSignature Off