Htaccess File


# No auto-generated directory listings and no MultiViews content negotiation
# for this tree; symbolic links inside it are followed.
# NOTE(review): +FollowSymLinks follows a link regardless of who owns the
# target. On shared hosting, SymLinksIfOwnerMatch is the stricter choice.
Options -Indexes -MultiViews +FollowSymLinks

# Charset added to text/plain and text/html responses that do not declare one.
AddDefaultCharset UTF-8

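# PHP runtime settings. They apply ONLY when PHP runs as the Apache module
# identified as mod_php5.c. Under CGI/FastCGI/FPM, or a later PHP module with
# a different identifier, this whole block is skipped silently, so the same
# values must then be set in php.ini / .user.ini.
<IfModule mod_php5.c>
    # Legacy input-handling switches, all forced off. register_globals and
    # magic_quotes_* were removed from PHP in 5.4; the lines only matter on
    # older runtimes.
    php_flag register_globals Off
    php_flag magic_quotes_gpc Off
    php_flag magic_quotes_runtime Off
    php_flag magic_quotes_sybase Off

    # Sessions are started explicitly by the application, and the session id
    # is never appended to URLs (keeps it out of logs, referrers and bookmarks).
    php_value session.auto_start 0
    php_value output_buffering 0
    php_value session.use_trans_sid 0

    php_value memory_limit 128M
    # NOTE(review): 18000 seconds is 5 hours per request. A stuck or abused
    # request can hold a worker that long. Confirm a long-running job needs
    # this through the web server, or lower it.
    php_value max_execution_time 18000

    # Suhosin: do not mix the User-Agent into the session encryption key.
    php_flag suhosin.session.cryptua off
    php_flag zend.ze1_compatibility_mode Off
    php_value short_open_tag On
    php_value mbstring.func_overload  0
    php_value default_charset         UTF-8
</IfModule>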

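# NOTE(review): the stated goal is only "do not break multiple image upload",
# but SecFilterEngine Off switches the whole ModSecurity filter off for every
# request under this directory, not just POST scanning on the upload endpoint.
# Prefer a narrow exclusion for the upload URL over a site-wide disable.
# These are ModSecurity 1.x directives under the 1.x module identifier;
# ModSecurity 2.x (mod_security2.c, SecRuleEngine) is not affected by this
# block at all.
<IfModule mod_security.c>
    # disable POST processing to not break multiple image upload
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>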

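<IfModule mod_ssl.c>
    # Make the standard SSL/HTTPS environment variables available to CGI/SSI
    # handlers, so the application can tell whether a request came in over TLS.
    SSLOptions StdEnvVars
</IfModule>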

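<IfModule mod_expires.c>
    # Default expiry of one year after access, for every response in this tree
    # that no more specific rule covers.
    # NOTE(review): this has an effect only where ExpiresActive On is set in
    # scope (not visible in this file). Where it is active, make sure
    # personalised or authenticated responses send their own no-store/private
    # caching headers, so they are not kept for a year.
    ExpiresDefault "access plus 1 year"
</IfModule>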

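# Cache-Control per file type. The leading dot of each pattern is escaped so
# that it matches a real extension separator; unescaped, "." matches any
# character and the rule would also hit names that merely end in e.g. "xphp".
<IfModule mod_headers.c>
    # Icons and documents: 336 days, cacheable by shared caches.
    # NOTE(review): "public" on pdf is only safe if no PDF here is
    # access-controlled.
    <FilesMatch "\.(ico|pdf|flv)$">
        Header set Cache-Control "max-age=29030400, public"
    </FilesMatch>

    # Images and Flash: 7 days, cacheable by shared caches.
    <FilesMatch "\.(jpg|jpeg|png|gif|swf)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>

    # Text assets: 2 days; shared caches must revalidate once stale.
    <FilesMatch "\.(xml|txt|css|js)$">
        Header set Cache-Control "max-age=172800, proxy-revalidate"
    </FilesMatch>

    # Pages: 60 seconds, browser cache only ("private" keeps per-user output
    # out of shared caches).
    <FilesMatch "\.(html|htm|php)$">
        Header set Cache-Control "max-age=60, private, proxy-revalidate"
    </FilesMatch>
</IfModule>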

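<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    ### Query string deny-list
    # Any request whose query string matches one of the OR-ed conditions is
    # answered with 403 by the rule that follows them. Regex metacharacters
    # that are meant literally (. [ ] ( ) ? *) are backslash-escaped: without
    # the escapes the character-list pattern does not compile and "../"
    # matches any two characters followed by a slash.
    #
    # NOTE(review): this is defence in depth only. It inspects the query
    # string and nothing else (no POST body, cookies, headers or path), and
    # keyword lists are easy to sidestep, so the application must still
    # validate input and use parameterised queries. It also over-blocks:
    # "select", "config", "request", "http:" or "?" inside a legitimate
    # parameter value (search terms, redirect URLs) returns 403, and the
    # %0/%A-%F condition rejects percent-encoded bytes starting with those
    # digits, which includes all percent-encoded non-ASCII text.
    RewriteCond %{QUERY_STRING} \.\./    [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag=     [NC,OR]
    RewriteCond %{QUERY_STRING} ftp:     [NC,OR]
    RewriteCond %{QUERY_STRING} http:    [NC,OR]
    RewriteCond %{QUERY_STRING} https:   [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
    RewriteRule ^(.*)$ - [F,L]

    # Copy the Authorization request header into the HTTP_AUTHORIZATION
    # environment variable so the PHP application can read it.
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Deny direct web access to the application's internal directories.
    # NOTE(review): the pattern has no trailing "/" or end anchor, so it also
    # forbids any path that merely starts with one of these words (for
    # example a page under "testimonials" or "variants"). Confirm that is
    # intended, or anchor it with (/|$).
    RewriteCond %{REQUEST_URI} !^/(static|js)/
    RewriteRule ^(core|application|test|var) - [F,L]

    # Front controller: anything that is not an existing file, directory or
    # symlink is handed to index.php.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule .* index.php [L]
</IfModule>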