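# GitHub Code Viewer Plugin - Security Rules
#
# Per-directory access policy for the plugin directory: everything is denied
# by default, then static assets and the main plugin file are re-allowed.
#
# Apache 2.4 "Require" syntax is used throughout. The <If> block below is
# 2.4-only anyway, and the legacy Order/Deny/Allow directives need
# mod_access_compat on 2.4 (a 500 "Invalid command" without it); mixing the
# two styles in one file is discouraged. Sections matching the same file are
# merged in file order, so a later Require replaces an earlier one
# (AuthMerging Off, the default).
# NOTE(review): the directives here need the host's AllowOverride to permit
# Options, Limit/AuthConfig and FileInfo - confirm for the target hosting.

# Prevent directory browsing
Options -Indexes

# Deny access to all files by default
<FilesMatch ".*">
    Require all denied
</FilesMatch>

# Allow access to specific file types only
<FilesMatch "\.(css|js|png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot)$">
    Require all granted
</FilesMatch>

# Specifically allow access to the main plugin file
# NOTE(review): WordPress includes plugin files itself; direct HTTP access to
# the main file is usually not required - confirm it is actually needed.
<Files "maple-code-blocks.php">
    Require all granted
</Files>

# Protect sensitive files (dotfiles are covered here too; the "^\." rule near
# the end of the file repeats that as defense in depth)
<FilesMatch "(^\.|wp-config\.php|\.htaccess|\.htpasswd|error_log|readme\.html|license\.txt|install\.php|php\.ini|php5\.ini)">
    Require all denied
</FilesMatch>

# Disable PHP execution in subdirectories (except the root plugin file).
# <If> sections are merged after <Files>/<FilesMatch>, so this denial wins for
# every .php file whose request URI is not the main plugin file.
<FilesMatch "\.php$">
    <If "%{REQUEST_URI} !~ m#^.*/maple-code-blocks/maple-code-blocks\.php$#">
        Require all denied
    </If>
</FilesMatch>

# Prevent script injection
# Heuristic query-string blocklist, not a substitute for input validation in
# PHP. %{QUERY_STRING} is the raw (undecoded) string, hence the %3C/%3E
# alternatives. The '[' is escaped on purpose: unescaped it opens a character
# class, which made the alternation match any occurrence of GLOBALS/_REQUEST.
# No RewriteBase is set because the substitution is "-" (no rewrite happens).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

# Disable XML-RPC if not needed
# NOTE(review): xmlrpc.php normally lives in the WordPress root, not in a
# plugin directory; this rule only takes effect if a copy exists under this
# tree - confirm whether it is needed here.
<Files xmlrpc.php>
    Require all denied
</Files>

# Add security headers
# "always" sets the headers on error responses (403/404) as well, not only on
# 2xx. X-XSS-Protection is set to 0: the browser XSS auditor it enabled is
# deprecated and is known to introduce client-side issues when turned on.
# These headers apply only to responses served from this directory.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Hotlinking protection disabled - not needed for WordPress plugins
# WordPress plugins need their assets accessible to the host site
# <IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?%{HTTP_HOST} [NC]
# RewriteRule \.(css|js|png|jpg|jpeg|gif|svg)$ - [F,NC,L]
# </IfModule>

# Compress text files
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>

# Set proper MIME types
<IfModule mod_mime.c>
    AddType text/css .css
    AddType application/javascript .js
    AddType application/json .json
</IfModule>

# Cache control for static assets
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>

# Disable server signature (affects responses from this directory only)
ServerSignature Off

# Prevent access to hidden files
# Later than the asset allow-list on purpose: a dotfile with an allowed
# extension is still denied because this section is merged after it.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Block access to backup and source files
<FilesMatch "(\.(bak|backup|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Require all denied
</FilesMatch>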