baptisten-hohenacker_manual/.htaccess

<IfModule mod_rewrite.c>

RewriteEngine On


## Begin RewriteBase
# If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry
# You should change the '/' to your appropriate subfolder. For example if you have
# your Grav install at the root of your site '/' should work, else it might be something
# along the lines of: RewriteBase /<your_sub_folder>
##

# RewriteBase /

## End - RewriteBase

## Begin - X-Forwarded-Proto
# In some hosted or load balanced environments, SSL negotiation happens upstream.
# In order for Grav to recognize the connection as secure, you need to uncomment
# the following lines.
#
# RewriteCond %{HTTP:X-Forwarded-Proto} https
# RewriteRule .* - [E=HTTPS:on]
#
## End - X-Forwarded-Proto

## Begin - Exploits
# If you experience problems on your site block out the operations listed below
# This attempts to block the most common type of exploit `attempts` to Grav
#
# Block out any script trying to base64_encode data within the URL.
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
# Block out any script that includes a <script> tag in URL.
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL.
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden header and show the content of the root homepage
RewriteRule .* index.php [F]
#
## End - Exploits

## Begin - Index
# If the requested path and file is not /index.php and the request
# has not already been internally rewritten to the index.php script
RewriteCond %{REQUEST_URI} !^/index\.php
# and the requested path and file doesn't directly match a physical file
RewriteCond %{REQUEST_FILENAME} !-f
# and the requested path and file doesn't directly match a physical folder
RewriteCond %{REQUEST_FILENAME} !-d
# internally rewrite the request to the index.php script
RewriteRule .* index.php [L]
## End - Index

## Begin - Security
# Block all direct access for these folders
RewriteRule ^(.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|yaml|php|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot
RewriteRule (^|/)\.(?!well-known) - [F]
# Block access to specific files in the root folder
RewriteRule ^(LICENSE.txt|composer.lock|composer.json|\.htaccess)$ error [F]
## End - Security

</IfModule>

# Begin - Prevent Browsing and Set Default Resources
Options -Indexes
DirectoryIndex index.php index.html index.htm
# End - Prevent Browsing and Set Default Resources

# Deflate Compression by FileType
<IfModule mod_deflate.c>
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/xml
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/atom_xml
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/x-javascript
 AddOutputFilterByType DEFLATE application/x-shockwave-flash
</IfModule>

#add CSP (report only)
<IfModule mod_headers.c>
#Header set Content-Security-Policy-Report-Only  "default-src 'none'; form-action 'none'; frame-ancestors 'none'; report-uri https://csrichter.report-uri.com/r/d/csp/wizard"
Header set Content-Security-Policy "form-action 'self'; img-src 'self' data: www.gravatar.com https://baptisten-hohenacker.de/piwikCR/piwik.php; frame-src 'self' www.openstreetmap.org; style-src 'self' 'unsafe-inline'; connect-src 'self' getgrav.org; media-src 'self'; font-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://baptisten-hohenacker.de 'report-sample';upgrade-insecure-requests; report-uri https://csrichter.report-uri.com/r/d/csp/enforce" env=HTTPS
#TODO: move img-src data: and unsave-eval to separate file in /piwikCR

#set HSTS, but only for TLS connections
Header set Strict-Transport-Security "max-age=31536000;includeSubDomains;preload" env=HTTPS

Header set X-XSS-Protection "1; report=https://csrichter.report-uri.com/r/d/xss/enforce"
Header set Referrer-Policy "strict-origin-when-cross-origin"

Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"


#remove php version from page
Header unset X-Powered-By

#expect CT report only
Header set Expect-CT "max-age=0, report-uri=https://csrichter.report-uri.com/r/d/ct/reportOnly"

#report inline scripts:
#Header set Content-Security-Policy-Report-Only "script-src 'self' 'sha256-oT1XvXepFjnZ/GYfPj+mnojCbxk7HoJ3pESjDyIpZ9s=' 'sha256-XFVkCWLhq36EC1Da051LuCzgGdb5AVEAj4YUdlRIv30=' 'sha256-gZhx9bu8bdV9NYK1FSoX13NGcQZyI8h5S6JOPFF4a/E=' 'sha256-G6LOCi9K+Dr+i2r8MqzD9JNTf08tIKHpI27a1GQJNd8=' ; report-uri https://csrichter.report-uri.com/r/d/csp/reportOnly"
#problem: dynamic on-click handler on predigtaufnahmen page

#cache static file for 1 month
<filesMatch "\.(css|jpe?g|png|gif|js|ico|mp3)$">
Header set Cache-Control "max-age=2628000, public"
</filesMatch>
Header set Pragma "cache"

#<filesMatch "\.(html)$">
#Header set Cache-Control "must-revalidate, public"
#Header set Cache-Control "max-age=86400, public"

#</filesMatch>
</IfModule>