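# PHP Terminal - Security Configuration
# Apache .htaccess file for enhanced security
#
# Every directive here depends on the server config granting the matching
# AllowOverride bits (Options, Limit, FileInfo); a directive that is not
# permitted in .htaccess makes Apache answer 500 for the whole directory, so
# re-test on the target server after any change.

# Disable server signature on error pages and directory listings.
# (ServerTokens, which trims the Server header itself, is server-config-only
# and cannot be set from .htaccess.)
ServerSignature Off

# Strip headers that leak software versions
<IfModule mod_headers.c>
    # NOTE(review): the Server header is added by the Apache core after
    # mod_headers has run, so this line generally has no effect; use
    # "ServerTokens Prod" in httpd.conf / the virtual host instead.
    Header unset Server
    # X-Powered-By is emitted by PHP; cover both the "always" and the
    # on-success header tables so it is stripped for every status code.
    Header always unset X-Powered-By
    Header unset X-Powered-By
    Header unset X-CF-Powered-By
    Header unset X-Mod-Pagespeed
    Header unset X-Pingback
</IfModule>

# Security Headers
<IfModule mod_headers.c>
    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options nosniff
    # Legacy XSS auditor: "0" switches it off. Current guidance (OWASP, MDN)
    # is to disable it because the auditor has been abused as a side channel
    # and modern browsers no longer implement it; the CSP below is the real
    # control against injected scripts.
    Header always set X-XSS-Protection "0"
    # Prevent clickjacking (CSP frame-ancestors below is the modern form;
    # both are kept for older browsers)
    Header always set X-Frame-Options DENY
    # Strict Transport Security. Browsers ignore it on plain-HTTP responses.
    # "preload" is effectively irreversible once submitted to the preload
    # list; keep it only if every subdomain will be served over HTTPS for good.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # Content Security Policy. 'unsafe-inline' in script-src removes most of
    # the protection against script injection; replace it with nonces or
    # hashes once the application's inline scripts are moved out of the markup.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';"
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Permissions Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>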
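# Disable directory browsing
Options -Indexes
# Follow symbolic links. mod_rewrite in .htaccess also needs FollowSymLinks
# (or SymLinksIfOwnerMatch). Both Options lines require "AllowOverride
# Options" in the server config, otherwise the directory answers 500.
Options +FollowSymLinks

# NOTE(review): "ServerTokens Prod" (previously here) is server-config-only;
# inside .htaccess Apache rejects it ("not allowed here") and the whole
# directory returns 500. Set it in httpd.conf / the virtual host instead.

# Access control below uses the Apache 2.4 authz syntax (Require) and falls
# back to the 2.2 Order/Deny form only when mod_authz_core is absent. On a 2.4
# server without mod_access_compat the old form alone would give 500.

# Prevent access to sensitive files. FilesMatch tests the final path
# component, so this applies at any depth below this directory.
<FilesMatch "\.(env|log|sql|bak|backup|old|orig|tmp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect configuration files. .htaccess/.htpasswd are normally already
# covered by the default <Files ".ht*"> block in httpd.conf; kept here as belt
# and braces. The pattern is unanchored at the end, so every file whose name
# starts with "config" is refused (config.js as well as config.php).
<FilesMatch "^(config|\.env|\.htaccess|\.htpasswd)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Protect the cache, logs and uploads directories and refuse PHP execution
# under media/. <Directory> and <DirectoryMatch> are not allowed in .htaccess
# (500), and the original DirectoryMatch regex "^(cache|logs|uploads)/" could
# never match because DirectoryMatch is applied to the absolute filesystem
# path. A per-directory RewriteRule is matched against the request path
# relative to this directory (no leading slash), which is what is wanted.
# If mod_rewrite is not loaded these rules do nothing; protect the
# directories in the server config in that case.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Whole directories off-limits to the browser. (Assumes uploads are
    # delivered through the application rather than fetched directly —
    # confirm with the application code.)
    RewriteRule ^(cache|logs|uploads)/ - [F,L]
    # No PHP execution under media/: also cover the alternative extensions
    # the PHP handler is commonly mapped to, and match case-insensitively
    # because handler/extension mapping is case-insensitive.
    RewriteRule ^media/.*\.(php[0-9]?|phtml|phar)$ - [F,NC,L]
</IfModule>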
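# PHP runtime settings.
# php_value/php_flag are understood only by mod_php. Under PHP-FPM or CGI the
# directive is unknown ("Invalid command 'php_value'") and the directory
# answers 500, so each group is guarded by IfModule. mod_php is named
# mod_php7.c on PHP 7 and mod_php.c on PHP 8, hence the two identical blocks.
# On FPM/CGI these settings must live in php.ini, the FPM pool config or a
# .user.ini instead; nothing here applies there.
#
# NOTE(review): disable_functions (previously set here) is PHP_INI_SYSTEM and
# is silently ignored when set via php_value from .htaccess; configure it in
# php.ini / the FPM pool if it is wanted. Check first which of those
# functions phpterminal.php itself relies on — a "terminal" script plausibly
# needs process execution, and blocking it globally would break the app.
<IfModule mod_php.c>
    # Limit request size and resource use
    php_value upload_max_filesize 10M
    php_value post_max_size 20M
    php_value max_execution_time 30
    php_value max_input_time 30
    php_value memory_limit 128M
    # Log errors to a file the web-server user can write to (otherwise they
    # are dropped); never display them to clients in production.
    php_flag log_errors On
    php_value error_log /var/log/phpterminal.log
    php_flag display_errors Off
    php_flag display_startup_errors Off
    # Session cookie hardening: HttpOnly, Secure (sent over HTTPS only),
    # no URL-carried session ids, SameSite=Strict.
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_flag session.use_only_cookies On
    php_value session.cookie_samesite Strict
</IfModule>
<IfModule mod_php7.c>
    # Same settings for a PHP 7 mod_php build (see comment above).
    php_value upload_max_filesize 10M
    php_value post_max_size 20M
    php_value max_execution_time 30
    php_value max_input_time 30
    php_value memory_limit 128M
    php_flag log_errors On
    php_value error_log /var/log/phpterminal.log
    php_flag display_errors Off
    php_flag display_startup_errors Off
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_flag session.use_only_cookies On
    php_value session.cookie_samesite Strict
</IfModule>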
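# Prevent access to version control files.
# FilesMatch tests the final path component only, so this refuses .git,
# .gitignore, .svn and similar as *files* but not the contents of a .git/
# directory (.git/HEAD is tested as "HEAD" and passes); the rewrite rule
# below covers the directory case. Uses the Apache 2.4 authz syntax with a
# 2.2 fallback so the file works with or without mod_access_compat.
<FilesMatch "\.(git|svn|hg)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Refuse any request whose path contains a .git/ .svn/ or .hg/ segment
    # (per-directory context: the path is relative to this directory).
    # Answer 404 rather than 403 so the repository's presence is not confirmed.
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [R=404,L]
</IfModule>

# Rate limiting (only if mod_evasive is loaded; the module is mod_evasive20.c
# on Apache 2.2, so this block is skipped there). DOSPageCount 3 per 1-second
# interval is aggressive for pages that are polled by scripts; tune against
# real traffic, and remember the block is per client IP, so users behind a
# shared NAT are blocked together.
<IfModule mod_evasive24.c>
    DOSHashTableSize 2048
    DOSPageCount 3
    DOSPageInterval 1
    DOSSiteCount 50
    DOSSiteInterval 1
    DOSBlockingPeriod 600
</IfModule>

# Compression for better performance.
# Caveat: compressing text/html that carries secrets (CSRF or session tokens)
# next to user-influenced content over TLS exposes them to BREACH-style
# compression side channels; either drop text/html here or make sure the
# application masks its tokens per response.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

# Browser caching. (image/jpg is not a registered media type — image/jpeg is
# the one actually served; the extra line is harmless.)
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
</IfModule>

# Force HTTPS (uncomment in production). Behind a TLS-terminating proxy
# %{HTTPS} is "off" on the backend; test %{HTTP:X-Forwarded-Proto} instead
# and make sure the proxy sets it (and strips it from client requests).
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Custom error pages: all three statuses are rendered by the application.
# A 403 raised by the deny rules above therefore still executes
# phpterminal.php (the original request is exposed as REDIRECT_* variables);
# treat that data as untrusted there. If a 500 originates in PHP itself the
# handler can fail too, in which case Apache falls back to its built-in page.
ErrorDocument 404 /phpterminal.php
ErrorDocument 403 /phpterminal.php
ErrorDocument 500 /phpterminal.php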