Tektriks

Coding starts here

Secure site through HTACCESS

A collection of useful .htaccess codes.
To work all of these, add the following line at the beginning to your .htaccess file.


Options +FollowSymlinks 
RewriteEngine on
RewriteBase /

  • Deny all accessing your site

    
    Deny All Access
    	
    
  • Deny All Access Except Yours

    
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx	
    	
    

    Where xxx.xxx.xxx.xxx is your IP Address. If you replace the last three digits with 0/12 for example, this will specify a range of IPs within the same network, thus saving you the trouble to list all allowed IPs separately.

  • Allow All Access Except Spammers’

    
    Order deny,allow
    Allow from all
    Deny from xxx.xxx.xxx.xxx
    Deny from xxx.xxx.xxx.xxy	
    	
    
  • Deny Access to Hidden Files and Directories

    Hidden files and directories (those whose names start with a dot `.`) should most, if not all, of the time be secured. For example: `.htaccess`, `.htpasswd`, `.git`, `.hg`…

    
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
    	
    

    Alternatively, you can just raise a `Not Found` error, giving the attacker dude no clue:

    
    RedirectMatch 404 /\..*$
    	
    
  • Deny Access to Backup and Source Files

    These files may be left by some text/html editors (like Vi/Vim) and pose a great security danger, when anyone can access them.

    
    <FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
        ## Apache 2.2
        Order allow,deny
        Deny from all
        Satisfy All
    
        ## Apache 2.4
        # Require all denied
    </FilesMatch>	
    	
    
  • Disable Image Hotlinking

    
    RewriteCond %{HTTP_REFERER} !^$
    
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?example.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [NC,F,L]	
    	
    

    If you want to display a “blocked” banner in place of the hotlinked image

    
    RewriteCond %{HTTP_REFERER} !^$
    
    RewriteCond %{HTTP_REFERER} !^http(s)?://(.+\.)?example.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif|bmp) http://example.com/blocked.png [R,L]
    	
    

    Disable Image Hotlinking for Specific Domains

    
    RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?badsite\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?badsite2\.com [NC,OR]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]	
    	
    
  • Block Visitors by Referrer

    This denies access for all users who are coming from (referred by) a specific domain.

    
    RewriteCond %{HTTP_REFERER} somedomain\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} anotherdomain\.com
    RewriteRule .* - [F]	
    	
    
  • Prevent Framing the Site

    Protect Against ClickJacking. Supported web browsers will prevent an attacker/hacker from putting your website’s content into an iframe on another website.

    
    <IfModule mod_headers.c>  
      Header always append X-Frame-Options SAMEORIGIN
    </IfModule>
    	
    
  • Prevent some cross-site scripting (XSS) attacks

    
    <IfModule mod_headers.c>  
      Header set X-XSS-Protection "1; mode=block"
    </IfModule>	
    	
    
  • Block access to a particular file

    Block accessing .htaccess file

    
    <Files .htaccess>
    order allow,deny 
    deny from all
    </Files>	
    
    

    Block multiple file types

    
    <FilesMatch ".(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
    order allow,deny 
    deny from all
    </FilesMatch>	
    	
    
  • Changing server signature

    To change the server signature which is displayed as part of the default Apache error documents, use the following code:

    
    ServerSignature EMail
    SetEnv SERVER_ADMIN [email protected] 	
    	
    

    To remove the server signature completely, use the following code:

    
    ServerSignature Off 	
    	
    
  • Prevent access to php.ini

    
    <FilesMatch "^php5?\.(ini|cgi)$">
    Order Deny,Allow
    Deny from All
    Allow from env=REDIRECT_STATUS
    </FilesMatch> 	
    	
    

This page wouldn’t have such a long without

Leave a Reply

Be the First to Comment!

Notify of
avatar
wpDiscuz