A collection of useful .htaccess snippets.
For the mod_rewrite based snippets below to work, add the following lines at the top of your .htaccess file. mod_rewrite needs FollowSymLinks (or SymLinksIfOwnerMatch) in a per-directory context; if the server starts answering with a 500 error after you add them, your host's AllowOverride does not permit `Options` in .htaccess, and the first line has to be dropped or set by the server administrator.
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
Deny All Access (except your own IP)
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is your IP address. To allow a whole network instead of listing every address separately, use a partial address or CIDR notation: `Allow from 192.168.1` or `Allow from 192.168.1.0/24` allows all of 192.168.1.0 to 192.168.1.255, i.e. the same /24 network. A prefix length always counts from the left, so `192.168.1.0/12` does not mean "this network, any last octet": it allows the far larger 192.160.0.0 to 192.175.255.255 range. Order/Deny/Allow is the Apache 2.2 syntax (provided by mod_access_compat on 2.4); the native 2.4 equivalent is `Require ip xxx.xxx.xxx.xxx`, with everything else denied by default.
Block Specific IPs
Order allow,deny
Allow from all
Deny from xxx.xxx.xxx.xxx
Deny from xxx.xxx.xxx.xxy
Note the order: with `Order deny,allow` the Allow directives are evaluated last, so `Allow from all` would override the Deny lines and nobody would be blocked. `Order allow,deny` evaluates Deny last, which is what a blacklist needs. On Apache 2.4 the equivalent is a `<RequireAll>` block containing `Require all granted` followed by `Require not ip xxx.xxx.xxx.xxx`.
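The allow/deny decisions in the two snippets above can be checked without a running Apache. The script below is an added example written for this page, not Apache code: it emulates how mod_access_compat interprets an `Allow from`/`Deny from` host spec (full, partial, CIDR or netmask form) and how `Order` combines the two lists, using constructed client addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges. It shows what a /12 prefix really covers and which `Order` a blacklist needs.

```python
import ipaddress

# Added example for this page: a small emulation of how Apache's mod_access_compat
# (Order / Allow from / Deny from) decides access. It is not Apache code; the client
# addresses used below are constructed from the 203.0.113.0/24 and 198.51.100.0/24
# documentation ranges.


def host_spec_matches(spec: str, client_ip: str) -> bool:
    """Emulate one 'Allow from'/'Deny from' host spec for IPv4 clients:
    'all', a full address, a partial address (first 1-3 octets), a network
    in CIDR form (a.b.c.d/nn) or network/netmask form. Hostnames and env=
    specs are out of scope here."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in spec:
        # Apache masks off host bits silently, so 203.0.113.0/12 means 203.0.0.0/12
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) < 4:
        # partial address: compare the leading octets as whole octets
        return client_ip.split(".")[: len(octets)] == octets
    return ip == ipaddress.ip_address(spec)


def access_decision(order: str, allow: list, deny: list, client_ip: str) -> str:
    """Combine the lists the way the Order directive does; the list named
    last is evaluated last and wins when a client matches both."""
    allowed = any(host_spec_matches(s, client_ip) for s in allow)
    denied = any(host_spec_matches(s, client_ip) for s in deny)
    if order.lower() == "deny,allow":
        # default allow; a matching Allow overrides any matching Deny
        return "allow" if allowed or not denied else "deny"
    if order.lower() == "allow,deny":
        # default deny; a matching Deny overrides any matching Allow
        return "allow" if allowed and not denied else "deny"
    raise ValueError(f"unknown Order: {order}")


def covered_range(spec: str) -> tuple:
    """First address, last address and size of the network a CIDR spec really allows."""
    net = ipaddress.ip_network(spec, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    # The /12 mistake: far more than "the same network" is let in.
    print(covered_range("203.0.113.0/12"))  # ('203.0.0.0', '203.15.255.255', 1048576)
    print(covered_range("203.0.113.0/24"))  # ('203.0.113.0', '203.0.113.255', 256)
    # Whitelist: works with Order deny,allow.
    print(access_decision("deny,allow", ["203.0.113.5"], ["all"], "203.0.113.5"))   # allow
    print(access_decision("deny,allow", ["203.0.113.5"], ["all"], "198.51.100.1"))  # deny
    # Blacklist written with the wrong Order: the denied host still gets in.
    print(access_decision("deny,allow", ["all"], ["198.51.100.7"], "198.51.100.7"))  # allow
    # Blacklist with the right Order.
    print(access_decision("allow,deny", ["all"], ["198.51.100.7"], "198.51.100.7"))  # deny
    print(access_decision("allow,deny", ["all"], ["198.51.100.7"], "198.51.100.8"))  # allow
```

Run it as a script to see the decisions; `covered_range` makes the size of a mistaken prefix visible, and the two blacklist calls show why the Order line, not the Deny lines, decides whether a blacklist does anything.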
Block Hidden Files and Directories
Hidden files and directories (those whose names start with a dot `.`) should almost always be inaccessible over the web. For example: `.htaccess`, `.htpasswd`, `.git`, `.hg`… a readable `.git` directory hands an attacker your complete source history.
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
Alternatively, you can just raise a `Not Found` error, giving the attacker no clue that the file exists:
RedirectMatch 404 /\..*$
Both variants also block `/.well-known/`, which ACME clients such as Let's Encrypt and other well-known URIs depend on. Exempt it with a condition such as `RewriteCond %{REQUEST_URI} !^/\.well-known/` placed before the RewriteRule, or with a negative lookahead in the 404 variant: `RedirectMatch 404 "/\.(?!well-known/)"`.
Block Backup and Source Files
Backup, temporary and configuration files such as Vim swap files (`.swp`), editor backups (`file~`, `.bak`), `.sql` dumps, `.log` files or `.inc` includes are frequently left inside the web root and, when anyone can request them, leak source code, credentials and database contents.
<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
## Apache 2.2
Order allow,deny
Deny from all
Satisfy All
## Apache 2.4
# Require all denied
</FilesMatch>
Use only the lines for your Apache version: on 2.4 uncomment `Require all denied` and remove the three 2.2 lines. Mixing the old Order/Allow/Deny directives with the new Require directives in one scope is discouraged by the Apache documentation and can behave unexpectedly.
Disable Image Hotlinking
Image requests whose Referer is set and does not belong to your own site get a 403. The domain pattern must escape the dot, restrict the optional subdomain part to the host name and be anchored after the domain; with the unescaped, unanchored `(.+\.)?example.com` a Referer such as `http://example.com.attacker.net/` or `http://attacker.net/?r=.example.com` would count as your own site and bypass the check. The first condition deliberately lets requests without a Referer through (privacy settings, direct links), and the Referer is trivially forged, so this stops casual hotlinking rather than a determined scraper.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com([:/]|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [NC,F,L]
If you want to display a “blocked” banner in place of the hotlinked image, redirect to it instead of returning 403. The banner itself must be excluded from the rule: the browser sends the same foreign Referer when it fetches blocked.png, and without the third condition the rule would redirect blocked.png to itself in an endless redirect loop.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com([:/]|$) [NC]
RewriteCond %{REQUEST_URI} !^/blocked\.png$
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ http://example.com/blocked.png [R,L]
Disable Image Hotlinking for Specific Domains
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?badsite\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?badsite2\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
The [OR] flag belongs on every condition except the last one. A trailing [OR] on the final RewriteCond makes mod_rewrite treat the chain as satisfied even when none of the conditions matched, so every image would be blocked for everyone.
Block Visitors Referred by Specific Domains
This denies access (403) to all users who are coming from (referred by) a specific domain. As with the hotlinking rules, the Referer is sent by the client and is easily omitted or forged, so treat this as a nuisance filter rather than an access control.
RewriteCond %{HTTP_REFERER} somedomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} anotherdomain\.com [NC]
RewriteRule .* - [F]
Protect Against Clickjacking
Supported web browsers will refuse to render your pages inside a frame or iframe on another origin, so an attacker cannot overlay your site with invisible controls. Use `set` rather than `append`: if an application or another configuration layer already emits the header, `append` produces a comma-joined `SAMEORIGIN, SAMEORIGIN`, and X-Frame-Options is a single-value header whose handling of multiple values differs between browsers; `set` guarantees exactly one value. The modern equivalent, which also lets you allow specific framing origins, is the Content-Security-Policy `frame-ancestors` directive.
<IfModule mod_headers.c>
Header always set X-Frame-Options SAMEORIGIN
</IfModule>
Legacy XSS Filter Header
X-XSS-Protection controlled the reflected-XSS filter of older Internet Explorer, Chrome and Safari versions. Chromium removed its XSS Auditor in version 78 and Firefox never implemented one, so the header has no effect in current browsers; a Content-Security-Policy is the supported defence. It is harmless to keep for old clients:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>
Block Access to the .htaccess File
The stock httpd.conf already denies `.ht*` files with an equivalent `<Files>` block; repeating it here costs nothing and covers hosts that changed the default.
<Files .htaccess>
order allow,deny
deny from all
</Files>
Block Multiple File Types
The dot before the extension must be escaped: unescaped, `.` matches any character, so the pattern would also block ordinary names such as `english` (ends in `sh`) or `catalog` (ends in `log`).
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
order allow,deny
deny from all
</FilesMatch>
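The regex pitfalls in the hotlinking rules above and in this FilesMatch block (an unescaped dot, an unanchored domain, a banner that redirects to itself, a trailing [OR]) can be checked offline. The following Python script is an added example written for this page, not Apache code: it re-evaluates the page's patterns with Python's re module, which behaves like Apache's PCRE for these expressions, against constructed Referer values (the attacker.test and cdn.example.com hosts are made up for the test) and constructed file names, and emulates mod_rewrite's handling of an [OR] chain.

```python
import re

# Added example for this page (not Apache code): the regexes are those from the
# hotlink and FilesMatch snippets, tested with constructed Referer values and
# file names. Apache evaluates RewriteCond and FilesMatch patterns as unanchored
# PCRE searches, which re.search reproduces for these patterns.

REFERER_LOOSE = r"^http(s)?://(.+\.)?example.com"               # as written on the page
REFERER_STRICT = r"^https?://([^/]+\.)?example\.com([:/]|$)"    # escaped and anchored
FILES_LOOSE = r".(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$"  # unescaped dot
FILES_STRICT = r"\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$"
IMAGE_RULE = r"\.(jpg|jpeg|png|gif|bmp)$"


def hotlink_allowed(own_site_pattern: str, referer: str) -> bool:
    """RewriteCond %{HTTP_REFERER} !^$ followed by !own_site_pattern [NC]:
    the image is served when the Referer is empty or looks like our own site."""
    return referer == "" or re.search(own_site_pattern, referer, re.IGNORECASE) is not None


def files_match_blocks(pattern: str, filename: str) -> bool:
    """<FilesMatch pattern> is applied to the final path component only."""
    return re.search(pattern, filename) is not None


def banner_would_loop(banner_uri: str, exempt_uri=None) -> bool:
    """The browser re-sends the foreign Referer when it fetches the banner, so
    if the banner itself matches the RewriteRule and is not exempted by a
    RewriteCond on %{REQUEST_URI}, the redirect targets itself."""
    if exempt_uri is not None and banner_uri == exempt_uri:
        return False
    return re.search(IMAGE_RULE, banner_uri) is not None


def rewrite_conds_pass(conds: list) -> bool:
    """Emulate mod_rewrite's evaluation of a RewriteCond chain.
    conds is a list of (matched, has_or_flag) tuples in file order."""
    i, n = 0, len(conds)
    while i < n:
        matched, or_next = conds[i]
        if matched:
            if or_next:
                while i < n and conds[i][1]:  # skip the rest of this OR chain...
                    i += 1
            i += 1                            # ...including the condition that ends it
            continue
        if not or_next:
            return False                      # implicit AND: one miss fails the rule
        i += 1                                # [OR]: a miss just tries the next condition
    return True  # ran off the end: a trailing [OR] on a failed last condition lands here


if __name__ == "__main__":
    print(hotlink_allowed(REFERER_LOOSE, "http://example.com.attacker.test/page"))   # True  (bypass)
    print(hotlink_allowed(REFERER_LOOSE, "http://attacker.test/?r=.example.com"))    # True  (bypass)
    print(hotlink_allowed(REFERER_STRICT, "http://example.com.attacker.test/page"))  # False
    print(hotlink_allowed(REFERER_STRICT, "https://cdn.example.com:8443/img"))       # True
    print(files_match_blocks(FILES_LOOSE, "english"), files_match_blocks(FILES_STRICT, "english"))  # True False
    print(banner_would_loop("/blocked.png"), banner_would_loop("/blocked.png", "/blocked.png"))    # True False
    # two conditions both carrying [OR], neither matching: the rule still fires
    print(rewrite_conds_pass([(False, True), (False, True)]))   # True
    print(rewrite_conds_pass([(False, True), (False, False)]))  # False
```

When adapting a pattern from this page, paste it into the constants at the top and add the URLs or file names you actually serve to the checks; a pattern that lets the bypass Referers through or blocks one of your own file names is wrong before it ever reaches the server.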
Change or Hide the Server Signature
The server signature is the footer line (server version, host name and port) that Apache appends to its default error documents. To change what it displays, use the following code:
ServerSignature EMail
SetEnv SERVER_ADMIN nospace@pleasenospace.com
To remove the server signature completely, which is what a production host should do, use the following code:
ServerSignature Off
The `Server:` response header is controlled by ServerTokens, which is only valid in the main server configuration, so it cannot be reduced from an .htaccess file.
Protect php.ini and php.cgi (PHP run as CGI)
On hosts that run PHP as a CGI binary, php.cgi and a per-directory php.ini may live inside the web root. Direct requests to them must be refused, but Apache's own internal redirects (Action/AddHandler) must still reach the interpreter. Apache sets the REDIRECT_STATUS environment variable only on internally redirected requests, so allowing `env=REDIRECT_STATUS` lets the handler work while a browser asking for /php.cgi or /php.ini directly gets a 403.
<FilesMatch "^php5?\.(ini|cgi)$">
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
</FilesMatch>
This page wouldn’t have such a long without