-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.htaccess
38 lines (33 loc) · 2.25 KB
/
.htaccess
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<Files ~ "^\.(htaccess|htpasswd)$">
Deny from all
</Files>
DirectoryIndex index.php
<IfModule mod_negotiation.c>
Options -Indexes +FollowSymLinks
</IfModule>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php [NC,L]
<Files "Dockerfile|docker-compose\.yml">
Order Allow,Deny
Deny from all
Allow from localhost
Allow from 127.0.0.1
</Files>
Header always set Cache-Control "no-store, must-revalidate, no-cache, max-age=0"
Header always set X-Frame-Options "DENY"
Header always set X-Xss-Protection "0"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set Permissions-Policy "display-capture=(),accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Cross-Origin-Embedder-Policy "unsafe-none"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Resource-Policy "cross-origin"
#Header always set Access-Control-Allow-Origin "http://localhost:3000, https://portal.azure.com/"
#Header always set Access-Control-Allow-Methods "GET,PUT,POST,DELETE,OPTIONS"
#Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, X-API-KEY, privatekey"
#Header always set Report-To "{"group":"csp-endpoint","max_age":10886400,"endpoints":[{"url":"/csp-report"}]}"
Header always set Content-Security-Policy "upgrade-insecure-requests;default-src 'none';style-src 'self' 'unsafe-inline' 'report-sample';script-src 'self' 'report-sample';img-src 'self';font-src 'self';form-action 'self';frame-ancestors 'none';frame-src 'self';child-src 'self';connect-src 'self';base-uri 'self';object-src 'none';media-src 'self';manifest-src 'self';worker-src 'self'; report-uri https://waf-demo.sunwellsolutions.com/csp-report"