From 1ffedf1ae01ebe4438f87646b1ba2ae277995c18 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20Schr=C3=B6ter?= Date: Mon, 20 Aug 2018 18:21:42 -0300 Subject: [PATCH] Block access to "hidden" directories and files whose names begin with a period --- .htaccess | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/.htaccess b/.htaccess index 4733ffa4a86..b65cf67ef47 100644 --- a/.htaccess +++ b/.htaccess @@ -3,8 +3,13 @@ # # Protect files and directories from prying eyes. - - Order allow,deny + + + Require all denied + + + Order allow,deny + # Don't show directory listings for URLs which map to a directory. @@ -80,6 +85,21 @@ DirectoryIndex index.php RewriteEngine on + # Block access to "hidden" directories whose names begin with a period. This + # includes directories used by version control systems such as Subversion or + # Git to store control files. Files whose names begin with a period, as well + # as the control files used by CVS, are protected by the FilesMatch directive + # above. + # + # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is + # not possible to block access to entire directories from .htaccess, because + # is not allowed here. + # + # If you do not have mod_rewrite installed, you should remove these + # directories from your webroot or otherwise protect them from being + # downloaded. + RewriteRule "/\.|^\.(?!well-known/)" - [F] + # If your site can be accessed both with and without the 'www.' prefix, you # can use one of the following settings to redirect users to your preferred # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
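Review bot: The fallback `Order allow,deny` line in the first hunk has no comment explaining that it rejects every request only because no `Allow` directive accompanies it, so a later edit that adds one would quietly reopen these files. The directive lines wrapping the two branches are not visible on this page (they appear to have been stripped in extraction), so I am inferring that `Require all denied` is the mod_authz_core branch and `Order allow,deny` the legacy one. I would add `# No Allow directive follows, so Order allow,deny rejects every request for these files.` directly above the legacy line.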
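Review bot: The added `RewriteRule "/\.|^\.(?!well-known/)" - [F]` only takes effect where this file's rewrite configuration is the one in force, and the new NOTE covers the missing-mod_rewrite case but not that one. mod_rewrite does not inherit per-directory rules by default, so a subdirectory whose own .htaccess enables the rewrite engine would, as far as I can tell, serve hidden paths beneath it without this 403. I would extend the comment with `# NOTE: A subdirectory .htaccess that has its own rewrite rules replaces this rule unless it sets "RewriteOptions Inherit".` so administrators know to check nested .htaccess files. The lookahead guards only the `^\.` alternative, so a `.well-known/` directory below the top level is still refused by the `/\.` alternative; that looks intended but deserves a word in the comment as well. The enclosing rewrite block opens above the added lines and continues past the end of the hunk.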