Image uploads use this .htaccess:
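# .htaccess for the image-uploads directory.
# Effect of the directives below: only single-extension jpg/jpeg/png/gif files
# are served, each with a fixed Content-Type; every other name is refused, and
# requests that are not from the listed client, localhost, or an example.com
# page are redirected away.
# NOTE(review): Options, Order/Allow/Deny and RewriteEngine are only honoured in
# an .htaccess file when the server config grants the matching AllowOverride
# (Options, Limit, FileInfo) — confirm, otherwise Apache answers 500 here.

# Disable any cgi-scripts and prevent directory browsing
Options -ExecCGI -Indexes

# Whitelist the following file extensions
# This includes the blocking of double extensions using [^.]
# With "Order Allow,Deny" any request that matches no Allow directive is denied,
# so only <basename-without-dots>.<jpg|jpeg|png|gif> passes; the (?i:...) group
# makes the extension test case-insensitive.
# Order/Allow/Deny are the Apache 2.2 access-control directives; on 2.4 they
# need mod_access_compat (the native 2.4 form is "Require all granted").
Order Allow,Deny
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif)$">
Allow from all
</FilesMatch>

# Secure MIME-types
# ForceType pins the Content-Type by extension, so a served upload is never
# mapped to a scriptable or HTML type by the server's type map.
<FilesMatch "\.[Jj][Pp][Ee]?[Gg]$">
ForceType image/jpeg
</FilesMatch>
<FilesMatch "\.[Pp][Nn][Gg]$">
ForceType image/png
</FilesMatch>
<FilesMatch "\.[Gg][Ii][Ff]$">
ForceType image/gif
</FilesMatch>

# Make sure mod_rewrite is running
RewriteEngine On

# Disable scripts
# Any request whose filename is not an image (or php.ini) is given the
# cgi-script handler; because ExecCGI is off above, Apache refuses it (403),
# so a script file that lands in this directory is never executed.
# NOTE(review): the reason php.ini is exempted from the handler override is
# not stated here — confirm it is intended.
RewriteRule !^(?:[^.]+\.(?:jpe?g|png|gif)|php\.ini)$ - [H=cgi-script,NC,L]

# Only allow the following direct access to the uploads directory
# A request that is not from the listed client address, not addressed to
# localhost, and not referred by example.com (or a subdomain) is sent to
# meetingplanner.io; an absolute URL on another host as the substitution makes
# mod_rewrite issue an external redirect.
# The REMOTE_ADDR pattern is anchored with $ on purpose: without it a real
# address such as ^1\.2\.3\.4 (constructed example) would also match
# 1.2.3.40-1.2.3.49 once the xxx placeholder is filled in.
# Referer is set by the client and is omitted by privacy-conscious browsers and
# proxies, so treat this block as a convenience/hotlink gate, not as access
# control; the address and host checks are the only server-verified parts.
RewriteCond %{REMOTE_ADDR} !^(?:xxx\.xxx\.xxx\.xxx)$
RewriteCond %{HTTP_HOST} !^localhost$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(?:[^.]+\.)?example\.com/ [NC]
RewriteRule .? https://meetingplanner.io [L]

# Disable hotlinking of images
# Answers 403 when an existing image file is fetched with a foreign Referer;
# an empty Referer is accepted here (the trailing |$ alternative).
# NOTE(review): the redirect block above already stops every request that
# lacks an example.com Referer, so this block is only reached from the listed
# address or localhost — confirm that ordering is what is intended.
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(?:jpe?g|png|gif)$ [NC]
RewriteCond %{HTTP_REFERER} !^(?:https?://(?:[^.]+\.)?example\.com/|$) [NC]
RewriteRule \.(?:jpe?g|png|gif)$ - [NC,F]

# Only allow GET and POST request methods
# Every other method (HEAD, PUT, DELETE, OPTIONS, ...) is denied for this
# directory.
<LimitExcept GET POST>
Deny from all
</LimitExcept>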