
What is the best approach with osc and htaccess


Gyakutsuki


When you look at some website tests, they propose some corrections.

With your experience, what is the best approach with osc to create the best htaccess?

I tried to make a summary; opinions and corrections will be welcome.

speed optimization
security optimization
cache
..

Options +FollowSymlinks

<IfModule mod_rewrite.c>
  RewriteEngine On

# Blocking libwww-perl access ("-" means no substitution; [F] answers 403)
    RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
    RewriteRule .* - [F,L]

  # Note: "Header unset ETag" further down removes the ETag this generates,
  # so keep one or the other.
  FileETag INode MTime Size

## URL canonicalization (dots escaped so they match literally)
    RewriteCond %{HTTP_HOST} !^www\.mysite\.org$ [NC]
    RewriteRule ^(.*)$ https://www.mysite.org/$1 [L,R=301]

  # Hotlink protection, disabled: needs whitelist RewriteCond lines before it
  # RewriteRule \.(gif|jpg|png|js|css)$ - [F]


### FILTER AGAINST XSS, base64_encode JUNK, SETTING PHP GLOBALS VIA URL, MODIFYING THE _REQUEST VARIABLE VIA URL
   # QUERY_STRING is matched raw (not URL-decoded), hence the %3C / %3D / %3A forms.
   # The "[" in the last two patterns is escaped; bare it would open a character class.
   RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
   RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [OR]
   RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [OR]
   RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|\[|\%[0-9A-Z]{0,2})(.*)$ [OR]
   RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|\[|\%[0-9A-Z]{0,2})(.*)$
   RewriteRule (.*) - [F]
</IfModule>

# Compress all output labeled with one of the following MIME-types
# (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
#  and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
#  as `AddOutputFilterByType` is still in the core directives).
<IfModule mod_deflate.c>
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE application/atom+xml \
                                      application/javascript \
                                      application/json \
                                      application/rss+xml \
                                      application/vnd.ms-fontobject \
                                      application/x-font-ttf \
                                      application/x-web-app-manifest+json \
                                      application/x-javascript \
                                      application/xhtml+xml \
                                      application/xml \
                                      font/opentype \
                                      image/svg+xml \
                                      image/x-icon \
                                      text/css \
                                      text/html \
                                      text/plain \
                                      text/x-component \
                                      text/xml
    </IfModule>
</IfModule>

<IfModule mod_headers.c>
# Turn off the server version footer on server-generated pages
# (ServerTokens, which trims the Server header itself, is not allowed in .htaccess)
    ServerSignature Off
# Unset Server Technology header
    Header unset X-Powered-By
    Header set Content-Security-Policy "script-src 'self' https://www.google.com"
    Header always set X-Frame-Options "DENY"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    Header unset ETag
# Append HttpOnly and Secure to every cookie the application sets
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

  # Header name and value are separate arguments: no colon after Vary
  <FilesMatch "\.(js|css|xml|gz|html)$">
    Header append Vary Accept-Encoding
  </FilesMatch>

  <FilesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">
    Header set Cache-Control "max-age=25200, public"
  </FilesMatch>

</IfModule>

<IfModule mod_expires.c>
      ExpiresActive on
      ExpiresDefault                                      "access plus 2 days"

    # CSS
    #  ExpiresByType text/css                              "access plus 2592000 seconds"

    # Data interchange
      ExpiresByType application/json                      "access plus 0 seconds"
      ExpiresByType application/xml                       "access plus 0 seconds"
      ExpiresByType text/xml                              "access plus 0 seconds"

    # Favicon (cannot be renamed!) and cursor images
      ExpiresByType image/x-icon                          "access plus 2592000 seconds"

    # HTML components (HTCs)
      ExpiresByType text/x-component                      "access plus 2592000 seconds"

    # HTML
      ExpiresByType text/html                             "access plus 0 seconds"

    # JavaScript
      ExpiresByType application/javascript                "access plus 1 month"
      ExpiresByType text/x-javascript                     "access plus 1 month"

    # Manifest files
      ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
      ExpiresByType text/cache-manifest                   "access plus 0 seconds"

    # Media
      ExpiresByType audio/ogg                             "access plus 1 month"
      ExpiresByType image/gif                             "access plus 1 month"
      ExpiresByType image/jpeg                            "access plus 1 month"
      ExpiresByType image/jpg                             "access plus 1 month"
      ExpiresByType image/png                             "access plus 1 month"
      ExpiresByType video/mp4                             "access plus 1 month"
      ExpiresByType video/ogg                             "access plus 1 month"
      ExpiresByType video/webm                            "access plus 1 month"
      ExpiresByType application/x-shockwave-flash         "access plus 1 month"

    # Web feeds
      ExpiresByType application/atom+xml                  "access plus 2592000 seconds"
      ExpiresByType application/rss+xml                   "access plus 2592000 seconds"

    # Web fonts
      ExpiresByType image/svg+xml                         "access plus 1 month"

</IfModule>

Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 


Have you actually tested these conditions, especially the XSS stuff and http/non-www combinations? Apparently you want your site to be all SSL, but are you checking anywhere for non-SSL with www? Are there any request methods besides GET and POST? If not, you can get rid of that RewriteCond in the XSS filter section. If there are, I don't think AND (default) and OR act like in programming languages (no precedence)... it just goes through beginning to end, so the request method is ANDed only with the next check. How some of these settings will act, or interact with each other, may depend exactly on your server (Apache) level and local configuration, so you should try testing as many combinations as you can.

Don't blindly copy suggested .htaccess files from websites. You need to understand what each part is supposed to be doing, and you need to actually test it on your own real (production) server.


Hi @MrPhil,

Thank you for the explanation.
I don't often use htaccess, just what I need, but in this case it is just to secure the site. It's not perfect; that's why it's interesting to know other approaches.
I have inserted these elements in my production server, no problem (with SSL certificate).
About GET and POST, there can be others, like FILE.

Also, when you test your site with an online system (https://www.metaforensics.io/), it tells you, for example, whether it is possible to know the server signature or not, and also XSS problems, and proposes to solve them with htaccess recommendations.

Afterwards, depending on the Apache configuration, the website may work or not.


Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum


What things you can make use of depends on how your host has configured their servers. For example, some hosts don't permit Options, or restrict what can be done with it. So, you may not be able to use Options -Indexes to suppress listing of directories lacking an index file (images/, etc.). That's easy to get around -- just put an empty index.html file in those directories, or one with a snarky remark like "Move along, nothing to see here." or "You lookin' at me? I said, are you lookin' at ME?". I added it to my DirectoryIndex list (with absolute path) so I don't have to worry about explicitly placing a file in each unprotected directory.

Consider adding "hotlink protection", so other sites can't display your images while you pay bandwidth charges to have them served from your site. I see a commented-out "Fail" rewrite, which is part of it, but you would need to add the whitelist RewriteCond statements. There's something available these days called "leech protection", which restricts access to sensitive areas of your site if someone manages to steal your ID and password. I presume that somewhere you have already implemented password protection for the admin section of your site (either manually by the files supplied with osC, or better, via your hosting control panel).

You don't need so many deflate filters for an osC installation, but you might need some of them for other stuff you have on your site. Consider speeding up things by removing unneeded filters. The same goes for expiration dates.

Consider how you're handling http requests AND/OR non-www domain names coming in (the "canonical" section). You need to handle both (rewrite to https and www), and there are several ways to do this, but make sure you don't end up sending two 301 redirects back to the requestor (one for https and one for www)... that will kill you in SEO. If you want SSL (https) on every page, don't forget to adjust your configure.php files to specify only https in the first place -- it's bad form to send out only http links, and then bounce them back with a 301 to https!

I'm not familiar enough with the malware filters and header stuff to speak about them.

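MrPhil raises two things worth checking before touching the production server: how the AND/OR chain in the XSS filter is evaluated, and whether an http request that already uses www is caught by the canonical rule. The harness below is an added example, not code from the thread, from Apache or from osCommerce; it models the evaluation order mod_rewrite documents (no precedence, top to bottom, an [OR] run plus the non-OR condition that closes it forming one group) and runs the first post's conditions against constructed requests. The names `cond`, `rule_fires`, `blocked` and `redirected` are mine, and `CANON_ONE_HOP`, which adds an [OR]-chained `%{HTTPS}` check, is an assumed alternative rather than part of the original post.

```python
import re

# Added illustration (not Apache or osCommerce code) of how mod_rewrite walks a
# RewriteCond list: top to bottom, no precedence. A run of [OR] conditions plus
# the first non-OR condition after it is one group; a group holds if any member
# matches, and the rule fires only if every group holds. "!" negates a pattern.
def cond(var, pattern, *flags):
    return (var, pattern, "OR" in flags, "NC" in flags)

def rule_fires(conds, request):
    """True if the RewriteRule guarded by `conds` would apply to `request`."""
    i = 0
    while i < len(conds):
        var, pattern, ornext, nocase = conds[i]
        rx = re.compile(pattern.lstrip("!"), re.IGNORECASE if nocase else 0)
        hit = (rx.search(request.get(var, "")) is not None) != pattern.startswith("!")
        if ornext and not hit:
            i += 1                      # try the next member of this OR group
        elif ornext:                    # group satisfied: skip its remaining OR
            while i < len(conds) and conds[i][2]:   # members and the non-OR
                i += 1                              # condition that closes it
            i += 1
        elif not hit:
            return False                # an AND-chained condition failed
        else:
            i += 1
    return True

# The XSS / GLOBALS / _REQUEST filter from the first post, with the bare "[" in
# the last two patterns escaped as "\[" (the usual form of this snippet).
XSS_FILTER = [
    cond("REQUEST_METHOD", r"(GET|POST)", "NC"),
    cond("QUERY_STRING", r"^(.*)(%3C|<)/?script(.*)$", "NC", "OR"),
    cond("QUERY_STRING", r"^(.*)(%3D|=)?javascript(%3A|:)(.*)$", "NC", "OR"),
    cond("QUERY_STRING", r"^(.*)document\.location\.href(.*)$", "OR"),
    cond("QUERY_STRING", r"^(.*)base64_encode(.*)$", "OR"),
    cond("QUERY_STRING", r"^(.*)GLOBALS(=|\[|\%[0-9A-Z]{0,2})(.*)$", "OR"),
    cond("QUERY_STRING", r"^(.*)_REQUEST(=|\[|\%[0-9A-Z]{0,2})(.*)$"),
]
# Canonicalisation as posted (host check only), and an assumed variant with an
# [OR]-chained HTTPS check so http://www.mysite.org is caught by the same rule.
CANON_AS_POSTED = [cond("HTTP_HOST", r"!^www\.mysite\.org$", "NC")]
CANON_ONE_HOP = [cond("HTTPS", r"!^on$", "OR")] + CANON_AS_POSTED

def blocked(method, query):
    """Would the filter's [F] rule answer 403? QUERY_STRING is raw, not URL-decoded."""
    return rule_fires(XSS_FILTER, {"REQUEST_METHOD": method, "QUERY_STRING": query})

def redirected(conds, https, host):
    return rule_fires(conds, {"HTTPS": "on" if https else "off", "HTTP_HOST": host})
```

With these constructed requests, a GET carrying an encoded `<script` is refused, a HEAD with the same query passes because the method group fails, and the posted canonical condition does not fire for `http://www.mysite.org` while the HTTPS-aware variant does.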
