Commit 9be80c6d authored 1 year ago by Stefan Galinski
[BUGFIX] Fix heavy security issues
parent 6d531441
Showing 1 changed file: .htaccess (new file, 0 → 100644) with 107 additions and 0 deletions
##############
### BASICS ###
##############
# additional mime types
AddType
font/ttf .ttf
AddType
font/eot .eot
AddType
font/otf .otf
AddType
application/font-woff .woff
AddType
application/font-woff2 .woff2
AddType
image/x-icon .ico
# Activate rewrite engine
RewriteEngine
On
RewriteBase
/
# No redirects or anything else if the .well-known diectory is called. LetsEncrypt uses this directory for certificate renewals and so on.
RewriteRule
^.well-known/.*$ - [END]
################
### SECURITY ###
################
# Prevent autodiscover calls (they can cause heavy load issues)
RewriteRule
^autodiscover/autodiscover.xml$ - [F,L]
# Block access to vcs directories
RedirectMatch
403 /\.(?:git|svn|hg)/
# Access block for files
<
FilesMatch
"(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$"
>
<
IfModule
mod_authz_core.c
>
Require
all
denied
</
IfModule
>
</
FilesMatch
>
# Enfore proper Default Security Headers
<
IfModule
mod_headers.c
>
# Activate HSTS
Header
set
Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Reducing MIME type security risks
Header
set
X-Content-Type-Options "nosniff"
# Access-Control-Allow-Origin is used to allow AJAX functionality while using the sgc watcher during development
# ENABLE THIS ONLY FOR DEV REASONS. CAUSES A LOT OF HARM ON PRODUCTION!
# Header always set Access-Control-Allow-Origin "https://localhost:3000"
Header
set
X-Frame-Options "SAMEORIGIN"
Header
set
X-Xss-Protection "1; mode=block"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# We set this value to the wanted value for the future of the web.
# same and strict can't be used as they cause issues with TYPO3 or several web services like Vimeo if used in private mode
Header
set
Referrer-Policy "strict-origin-when-cross-origin"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# This needs to be changed, if some of the features are needed outside of "self"
Header
set
Feature-Policy "geolocation 'self'; midi 'self'; payment 'self'; camera 'self'; usb 'self'; fullscreen 'self'; magnetometer 'self'; picture-in-picture *; accelerometer 'self'; encrypted-media 'self'; autoplay 'self'; gyroscope 'self'; sync-xhr 'self'; microphone 'self'"
Header
set
Permissions-Policy "geolocation=(self), midi=(self), payment=(self), camera=(self), usb=(self), fullscreen=(self), magnetometer=(self), picture-in-picture=(*), accelerometer=(self), encrypted-media=(self), autoplay=(self), gyroscope=(self), sync-xhr=(self), microphone=(self)"
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# The keyword unsafe-inline allows for inline-script sections. THIS DISABLES XSS PROTECTION!
# form-action 'self'; --> caused problems in Chrome on some subdomains. It's better to not set this value at all.
# "default-src 'none' --> can't be used, because this breaks Firefox inside the TYPO3 backend
# "unsafe-eval" -> required in script_src, because of the mask extension (might be removable in TYPO3 12+)
# Header set Content-Security-Policy "default-src 'self'; media-src 'self'; base-uri 'none'; object-src 'none'; worker-src 'self' blob:; frame-ancestors 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.youtube.com https://player.vimeo.com https://cdn.plyr.io https://*.gstatic.com https://*.google.com https://*.googleapis.com; style-src 'self' 'unsafe-inline' https://cdn.plyr.io https://*.googleapis.com; font-src 'self' data: https://*.gstatic.com; img-src 'self' data: blob: https://www.gravatar.com https://*.googleusercontent.com https://*.twimg.com https://*.youtube.com https://i.vimeocdn.com https://*.gstatic.com https://*.googleapis.com; connect-src 'self' https://*.googleapis.com; frame-src 'self' https://*.google.com https://*.xing.com https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.vimeocdn.com https://*.paypal.com; report-uri /csp-report.php"
</
IfModule
>
# Remove potential security risks by only applying html/svg types to valid files (required since TYPO3 9.5.17)
<
IfModule
mod_mime.c
>
RemoveType
.html .htm
<
FilesMatch
".+\.html?$"
>
AddType
text/html .html
AddType
text/html .htm
</
FilesMatch
>
RemoveType
.svg .svgz
<
FilesMatch
".+\.svgz?$"
>
AddType
image/svg+xml .svg
AddType
image/svg+xml .svgz
</
FilesMatch
>
</
IfModule
>
#############################
### BOTS/ANNOYING SCRIPTS ###
#############################
# remote file execution vulnerabilities
RewriteCond
%{HTTP_USER_AGENT} ^libwww-perl [OR]
RewriteCond
%{HTTP_USER_AGENT} ^Morfeus [OR]
RewriteCond
%{HTTP_USER_AGENT} ^cr4nk\.ws [OR]
# This has to be disabled because the google API auth service adds URLs with https to the query string of the return url
#RewriteCond %{QUERY_STRING} https?\: [OR]
RewriteCond
%{QUERY_STRING} ftp\: [OR]
RewriteCond
%{REQUEST_URI} ^/cgi-std [OR]
# website discussion service by MS Office
RewriteCond
%{REQUEST_URI} (MSOffice/cltreq\.asp|_vti_bin/owssvr\.dll) [OR]
# empty host header isn't possible!
RewriteCond
%{HTTP_HOST} ^$
# sent to all of them forbidden errors
RewriteRule
^.* - [F,L]
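Review bot: `Header set X-Xss-Protection "1; mode=block"` in the SECURITY block should be dropped or set to `"0"`: the browser XSS auditor is deprecated and has been removed from Chromium and Edge, was never implemented in Firefox, and in the browsers that still honour it the filter itself has been used as an information-leak side channel; current MDN and OWASP guidance is to rely on CSP instead. That matters here because the only Content-Security-Policy line in the file is commented out, so this commit ships no XSS mitigation at all; shipping the same policy as `Content-Security-Policy-Report-Only` (the `report-uri /csp-report.php` is already in the commented value) would let the allow-list be tuned against the TYPO3 backend without breaking anything. In the "Access block for files" section, `Require all denied` sits only inside `<IfModule mod_authz_core.c>` with no fallback, so on Apache 2.2 (no mod_authz_core) the whole FilesMatch block is a no-op and composer.json, .sql, .bak, .log and the other listed files are served; add an `<IfModule !mod_authz_core.c>` branch with `Order allow,deny` / `Deny from all`, or state in a comment that Apache 2.4 is required. The `^.well-known/.*$ - [END]` rule in BASICS also deserves a comment: `[END]` stops all further rewrite processing, so requests under /.well-known/ bypass the empty-Host-header and user-agent blocks in the BOTS section (probably intended for ACME, but not obvious), and the leading dot should be escaped (`^\.well-known/`). Smaller points: the HSTS value includes `preload` with a two-year max-age and `includeSubDomains`, which is a commitment for every subdomain that cannot be undone quickly once the host is on the preload list, so the comment should say this is deliberate; Feature-Policy and Permissions-Policy are both set, which is fine for a transition but the comment should note that Feature-Policy is the deprecated predecessor; and the comments read "Enfore" and "diectory" for "Enforce" and "directory".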