Commit 9be80c6d authored by Stefan Galinski's avatar Stefan Galinski :video_game:

[BUGFIX] Fix heavy security issues

parent 6d531441
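--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,84 @@
+##############
+### BASICS ###
+##############
+# additional mime types
+AddType font/ttf .ttf
+AddType font/eot .eot
+AddType font/otf .otf
+AddType application/font-woff .woff
+AddType application/font-woff2 .woff2
+AddType image/x-icon .ico
+# Activate rewrite engine
+RewriteEngine On
+RewriteBase /
+# No redirects or anything else if the .well-known diectory is called. LetsEncrypt uses this directory for certificate renewals and so on.
+RewriteRule ^.well-known/.*$ - [END]
+################
+### SECURITY ###
+################
+# Prevent autodiscover calls (they can cause heavy load issues)
+RewriteRule ^autodiscover/autodiscover.xml$ - [F,L]
+# Block access to vcs directories
+RedirectMatch 403 /\.(?:git|svn|hg)/
+# Access block for files
+<FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
+<IfModule mod_authz_core.c>
+Require all denied
+</IfModule>
+</FilesMatch>
+# Enfore proper Default Security Headers
+<IfModule mod_headers.c>
+# Activate HSTS
+Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+# Reducing MIME type security risks
+Header set X-Content-Type-Options "nosniff"
+# Access-Control-Allow-Origin is used to allow AJAX functionality while using the sgc watcher during development
+# ENABLE THIS ONLY FOR DEV REASONS. CAUSES A LOT OF HARM ON PRODUCTION!
+# Header always set Access-Control-Allow-Origin "https://localhost:3000"
+Header set X-Frame-Options "SAMEORIGIN"
+Header set X-Xss-Protection "1; mode=block"
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+# We set this value to the wanted value for the future of the web.
+# same and strict can't be used as they cause issues with TYPO3 or several web services like Vimeo if used in private mode
+Header set Referrer-Policy "strict-origin-when-cross-origin"
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
+# This needs to be changed, if some of the features are needed outside of "self"
+Header set Feature-Policy "geolocation 'self'; midi 'self'; payment 'self'; camera 'self'; usb 'self'; fullscreen 'self'; magnetometer 'self'; picture-in-picture *; accelerometer 'self'; encrypted-media 'self'; autoplay 'self'; gyroscope 'self'; sync-xhr 'self'; microphone 'self'"
+Header set Permissions-Policy "geolocation=(self), midi=(self), payment=(self), camera=(self), usb=(self), fullscreen=(self), magnetometer=(self), picture-in-picture=(*), accelerometer=(self), encrypted-media=(self), autoplay=(self), gyroscope=(self), sync-xhr=(self), microphone=(self)"
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+# The keyword unsafe-inline allows for inline-script sections. THIS DISABLES XSS PROTECTION!
+# form-action 'self'; --> caused problems in Chrome on some subdomains. It's better to not set this value at all.
+# "default-src 'none' --> can't be used, because this breaks Firefox inside the TYPO3 backend
+# "unsafe-eval" -> required in script_src, because of the mask extension (might be removable in TYPO3 12+)
+# Header set Content-Security-Policy "default-src 'self'; media-src 'self'; base-uri 'none'; object-src 'none'; worker-src 'self' blob:; frame-ancestors 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://www.youtube.com https://player.vimeo.com https://cdn.plyr.io https://*.gstatic.com https://*.google.com https://*.googleapis.com; style-src 'self' 'unsafe-inline' https://cdn.plyr.io https://*.googleapis.com; font-src 'self' data: https://*.gstatic.com; img-src 'self' data: blob: https://www.gravatar.com https://*.googleusercontent.com https://*.twimg.com https://*.youtube.com https://i.vimeocdn.com https://*.gstatic.com https://*.googleapis.com; connect-src 'self' https://*.googleapis.com; frame-src 'self' https://*.google.com https://*.xing.com https://*.youtube.com https://*.youtube-nocookie.com https://*.vimeo.com https://*.vimeocdn.com https://*.paypal.com; report-uri /csp-report.php"
+</IfModule>
+# Remove potential security risks by only applying html/svg types to valid files (required since TYPO3 9.5.17)
+<IfModule mod_mime.c>
+RemoveType .html .htm
+<FilesMatch ".+\.html?$">
+AddType text/html .html
+AddType text/html .htm
+</FilesMatch>
+RemoveType .svg .svgz
+<FilesMatch ".+\.svgz?$">
+AddType image/svg+xml .svg
+AddType image/svg+xml .svgz
+</FilesMatch>
+</IfModule>
+#############################
+### BOTS/ANNOYING SCRIPTS ###
+#############################
+# remote file execution vulnerabilities
+RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [OR]
+RewriteCond %{HTTP_USER_AGENT} ^Morfeus [OR]
+RewriteCond %{HTTP_USER_AGENT} ^cr4nk\.ws [OR]
+# This has to be disabled because the google API auth service adds URLs with https to the query string of the return url
+#RewriteCond %{QUERY_STRING} https?\: [OR]
+RewriteCond %{QUERY_STRING} ftp\: [OR]
+RewriteCond %{REQUEST_URI} ^/cgi-std [OR]
+# website discussion service by MS Office
+RewriteCond %{REQUEST_URI} (MSOffice/cltreq\.asp|_vti_bin/owssvr\.dll) [OR]
+# empty host header isn't possible!
+RewriteCond %{HTTP_HOST} ^$
+# sent to all of them forbidden errors
+RewriteRule ^.* - [F,L]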
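Review bot: The security headers in the mod_headers block (Strict-Transport-Security through Permissions-Policy) are only attached to successful responses, because `Header set` defaults to the onsuccess condition; the 403 responses this same file produces via `[F]` and `RedirectMatch 403`, like any other error page, are sent without HSTS, nosniff or X-Frame-Options. Switching each directive to `Header always set`, e.g. `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"`, applies them on every status. The `<FilesMatch>` deny block depends solely on `<IfModule mod_authz_core.c>` and silently denies nothing if that module is not loaded, so a `<IfModule !mod_authz_core.c>` branch carrying the mod_authz_host equivalent, or at least a comment stating that mod_authz_core is required, would make that failure visible instead of open. `X-Xss-Protection "1; mode=block"` enables a filter that current browsers have removed and whose presence in older ones has been a source of side-channel issues; sending `0` (or dropping the header) is the usual recommendation now, and with the Content-Security-Policy line commented out no CSP ships, which is worth stating in the commit description given the title.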