
# =========================
# Core security & hardening
# =========================
# NOTE(review): each directive below needs the matching AllowOverride
# (Options, AuthConfig/Limit, FileInfo) in the server config; if one is
# not permitted Apache answers 500 for the whole directory instead of
# silently ignoring it — confirm against the vhost.

# Disable directory listing so a directory without an index file does not
# reveal its contents
Options -Indexes

# FollowSymLinks is required by mod_rewrite; it is not itself a hardening
# measure (SymLinksIfOwnerMatch is the stricter variant). MultiViews is
# disabled so content negotiation cannot map one URL onto a different file.
Options +FollowSymLinks -MultiViews

# Block direct access to dotfiles, editor swap files, backups and archives.
# FilesMatch tests only the final path component, so files *inside* a
# dot-directory (e.g. VCS metadata) are NOT covered by "^\." here.
<FilesMatch "(^\.|\.bak$|\.old$|\.orig$|\.swp$|\.sql$|\.zip$|\.tar$|\.gz$|~$)">
    Require all denied
</FilesMatch>

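# Block access to configuration and VCS paths
# (Adjust list if you actually need some of these)
<IfModule mod_authz_core.c>
    <FilesMatch "^(composer\.json|composer\.lock|package\.json|yarn\.lock|webpack\.config\.js|Gruntfile\.js|README|LICENSE|\.env|\.git|\.svn|\.hg|\.DS_Store|\.htaccess|\.htpasswd)$">
        Require all denied
    </FilesMatch>
</IfModule>

# FilesMatch only sees the basename, so the ".git"/".svn"/".hg" entries above
# match a file with exactly that name but not the files inside a checked-out
# repository directory (e.g. /.git/config). Deny those paths by URL instead.
# A 404 (rather than 403) avoids confirming that the directory exists.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.(git|svn|hg)(/|$)"
</IfModule>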

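# =========================
# Enforce HTTPS + canonical
# =========================
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect HTTP to HTTPS.
    # NOTE(review): behind a TLS-terminating proxy/CDN %{HTTPS} stays "off"
    # and this rule loops; in that setup test X-Forwarded-Proto instead — confirm.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Force non-www (comment this block and use the next one if you prefer www)
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

    # --- Prefer www (use this instead of the previous block) ---
    # RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
    # RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Collapse repeated slashes in the URL path.
    # THE_REQUEST is the raw request line, so it still shows the doubled
    # slashes; "[^?]*" stops a "//" inside the query string from triggering
    # the redirect. $0 is the per-directory path after Apache has merged the
    # slashes, so the requested path (and the query string) are preserved —
    # the previous rule only matched a leading "//" and sent everything to "/".
    # Assumes this file sits at the DocumentRoot; otherwise prefix $0 with
    # the subdirectory.
    RewriteCond %{THE_REQUEST} \s[^?]*//
    RewriteRule ^.*$ https://%{HTTP_HOST}/$0 [R=301,L]
</IfModule>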

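# ================
# Security headers
# ================
<IfModule mod_headers.c>
    # Strict Transport Security (only enable if you're sure HTTPS works site-wide).
    # "preload" requests inclusion in browser preload lists and is hard to
    # undo; leave it out until the HTTPS setup (including subdomains) is final.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking protection (change to SAMEORIGIN if you must iframe yourself;
    # keep it in step with frame-ancestors in the CSP below)
    Header always set X-Frame-Options "DENY"

    # Safer cross-site referrers
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions Policy (limit powerful APIs; adjust as needed)
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), usb=(), bluetooth=(), payment=()"

    # Cross-Origin Resource Policy (restrict other sites from embedding your resources)
    Header always set Cross-Origin-Resource-Policy "same-origin"

    # Cross-Origin Opener Policy (helps isolate browsing contexts)
    Header always set Cross-Origin-Opener-Policy "same-origin"

    # Cross-Origin Embedder Policy (use require-corp only if all subresources are same-origin or CORS-enabled)
    # Header always set Cross-Origin-Embedder-Policy "require-corp"

    # Content Security Policy (CSP)
    # Start strict; relax as needed for your assets/CDNs/scripts.
    # If you use inline scripts/styles, add 'unsafe-inline' (not recommended).
    # img-src and font-src already allow any https: origin and style-src allows
    # inline styles; tighten these once the real asset list is known.
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data: https:; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests"

    # Remove server version exposure (if possible).
    # Each Header directive acts on only one of the two header tables
    # (normal vs. "always"/error), so both forms are used to drop the header
    # whether it was added by Apache or by a backend such as PHP.
    Header always unset X-Powered-By
    Header unset X-Powered-By
</IfModule>

# Hide the Apache version/OS line on server-generated error pages.
# (ServerTokens cannot be set from .htaccess; set it in the server config.)
ServerSignature Off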

# ========================
# Allowed HTTP methods only
# ========================
# This also rejects PUT/PATCH/DELETE, so any REST-style endpoint or WebDAV
# client on this site will receive 405 — extend the list if one exists.
# TRACE is better disabled with TraceEnable Off, but that directive is
# server-config/vhost only, so this rewrite is the .htaccess-level fallback.
<IfModule mod_rewrite.c>
    # Already enabled in the HTTPS block above; repeating it is harmless.
    RewriteEngine On
    # Allow GET, POST, HEAD, OPTIONS; block TRACE and others
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS)$ [NC]
    # A non-3xx status in [R=...] discards the substitution and stops
    # rewriting, so "-" just means "no substitution". The 405 carries no
    # Allow header, which strict clients may expect.
    RewriteRule .* - [R=405,L]
</IfModule>

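# ======================
# Compression (Deflate)
# ======================
<IfModule mod_deflate.c>
    # Compress text-like responses only; binary/image types are not listed.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript application/javascript application/json application/xml application/rss+xml image/svg+xml

    # DeflateCompressionLevel is valid only in server config / virtual host
    # context; in .htaccess it makes Apache answer 500 for every request, so
    # it has been dropped here. Set it in the vhost if a non-default level is
    # wanted (the removed line asked for 6, which is zlib's default anyway).

    # Belt-and-braces: never compress already-compressed image formats, even
    # if a MIME mapping ever routes them through the filter above.
    SetEnvIfNoCase Request_URI \.(?:gif|jpg|jpeg|png|webp)$ no-gzip=1

    # NOTE(review): compressing dynamic HTML that reflects user input next to
    # per-session secrets (e.g. CSRF tokens) exposes them to compression side
    # channels (BREACH); if that applies here, exclude those responses from
    # DEFLATE — confirm against the application.
</IfModule>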

# ==========================
# Caching & cache-bust rules
# ==========================
# mod_expires derives both Expires and Cache-Control: max-age from these
# values. Because they are keyed on Content-Type, they apply to dynamically
# generated responses too, not only to static files.
<IfModule mod_expires.c>
    ExpiresActive On

    # Static assets: long cache
    ExpiresByType image/webp "access plus 6 months"
    # NOTE(review): only effective if .avif is mapped to image/avif in this
    # Apache's mime.types or via AddType — confirm.
    ExpiresByType image/avif "access plus 6 months"
    ExpiresByType image/jpeg "access plus 6 months"
    ExpiresByType image/png "access plus 6 months"
    ExpiresByType image/gif "access plus 6 months"
    ExpiresByType image/svg+xml "access plus 6 months"
    ExpiresByType font/woff2 "access plus 6 months"
    ExpiresByType font/woff "access plus 6 months"
    ExpiresByType text/css "access plus 3 months"
    ExpiresByType application/javascript "access plus 3 months"

    # HTML: short cache.
    # NOTE(review): this also covers application-generated text/html. If any
    # page is personalised or shown only after login, it should instead send
    # "private" or "no-store" from the application so shared caches cannot
    # serve one user's page to another — confirm how the site is used.
    ExpiresByType text/html "access plus 10 minutes"

    # JSON/XML: moderate (same caveat as HTML for per-user API responses)
    ExpiresByType application/json "access plus 1 hour"
    ExpiresByType application/xml "access plus 1 hour"
</IfModule>

# Strong ETag/Cache control examples (optional)
# "Header set" replaces the Cache-Control value mod_expires produces above
# for the same files, so these FilesMatch rules win for the listed extensions.
<IfModule mod_headers.c>
    # 90 days + "immutable": browsers will not revalidate at all within that
    # window, so these assets must be renamed/fingerprinted on every change
    # or users keep stale copies.
    <FilesMatch "\.(css|js|png|jpg|jpeg|gif|webp|avif|svg|woff2|woff)$">
        Header set Cache-Control "public, max-age=7776000, immutable"
    </FilesMatch>
    # Applies only to static .html files on disk; HTML produced by scripts
    # still follows the text/html expiry above.
    <FilesMatch "\.(html)$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
    </FilesMatch>
</IfModule>

# ==================
# Hotlink protection
# ==================
# Replace example.com with your domain(s)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$

