Files
provoc-website/.htaccess
kutesir fe5f232c6a Initial commit — Provoc Group website
Full website with security hardening:
- Redesigned sections: hero, services, capabilities, clients, partners, stats, about, workflow, contact
- Contact form fixed (variable names, XSS sanitisation, rate limiting, open redirect removed)
- .htaccess with security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- error_log blocked from public access
- Robots.txt corrected to allow JS/CSS for SEO rendering
2026-05-16 21:26:49 +03:00

55 lines
2.5 KiB
ApacheConf

# ── Security Headers ────────────────────────────────────────────────────────
<IfModule mod_headers.c>
# Prevent clickjacking
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"
# Referrer information sent only to same origin
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Restrict browser features
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
# Basic Content Security Policy
# Scripts/styles are all local; allow WhatsApp/mailto links as popups
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none';"
# Remove PHP version disclosure
Header always unset X-Powered-By
</IfModule>
# ── Block access to sensitive files ─────────────────────────────────────────
<FilesMatch "^(error_log|\.env|composer\.(json|lock)|package(-lock)?\.json|.*\.log)$">
Order allow,deny
Deny from all
</FilesMatch>
# Block direct access to PHP includes if any exist
<FilesMatch "^(config|functions|helpers)\.php$">
Order allow,deny
Deny from all
</FilesMatch>
# ── Disable directory listing ────────────────────────────────────────────────
Options -Indexes
# ── Force HTTPS (enable when SSL certificate is active) ─────────────────────
# <IfModule mod_rewrite.c>
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# </IfModule>
# ── Protect against common exploit patterns ──────────────────────────────────
<IfModule mod_rewrite.c>
RewriteEngine On
# Block requests with suspicious query strings
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
</IfModule>