Full website with security hardening: - Redesigned sections: hero, services, capabilities, clients, partners, stats, about, workflow, contact - Contact form fixed (variable names, XSS sanitisation, rate limiting, open redirect removed) - .htaccess with security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) - error_log blocked from public access - Robots.txt corrected to allow JS/CSS for SEO rendering
55 lines
2.5 KiB
ApacheConf
55 lines
2.5 KiB
ApacheConf
# ── Security Headers ────────────────────────────────────────────────────────
|
|
<IfModule mod_headers.c>
|
|
# Prevent clickjacking
|
|
Header always set X-Frame-Options "SAMEORIGIN"
|
|
|
|
# Prevent MIME-type sniffing
|
|
Header always set X-Content-Type-Options "nosniff"
|
|
|
|
# Referrer information sent only to same origin
|
|
Header always set Referrer-Policy "strict-origin-when-cross-origin"
|
|
|
|
# Restrict browser features
|
|
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
|
|
|
|
# Basic Content Security Policy
|
|
# Scripts/styles are all local; allow WhatsApp/mailto links as popups
|
|
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none';"
|
|
|
|
# Remove PHP version disclosure
|
|
Header always unset X-Powered-By
|
|
</IfModule>
|
|
|
|
# ── Block access to sensitive files ─────────────────────────────────────────
|
|
<FilesMatch "^(error_log|\.env|composer\.(json|lock)|package(-lock)?\.json|.*\.log)$">
|
|
Order allow,deny
|
|
Deny from all
|
|
</FilesMatch>
|
|
|
|
# Block direct access to PHP includes if any exist
|
|
<FilesMatch "^(config|functions|helpers)\.php$">
|
|
Order allow,deny
|
|
Deny from all
|
|
</FilesMatch>
|
|
|
|
# ── Disable directory listing ────────────────────────────────────────────────
|
|
Options -Indexes
|
|
|
|
# ── Force HTTPS (enable when SSL certificate is active) ─────────────────────
|
|
# <IfModule mod_rewrite.c>
|
|
# RewriteEngine On
|
|
# RewriteCond %{HTTPS} off
|
|
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
|
|
# </IfModule>
|
|
|
|
# ── Protect against common exploit patterns ──────────────────────────────────
|
|
<IfModule mod_rewrite.c>
|
|
RewriteEngine On
|
|
|
|
# Block requests with suspicious query strings
|
|
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
|
|
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
|
|
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
|
|
RewriteRule .* - [F,L]
|
|
</IfModule>
|