htaccess clean up

mhsuffolk
VIP Member
Posts: 146
Joined: Sat Oct 26, 2019 9:13 am

Post by mhsuffolk »

I have this in my htaccess which I think was added years ago in the days of RC2A. Is it needed now?

Code:

# Converts http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Prevent XSS (Cross-site scripting): reject query strings that look like
# injected <script>/<iframe> tags or attempts to overwrite PHP superglobals.
# [NC] = case-insensitive, [OR] joins a condition with the next one;
# [F] answers 403 Forbidden and [L] stops further rewriting.
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ blocked.php [F,L]

# Refuse the TRACE and TRACK methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Stop index.php?cPath=22/admin/categories.php/login.php?cPath=&action=new_product_preview etc
RewriteEngine On
RewriteCond %{REQUEST_URI} \.php/login\.php [OR]
RewriteCond %{QUERY_STRING} \.php/login\.php
RewriteRule .* - [F]

# Tell caches that compressed and uncompressed variants exist
<IfModule mod_headers.c>
  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>
</IfModule>

# Cache static assets for 30 days and drop ETags (only if mod_headers is loaded,
# otherwise "Header unset" is a fatal configuration error)
<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf)$">
  <IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 30 days"
  </IfModule>
  <IfModule mod_headers.c>
    Header unset ETag
  </IfModule>
  FileETag None
</FilesMatch>

# compress text, html, javascript, css, xml:
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript

  # Or, compress certain file types by extension:
  <Files *.html>
    SetOutputFilter DEFLATE
  </Files>
</IfModule>

Live shop Phoenix 1.0.9.0 on PHP 8.0
burt
Lead Developer
Posts: 2423
Joined: Tue Oct 29, 2019 9:37 am

Re: htaccess clean up

Post by burt »

You can remove this bit, but there is no harm in keeping it (though do make sure you have a "blocked.php" page):

Code:

# Prevent XSS (Cross-site scripting)
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ blocked.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

This bit seems to be protecting against that ancient admin hack, so it can definitely be removed as that was cured years back in one of the 2.3 releases by HPDL:

Code:

# Stop index.php?cPath=22/admin/categories.php/login.php?cPath=&action=new_product_preview etc
RewriteEngine On
RewriteCond %{REQUEST_URI} \.php/login\.php [OR]
RewriteCond %{QUERY_STRING} \.php/login\.php
RewriteRule .* - [F]

Gamechanger Addon: Queued Emails, try before you buy.
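Before deleting any of these blocks it helps to see exactly which requests they match today. The script below is an added example, not code from the thread or from Phoenix: it copies the three RewriteCond chains from the posted .htaccess into Python regexes, reproduces mod_rewrite's AND/[OR] chaining by hand, and runs a few constructed requests through them. Everything but the patterns themselves (the rule names, the sample requests) is an assumption of this example.

```python
import re

# RewriteCond chains copied from the posted .htaccess. Each entry is
# (server variable, the PCRE pattern as a Python regex, whether [OR] links
# it to the next condition). [NC] becomes re.IGNORECASE.
RULES = {
    "xss_filter": [  # RewriteRule ^(.*)$ blocked.php [F,L]
        ("QUERY_STRING", re.compile(r"base64_encode.*\(.*\)"), True),
        ("QUERY_STRING", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.I), True),
        ("QUERY_STRING", re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.I), True),
        ("QUERY_STRING", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"), True),
        ("QUERY_STRING", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"), False),
    ],
    "trace_track": [  # RewriteRule .* - [F]
        ("REQUEST_METHOD", re.compile(r"^(TRACE|TRACK)"), False),
    ],
    "admin_path_hack": [  # RewriteRule .* - [F]
        ("REQUEST_URI", re.compile(r"\.php/login\.php"), True),
        ("QUERY_STRING", re.compile(r"\.php/login\.php"), False),
    ],
}


def chain_matches(conds, request):
    """Evaluate a RewriteCond chain the way mod_rewrite does: conditions are
    ANDed, except that [OR] makes a condition and its successor alternatives."""
    group_hit = False
    for var, regex, or_next in conds:
        group_hit = group_hit or regex.search(request.get(var, "")) is not None
        if not or_next:  # end of an OR group: the group must have matched
            if not group_hit:
                return False
            group_hit = False
    return True


def blocking_rules(method, uri, query_string):
    """Names of the rule blocks that would answer 403 to this request.
    query_string is the raw, still percent-encoded value, like %{QUERY_STRING}."""
    request = {"REQUEST_METHOD": method, "REQUEST_URI": uri, "QUERY_STRING": query_string}
    return [name for name, conds in RULES.items() if chain_matches(conds, request)]


if __name__ == "__main__":
    # Constructed sample requests (hypothetical, not taken from any real log)
    samples = [
        ("GET", "/index.php", "cPath=22"),
        ("GET", "/index.php", "keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
        ("TRACE", "/", ""),
        ("GET", "/index.php/admin/categories.php/login.php", "cPath=&action=new_product_preview"),
    ]
    for sample in samples:
        print(sample, "->", blocking_rules(*sample) or "allowed")
```

Run it against a sample of your own access log's request lines to confirm nothing legitimate (for example a query carrying the literal word "script") trips the filter before you decide to keep it or drop it.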