
.htaccess Security Headers

The headers below can be added to any site’s .htaccess (with modifications) to help make it more secure. They can also be set server-wide in Apache’s security.conf file.

Be wary of the Content-Security-Policy, as this is the one most likely to break a site and will need to be heavily modified to include all the script and style libraries you use on your website.

# Extra Security Headers
<IfModule mod_headers.c>
	# "always" applies the header to error responses (4xx/5xx) as well as 2xx responses
	# Legacy header: current browsers ignore it (OWASP now recommends "0"); kept for older browsers only
	Header always set X-XSS-Protection "1; mode=block"
	# "set", not "append": append would produce "SAMEORIGIN, SAMEORIGIN" if the header already exists, which browsers reject
	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-Content-Type-Options "nosniff"
	Header always set X-Permitted-Cross-Domain-Policies "none"
	# One year with subdomains is the minimum for HSTS preload list submission
	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	Header always set Referrer-Policy "same-origin"
	# Feature-Policy is superseded by Permissions-Policy below
	# Header set Feature-Policy "geolocation 'self'; fullscreen 'self' https://www.google.com;"
	Header always set Permissions-Policy "microphone=(), camera=(), geolocation=(self), fullscreen=(self \"https://www.youtube.com\"), accelerometer=(self \"https://www.youtube.com\"), autoplay=(self \"https://www.youtube.com\"), clipboard-write=(self \"https://www.youtube.com\"), encrypted-media=(self \"https://www.youtube.com\"), gyroscope=(self \"https://www.youtube.com\")"

	# Expect-CT is obsolete (browsers dropped support in 2022); harmless to keep, but the whole value must be one quoted string
	Header always set Expect-CT "enforce, max-age=2592000, report-uri=\"https://www.example.com/report\""
	# "set", not "add": a second CSP header is intersected with the first, which breaks pages in surprising ways.
	# 'unsafe-inline' in script-src and broad wildcards such as *.google.com weaken the policy; tighten as far as the site allows
	Header always set Content-Security-Policy "default-src 'self' *.youtube.com *.youtube-nocookie.com *.bootstrapcdn.com *.gstatic.com *.googleapis.com *.doubleclick.net *.googletagmanager.com *.google-analytics.com *.google.com; connect-src 'self' *.google-analytics.com; style-src 'self' 'unsafe-inline' *.bootstrapcdn.com *.googleapis.com; script-src 'self' *.youtube.com *.youtube-nocookie.com *.google-analytics.com *.google.com *.googleapis.com *.googletagmanager.com *.jquery.com *.bootstrapcdn.com 'unsafe-inline';"
	# CORS: reflect the Origin header only for the listed hosts (dots escaped, regex anchored).
	# $0 is the whole matched origin; $0$1 would append the optional "s" from group 1 and produce e.g. "https://www.example.co.uks"
	SetEnvIf Origin "^http(s)?://(www\.)?(example\.co\.uk|youtube\.com)$" AccessControlAllowOrigin=$0
	Header set Access-Control-Allow-Origin "%{AccessControlAllowOrigin}e" env=AccessControlAllowOrigin
	# Only send the credentials header when an allowed origin was matched
	Header set Access-Control-Allow-Credentials "true" env=AccessControlAllowOrigin
</IfModule>

These can be tested here: https://www.serpworx.com/check-security-headers/

A Content Security Policy can be tested beforehand by sending it as Content-Security-Policy-Report-Only, which reports violations without enforcing the policy:

https://www.uriports.com/blog/creating-a-content-security-policy-csp/
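A small offline audit of the headers set above, covering the checks the online tester and the Report-Only rollout would make. This is an added example, not code from the original post; the two sample responses are constructed and the finding strings are my own.

```python
import re

# Sanity checks for the headers the .htaccess snippet above sets. The two responses
# at the bottom are constructed samples, not captured from a real site.
REQUIRED = ("strict-transport-security", "x-frame-options", "x-content-type-options",
            "referrer-policy", "permissions-policy", "content-security-policy")

def csp_directive(csp, name):
    """Return the source list of one CSP directive, or None if it is absent."""
    m = re.search(rf"(?:^|;)\s*{name}\s+([^;]*)", csp)
    return m.group(1).strip() if m else None

def audit_headers(headers):
    """Return a list of findings for one response's headers (names matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 31536000):
        findings.append("hsts max-age below one year")
    xfo = h.get("x-frame-options", "")
    if "," in xfo:  # what "Header append" produces once the header already exists
        findings.append(f"x-frame-options has duplicate values: {xfo}")
    csp = h.get("content-security-policy", "")
    # script-src falls back to default-src when it is not set explicitly
    scripts = csp_directive(csp, "script-src") or csp_directive(csp, "default-src") or ""
    if "'unsafe-inline'" in scripts:
        findings.append("script-src allows 'unsafe-inline'")
    if not csp and "content-security-policy-report-only" in h:
        findings.append("csp is report-only: violations are reported but not blocked")
    return findings

GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "same-origin", "Permissions-Policy": "camera=(), microphone=()",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' *.googleapis.com"}
BAD = {"Strict-Transport-Security": "max-age=2592000",          # 30 days: too short for preload
       "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN",              # result of "Header append"
       "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' *.google.com"}

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_headers(sample) or ["ok"])
```

To audit a live site, feed it the response headers (for example from curl -I) as a dict.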

More reading on the new Permissions-Policy header, which replaces the Feature-Policy header:

https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/

Search Engine Friendly URLs

I’ve been working on setting up some search engine friendly URLs on a PHP website.

Rather than have URLs that look like www.domain.co.uk/index.php?id=23, I wanted them to look like www.domain.co.uk/slugname, as WordPress does.

To do this I used .htaccess:

RewriteEngine On
RewriteRule ^\/?services\/? index.php?cat=2 [NC]
RewriteRule ^\/?departments\/? index.php?cat=3 [NC]
RewriteRule ^\/?resources\/? index.php?cat=4 [NC]
RewriteRule ^\/?calendar\/? index.php?cat=5 [NC]
RewriteRule ^\/?college\/([a-z0-9\-\_]+)\/?$ index.php?cat=1&id=$1 [NC]
RewriteRule ^\/?college\/? index.php?cat=1 [NC]

Ref : https://httpd.apache.org/docs/current/mod/mod_rewrite.html

RewriteEngine On

Enables Apache’s mod_rewrite module, which lets me rewrite URLs.

Category Rewrite Rule

RewriteRule ^\/?services\/? index.php?cat=2 [NC]

This line is a rewrite rule (https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriterule).

After the directive name, the next part is a regular expression that is matched against the requested URL path.
(Ref: https://www.rexegg.com/regex-quickstart.html)

^ – start of the string; what follows must match from the beginning
\ – escapes the reserved character that follows (here the /)
/? – may or may not have a / at the start
services – followed by the literal string ‘services’
\ – again escapes the following /
/? – may or may not end with a trailing /

Then the substitution is specified (this is the path that will actually be loaded; it replaces the whole requested path, not just the part the pattern matched).

[NC] indicates that the rewrite rule is case insensitive (so it matches regardless of whether characters are uppercase or lowercase).

Category Sub Items Rewrite Rule

RewriteRule ^\/?college\/([a-z0-9\-\_]+)\/?$ index.php?cat=1&id=$1 [NC]

I added a rewrite rule to handle sub items. This one takes an id from the pattern and adds it to the actual path, so if you typed in www.domain.com/college/item it would load www.domain.com/index.php?cat=1&id=item.

^\/?college\/([a-z0-9\-\_]+)\/?$

^ – match the start of the string
/? – may or may not start with a /
college/ – followed by the string college/
([a-z0-9\-\_]+) – followed by a group of one or more characters from the set [ ] (a-z, 0-9, - or _); case doesn’t matter in this example because we are using NC at the end
\ – escapes the following /
/? – may or may not end with a /
$ – matches the end of the string, so nothing may follow the optional trailing /

index.php?cat=1&id=$1

The string captured by the group in brackets, (…), is then inserted into the substitution using $1; if you matched more than one group in the pattern you would number them $1, $2, $3, etc.
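To see what the six rules above do to a request, here is an added simulation of the mod_rewrite matching described in this post (my code, not Apache's and not from the original post): the pattern is tested against the path only, a match replaces the whole path with the substitution, and because the rules carry no [L] flag the later rules are then tested against the rewritten path. The sample requests are constructed.

```python
import re

# The six RewriteRule lines from the .htaccess above as (pattern, substitution, flags).
RULES = [
    (r"^\/?services\/?", "index.php?cat=2", "NC"),
    (r"^\/?departments\/?", "index.php?cat=3", "NC"),
    (r"^\/?resources\/?", "index.php?cat=4", "NC"),
    (r"^\/?calendar\/?", "index.php?cat=5", "NC"),
    (r"^\/?college\/([a-z0-9\-\_]+)\/?$", "index.php?cat=1&id=$1", "NC"),
    (r"^\/?college\/?", "index.php?cat=1", "NC"),
]

def rewrite(url, rules=RULES):
    """Simulate mod_rewrite for one request URL (path plus optional query string).

    The pattern is searched in the path part only; on a match the substitution
    replaces the whole path and, without [QSA], the original query string is
    dropped in favour of the substitution's own. Rules without [L] keep going.
    """
    path, _, query = url.partition("?")
    for pattern, subst, flags in rules:
        re_flags = re.IGNORECASE if "NC" in flags else 0
        m = re.search(pattern, path, re_flags)
        if not m:
            continue
        # Apache backreferences: $0 is the whole match, $1..$9 the capture groups
        expanded = re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))) or "", subst)
        path, _, query = expanded.partition("?")
    return path + ("?" + query if query else "")

if __name__ == "__main__":
    # Constructed requests: the last three show the prefix match (no trailing $),
    # the lost query string (no [QSA]) and a sub item that falls through to the category page.
    for req in ("/services", "/college/item", "/COLLEGE/Item/",
                "/services-old?page=2", "/college/bad.name", "/about"):
        print(f"{req:24} -> {rewrite(req)}")
```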

Continued….

This is a fairly basic example; it works for what I need, but I may take it further in the future…

Useful Links