.htaccess and PHP files - Fatal编程技术网

.htaccess and PHP files


I have written a .htaccess file to address some security issues on the site I have been working on.

For example:

  • HSTS
  • Frame Options
  • Sniff Options
  • CSP

The problem I am having is that the file seems to work with the following:

  • HTML
  • CSS
  • JS
  • PDF
but not with PHP files.

When serving PHP files, do I need to call header() explicitly?

Just in case, I have included the file:

#############################
## ERROR MESSAGES REDIRECT ##
#############################
ErrorDocument 404 /404.php
#############################
## ERROR MESSAGES REDIRECT ##
#############################


############################
# DISABLE SERVER SIGNATURE #
############################
ServerSignature Off
############################
# DISABLE SERVER SIGNATURE #
############################


#################
## VARY HEADER ##
#################
<IfModule mod_headers.c>

  Header always add TestHeader "It works."

  ######################################
  ## Set X headers for extra security ##
  ######################################
  # 1. HTTP Strict Transport Security (HSTS) header
  # 2. CSP - Only allow content from particular places
  # 3. XSS Protection - Protect from XSS
  # 4. X-Frame-Options SAMEORIGIN - Only allow frames within this domain
  # 5. X-Content-Type-Options nosniff - Disable browser sniffing
  Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
  Header set Content-Security-Policy "default-src 'self'; script-src 'self' www.google-analytics.com"
  Header set X-XSS-Protection "1; mode=block"
  Header always append X-Frame-Options SAMEORIGIN
  Header set X-Content-Type-Options nosniff
  ######################################
  ## Set X headers for extra security ##
  ######################################


  ##################### 
  ## Unset X headers ##
  ##################### 
  Header unset X-Powered-By
  ##################### 
  ## Unset X headers ##
  #####################


  ##################### 
  ## Vary headers ##
  ##################### 
  <FilesMatch "\.(js|css|xml|gz|html|php|woff|woff2)$">
    Header append Vary: Accept-Encoding
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
  ##################### 
  ## Vary headers ##
  #####################
</IfModule>


#####################
## EXPIRES CACHING ##
#####################
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault                                   "access plus 1 month"
# CSS
ExpiresByType text/css                            "access plus 1 year"
# Data interchange
ExpiresByType application/json                    "access plus 0 seconds"
ExpiresByType application/xml                     "access plus 0 seconds"
ExpiresByType text/xml                            "access plus 0 seconds"
# Favicon (cannot be renamed!)
ExpiresByType image/x-icon                        "access plus 1 week"
# HTML components (HTCs)
ExpiresByType text/x-component                    "access plus 1 month"
# HTML
ExpiresByType text/html                           "access plus 0 seconds"
# JavaScript
ExpiresByType application/javascript              "access plus 1 year"
# Manifest files
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest                 "access plus 0 seconds"
# Media
ExpiresByType audio/ogg                           "access plus 1 month"
ExpiresByType image/gif                           "access plus 1 month"
ExpiresByType image/jpeg                          "access plus 1 month"
ExpiresByType image/png                           "access plus 1 month"
ExpiresByType video/mp4                           "access plus 1 month"
ExpiresByType video/ogg                           "access plus 1 month"
ExpiresByType video/webm                          "access plus 1 month"
# Web feeds
ExpiresByType application/atom+xml                "access plus 1 hour"
ExpiresByType application/rss+xml                 "access plus 1 hour"
# Web fonts
ExpiresByType application/font-woff2              "access plus 1 month"
ExpiresByType application/font-woff               "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject       "access plus 1 month"
ExpiresByType application/x-font-ttf              "access plus 1 month"
ExpiresByType font/opentype                       "access plus 1 month"
ExpiresByType image/svg+xml                       "access plus 1 month"
</IfModule>
#####################
## EXPIRES CACHING ##
#####################


#################
## COMPRESSION ##
#################
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE font/woff
  AddOutputFilterByType DEFLATE font/woff2
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
</IfModule>
#################
## COMPRESSION ##
#################
I added TestHeader as a way of checking which headers I have been getting.

The following is from an HTML file:

The following is from a PHP file:

As you can see, the added headers are completely ignored.
<?php
/*
- 1. Strict Transport Security
- 2. Content Security Policy
- 3. XSS Protection
- 4. X Frame Options
- 5. X Content Options
- 6. Referrer Policy
*/

$headerSTS = "Strict-Transport-Security:" . "max-age=631138519; includeSubDomains";
$headerCSP = "Content-Security-Policy:" . 
             "style-src 'self' 'unsafe-inline' *;" .
             "script-src 'self' 'unsafe-eval' 'unsafe-inline' code.jquery.com https://cse.google.com https://www.google.com https://www.google-analytics.com https://ajax.googleapis.com https://www.gstatic.com;" .
             "img-src 'self' https://www.google.com https://www.google-analytics.com *;" .
             "media-src 'self' http://player.vimeo.com;" .
             "frame-src 'self' http://player.vimeo.com;";
$headerXSS = "X-XSS-Protection: 1; mode=block";
$headerSO = "X-Frame-Options: SAMEORIGIN";
$headerNS = "X-Content-Type-Options: nosniff";
$headerReferrer = "Referrer-Policy: no-referrer-when-downgrade";

header($headerSTS);
header($headerCSP);
header($headerXSS);
header($headerSO);
header($headerNS);
header($headerReferrer);
?>
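To verify which of the intended headers each response actually carries, here is an added example in Python (not part of the question or its PHP file): it parses a raw HTTP response head and reports which of the security headers from the .htaccess above are missing. The two responses are constructed to mirror the symptom described in the question; on a live site you would paste the head captured from the server in their place.

```python
from __future__ import annotations

# Headers the question's .htaccess is meant to set on every response, with a
# token each value must contain to count as present.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "default-src",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into {lower-cased name: [values]};
    repeated headers (what 'Header append' produces) are kept, not overwritten."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the head
        name, sep, value = line.partition(":")
        if sep:                        # skip malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def missing_security_headers(raw: str) -> list[str]:
    """Names of EXPECTED headers that are absent or lack their required token."""
    present = parse_headers(raw)
    return [name for name, token in EXPECTED.items()
            if not any(token in v for v in present.get(name, []))]

# Constructed responses mirroring the question's symptom: the static file
# carries the .htaccess headers, the PHP response does not.
HTML_RESPONSE = """HTTP/1.1 200 OK
TestHeader: It works.
Strict-Transport-Security: max-age=631138519; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' www.google-analytics.com
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html
"""
PHP_RESPONSE = """HTTP/1.1 200 OK
X-Powered-By: PHP/7.2.0
Content-Type: text/html; charset=UTF-8
"""

for label, raw in (("index.html", HTML_RESPONSE), ("index.php", PHP_RESPONSE)):
    print(f"{label}: missing {missing_security_headers(raw) or 'nothing'}")
```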