Files
2026-06-10 19:23:50 +07:00

38 lines
1.1 KiB
ApacheConf

Options -Indexes
Options -MultiViews
# ── Security headers ──
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
# ── Block direct access to sensitive files ──
<FilesMatch "^(config\.php|database\.sql|\.env)$">
Order allow,deny
Deny from all
</FilesMatch>
# ── Allow uploads folder but block PHP execution inside it ──
<IfModule mod_rewrite.c>
RewriteEngine On
# Block PHP execution in uploads folder
RewriteRule ^uploads/.*\.php$ - [F,L]
# Route all API requests through index if needed
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/([^/]+)/?$ api/$1.php [L,QSA]
</IfModule>
# ── Cache static assets ──
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
</IfModule>