[TASK] Disallow access to vcs directories
[Packages/TYPO3.CMS.git] / _.htaccess
1 #####
2 #
3 # Example .htaccess file for TYPO3 CMS - for use with Apache Webserver
4 #
5 # This file includes settings for the following configuration options:
6 #
7 # - Compression
8 # - Caching
9 # - MIME types
10 # - Cross Origin requests
11 # - Rewriting and Access
12 # - Miscellaneous
13 # - PHP optimisation
14 #
15 # If you want to use it, you have to copy it to the root folder of your TYPO3 installation (if its
16 # not there already) and rename it to '.htaccess'. To make .htaccess files work, you might need to
17 # adjust the 'AllowOverride' directive in your Apache configuration file.
18 #
19 # IMPORTANT: You may need to change this file depending on your TYPO3 installation!
20 # Consider adding this file's content to your webserver's configuration directly for speed improvement
21 #
22 # Lots of the options are taken from https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess
23 #
24 ####
25
26
27 ### Begin: Compression ###
28
29 # Compressing resource files will save bandwidth and so improve loading speed especially for users
30 # with slower internet connections. TYPO3 can compress the .js and .css files for you.
31 # *) Uncomment the following lines and
32 # *) Set $GLOBALS['TYPO3_CONF_VARS']['BE']['compressionLevel'] = 9 for the Backend
33 # *) Set $GLOBALS['TYPO3_CONF_VARS']['FE']['compressionLevel'] = 9 together with the TypoScript properties
34 # config.compressJs and config.compressCss for GZIP compression of Frontend JS and CSS files.
35
36 #<FilesMatch "\.js\.gzip$">
37 # AddType "text/javascript" .gzip
38 #</FilesMatch>
39 #<FilesMatch "\.css\.gzip$">
40 # AddType "text/css" .gzip
41 #</FilesMatch>
42 #AddEncoding gzip .gzip
43
44 <IfModule mod_deflate.c>
45 # Force compression for mangled `Accept-Encoding` request headers
46 <IfModule mod_setenvif.c>
47 <IfModule mod_headers.c>
48 SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
49 RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
50 </IfModule>
51 </IfModule>
52
53 # Compress all output labeled with one of the following media types
54 <IfModule mod_filter.c>
55 AddOutputFilterByType DEFLATE application/atom+xml \
56 application/javascript \
57 application/json \
58 application/ld+json \
59 application/manifest+json \
60 application/rdf+xml \
61 application/rss+xml \
62 application/schema+json \
63 application/vnd.geo+json \
64 application/vnd.ms-fontobject \
65 application/x-font-ttf \
66 application/x-javascript \
67 application/x-web-app-manifest+json \
68 application/xhtml+xml \
69 application/xml \
70 font/eot \
71 font/opentype \
72 image/bmp \
73 image/svg+xml \
74 image/vnd.microsoft.icon \
75 image/x-icon \
76 text/cache-manifest \
77 text/css \
78 text/html \
79 text/javascript \
80 text/plain \
81 text/vcard \
82 text/vnd.rim.location.xloc \
83 text/vtt \
84 text/x-component \
85 text/x-cross-domain-policy \
86 text/xml
87 </IfModule>
88
89 <IfModule mod_mime.c>
90 AddEncoding gzip svgz
91 </IfModule>
92 </IfModule>
93
94 ### End: Compression ###
95
96
97
98 ### Begin: Browser caching of resource files ###
99
100 # This affects Frontend and Backend and increases performance.
101 <IfModule mod_expires.c>
102
103 ExpiresActive on
104 ExpiresDefault "access plus 1 month"
105
106 ExpiresByType text/css "access plus 1 year"
107
108 ExpiresByType application/json "access plus 0 seconds"
109 ExpiresByType application/ld+json "access plus 0 seconds"
110 ExpiresByType application/schema+json "access plus 0 seconds"
111 ExpiresByType application/vnd.geo+json "access plus 0 seconds"
112 ExpiresByType application/xml "access plus 0 seconds"
113 ExpiresByType text/xml "access plus 0 seconds"
114
115 ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
116 ExpiresByType image/x-icon "access plus 1 week"
117
118 ExpiresByType text/x-component "access plus 1 month"
119
120 ExpiresByType text/html "access plus 0 seconds"
121
122 ExpiresByType application/javascript "access plus 1 year"
123 ExpiresByType application/x-javascript "access plus 1 year"
124 ExpiresByType text/javascript "access plus 1 year"
125
126 ExpiresByType application/manifest+json "access plus 1 week"
127 ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
128 ExpiresByType text/cache-manifest "access plus 0 seconds"
129
130 ExpiresByType audio/ogg "access plus 1 month"
131 ExpiresByType image/bmp "access plus 1 month"
132 ExpiresByType image/gif "access plus 1 month"
133 ExpiresByType image/jpeg "access plus 1 month"
134 ExpiresByType image/png "access plus 1 month"
135 ExpiresByType image/svg+xml "access plus 1 month"
136 ExpiresByType image/webp "access plus 1 month"
137 ExpiresByType video/mp4 "access plus 1 month"
138 ExpiresByType video/ogg "access plus 1 month"
139 ExpiresByType video/webm "access plus 1 month"
140
141 ExpiresByType application/atom+xml "access plus 1 hour"
142 ExpiresByType application/rdf+xml "access plus 1 hour"
143 ExpiresByType application/rss+xml "access plus 1 hour"
144
145 ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
146 ExpiresByType font/eot "access plus 1 month"
147 ExpiresByType font/opentype "access plus 1 month"
148 ExpiresByType application/x-font-ttf "access plus 1 month"
149 ExpiresByType application/font-woff "access plus 1 month"
150 ExpiresByType application/x-font-woff "access plus 1 month"
151 ExpiresByType font/woff "access plus 1 month"
152 ExpiresByType application/font-woff2 "access plus 1 month"
153
154 ExpiresByType text/x-cross-domain-policy "access plus 1 week"
155
156 </IfModule>
157
158 ### End: Browser caching of resource files ###
159
160
161 ### Begin: MIME types ###
162
163 # Proper MIME types for all files
164 <IfModule mod_mime.c>
165
166 # Data interchange
167 AddType application/atom+xml atom
168 AddType application/json json map topojson
169 AddType application/ld+json jsonld
170 AddType application/rss+xml rss
171 AddType application/vnd.geo+json geojson
172 AddType application/xml rdf xml
173
174 # JavaScript
175 AddType application/javascript js
176
177 # Manifest files
178 AddType application/manifest+json webmanifest
179 AddType application/x-web-app-manifest+json webapp
180 AddType text/cache-manifest appcache
181
182 # Media files
183
184 AddType audio/mp4 f4a f4b m4a
185 AddType audio/ogg oga ogg opus
186 AddType image/bmp bmp
187 AddType image/svg+xml svg svgz
188 AddType image/webp webp
189 AddType video/mp4 f4v f4p m4v mp4
190 AddType video/ogg ogv
191 AddType video/webm webm
192 AddType video/x-flv flv
193 AddType image/x-icon cur ico
194
195 # Web fonts
196 AddType application/font-woff woff
197 AddType application/font-woff2 woff2
198 AddType application/vnd.ms-fontobject eot
199 AddType application/x-font-ttf ttc ttf
200 AddType font/opentype otf
201
202 # Other
203 AddType application/octet-stream safariextz
204 AddType application/x-bb-appworld bbaw
205 AddType application/x-chrome-extension crx
206 AddType application/x-opera-extension oex
207 AddType application/x-xpinstall xpi
208 AddType text/vcard vcard vcf
209 AddType text/vnd.rim.location.xloc xloc
210 AddType text/vtt vtt
211 AddType text/x-component htc
212
213 </IfModule>
214
215 # UTF-8 encoding
216 AddDefaultCharset utf-8
217 <IfModule mod_mime.c>
218 AddCharset utf-8 .atom .css .js .json .manifest .rdf .rss .vtt .webapp .webmanifest .xml
219 </IfModule>
220
221 ### End: MIME types ###
222
223
224
225 ### Begin: Cross Origin ###
226
227 # Send the CORS header for images when browsers request it.
228 <IfModule mod_setenvif.c>
229 <IfModule mod_headers.c>
230 <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
231 SetEnvIf Origin ":" IS_CORS
232 Header set Access-Control-Allow-Origin "*" env=IS_CORS
233 </FilesMatch>
234 </IfModule>
235 </IfModule>
236
237 # Allow cross-origin access to web fonts.
238 <IfModule mod_headers.c>
239 <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
240 Header set Access-Control-Allow-Origin "*"
241 </FilesMatch>
242 </IfModule>
243
244 ### End: Cross Origin ###
245
246
247
248 ### Begin: Rewriting and Access ###
249
250 # You need rewriting, if you use a URL-Rewriting extension (RealURL, CoolUri).
251
252 <IfModule mod_rewrite.c>
253
254 # Enable URL rewriting
255 RewriteEngine On
256
257 # Store the current location in an environment variable CWD to use
258 # mod_rewrite in .htaccess files without knowing the RewriteBase
259 RewriteCond $0#%{REQUEST_URI} ([^#]*)#(.*)\1$
260 RewriteRule ^.*$ - [E=CWD:%2]
261
262 # Rules to set ApplicationContext based on hostname
263 #RewriteCond %{HTTP_HOST} ^dev\.example\.com$
264 #RewriteRule .? - [E=TYPO3_CONTEXT:Development]
265 #RewriteCond %{HTTP_HOST} ^staging\.example\.com$
266 #RewriteRule .? - [E=TYPO3_CONTEXT:Production/Staging]
267 #RewriteCond %{HTTP_HOST} ^www\.example\.com$
268 RewriteRule .? - [E=TYPO3_CONTEXT:Production]
269
270 # Rule for versioned static files, configured through:
271 # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
272 # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
273 # IMPORTANT: This rule has to be the very first RewriteCond in order to work!
274 RewriteCond %{REQUEST_FILENAME} !-f
275 RewriteCond %{REQUEST_FILENAME} !-d
276 RewriteRule ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ $1.$3 [L]
277
278 # Access block for folders
279 RewriteRule _(?:recycler|temp)_/ - [F]
280 RewriteRule fileadmin/templates/.*\.(?:txt|ts)$ - [F]
281 RewriteRule typo3temp/logs/ - [F]
282 RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext|typo3/vendor)/[^/]+/(?:Configuration|Resources/Private|Tests?)/ - [F]
283
284 # Access block for files or folders starting with a dot
285 RewriteCond %{SCRIPT_FILENAME} -d [OR]
286 RewriteCond %{SCRIPT_FILENAME} -f
287 RewriteRule (?:^|/)\. - [F]
288
289 # Stop rewrite processing, if we are in the typo3/ directory or any other known directory
290 # NOTE: Add your additional local storages here
291 RewriteRule (?:typo3/|fileadmin/|typo3conf/|typo3temp/|uploads/|favicon\.ico) - [L]
292
293 # If the file/symlink/directory does not exist => Redirect to index.php.
294 # For httpd.conf, you need to prefix each '%{REQUEST_FILENAME}' with '%{DOCUMENT_ROOT}'.
295 RewriteCond %{REQUEST_FILENAME} !-f
296 RewriteCond %{REQUEST_FILENAME} !-d
297 RewriteCond %{REQUEST_FILENAME} !-l
298 RewriteRule ^.*$ %{ENV:CWD}index.php [QSA,L]
299
300 </IfModule>
301
302 # Access block for files
303 <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
304 # Apache < 2.3
305 <IfModule !mod_authz_core.c>
306 Order allow,deny
307 Deny from all
308 Satisfy All
309 </IfModule>
310
311 # Apache ≥ 2.3
312 <IfModule mod_authz_core.c>
313 Require all denied
314 </IfModule>
315 </FilesMatch>
316
317 # Block access to vcs directories
318 <IfModule mod_alias.c>
319 RedirectMatch 404 /\.(?:git|svn|hg)/
320 </IfModule>
321
322 ### End: Rewriting and Access ###
323
324
325
326 ### Begin: Miscellaneous ###
327
328 # 404 error prevention for non-existing redirected folders
329 Options -MultiViews
330
331 # Make sure that directory listings are disabled.
332 <IfModule mod_autoindex.c>
333 Options -Indexes
334 </IfModule>
335
336 <IfModule mod_headers.c>
337 # Force IE to render pages in the highest available mode
338 Header set X-UA-Compatible "IE=edge"
339 <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff2?|xml|xpi)$">
340 Header unset X-UA-Compatible
341 </FilesMatch>
342
343 # Reducing MIME type security risks
344 Header set X-Content-Type-Options "nosniff"
345 </IfModule>
346
347 # ETag removal
348 <IfModule mod_headers.c>
349 Header unset ETag
350 </IfModule>
351 FileETag None
352
353 ### End: Miscellaneous ###
354
355
356 # Add your own rules here.