Adding security to your SVN directory using .htaccess

Posted: May 25th, 2009 | Author: admin | Filed under: Server Related Stuff

If you are familiar with SVN, you know that the directory tree of your project or website is populated with .svn folders. Leaving these folders reachable through the web server is a security vulnerability, since they hold your file revisions and other information about the structure and layout of your website. Here is a simple solution by Adam Gotterer that protects those directories using .htaccess:

RewriteEngine On
RewriteRule (\.svn)/(.*?) - [F,L]

Another good tip is to deploy with svn export instead of a checkout or an rsync of a working copy, so the .svn folders never reach the server in the first place.
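To see what the rule above does and does not catch, here is an added example (not from the post) that models how Apache tests a RewriteRule pattern from a document-root .htaccess against sample request paths, and compares it with a tightened pattern that is my own suggestion, not the author's:

```python
import re

# The rule from the post. Simplified model (assumption of this example): with the
# .htaccess in the document root, Apache tests the pattern against the request path
# with its leading "/" removed, so "/.svn/entries" is tested as ".svn/entries".
POSTED_RULE = re.compile(r"(\.svn)/(.*?)")

# A tightened pattern, an assumption of this example and not from the post: it anchors
# ".svn" to a path-component boundary, also matches a bare ".svn" with no trailing
# slash, and ignores case (like the NC flag), which matters on case-insensitive
# filesystems where Apache would otherwise serve "/.SVN/entries".
TIGHTENED_RULE = re.compile(r"(^|/)\.svn(/|$)", re.IGNORECASE)

def per_directory_path(request_path):
    """Model the per-directory path Apache hands to RewriteRule from a docroot .htaccess."""
    return request_path.lstrip("/")

def blocked_by(rule, request_path):
    """True when the pattern matches and the request would receive the [F] 403."""
    return rule.search(per_directory_path(request_path)) is not None

# Constructed sample requests: SVN metadata paths, look-alikes, and ordinary pages.
SAMPLE_REQUESTS = [
    "/.svn/entries",         # SVN 1.6 metadata: must be blocked
    "/assets/.svn/wc.db",    # SVN 1.7+ metadata in a subdirectory
    "/.svn",                 # bare directory: DirectorySlash usually redirects it to
                             # /.svn/, but the posted pattern alone does not match it
    "/.SVN/entries",         # the same directory on a case-insensitive filesystem
    "/release.svn/x",        # a legitimate name that merely ends in ".svn"
    "/docs/svn-howto.html",  # an ordinary page that mentions svn
    "/index.html",
]

def audit(requests=SAMPLE_REQUESTS):
    """Map each request path to (blocked by posted rule, blocked by tightened rule)."""
    return {p: (blocked_by(POSTED_RULE, p), blocked_by(TIGHTENED_RULE, p)) for p in requests}

if __name__ == "__main__":
    for path, (posted, tightened) in audit().items():
        print(f"{path:24} posted={'403' if posted else 'served':7} "
              f"tightened={'403' if tightened else 'served'}")
```

The tightened pattern corresponds to the .htaccess line RewriteRule (^|/)\.svn(/|$) - [F,L,NC]; serving a 404 for these paths instead of a 403 would additionally avoid confirming that the directory exists.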


.htaccess reference guide

Posted: May 20th, 2009 | Author: admin | Filed under: Server Related Stuff

I found this nifty cheatsheet for the .htaccess configuration. Special thanks to Jackol’s Den.

Enable Directory Browsing

Options +Indexes
## block a few types of files from showing
IndexIgnore *.wmv *.mp4 *.avi

Disable Directory Browsing

Options All -Indexes

Customize Error Messages

ErrorDocument 403 /forbidden.html
ErrorDocument 404 /notfound.html
ErrorDocument 500 /servererror.html

Get SSI working with HTML/SHTML

AddType text/html .html
AddType text/html .shtml
AddHandler server-parsed .html
AddHandler server-parsed .shtml
# AddHandler server-parsed .htm

Change Default Page (order is followed!)

DirectoryIndex myhome.htm index.htm index.php

Block Users from accessing the site

<Limit GET POST PUT>
order allow,deny
allow from all
deny from 202.54.122.33
deny from 8.70.44.53
deny from .spammers.com
</Limit>

Allow only LAN users

order deny,allow
deny from all
allow from 192.168.0.0/24
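The Order directive decides which of the two lists wins when a client matches both, and getting it backwards silently disables the block list. This added example (not from the cheatsheet) models the Apache 2.2 mod_access evaluation and runs constructed clients through the two configurations above:

```python
import ipaddress

def rule_matches(rule, client_ip, client_host=None):
    """One 'Allow from' / 'Deny from' argument (Apache 2.2 mod_access syntax):
    'all', a full IP address, a CIDR block, or a domain suffix such as
    '.spammers.com', which Apache compares against the client's reverse-DNS
    name and therefore only works with HostnameLookups enabled. Partial-IP
    forms such as '10.1' are not modelled (simplification of this example)."""
    if rule.lower() == "all":
        return True
    if rule.startswith("."):
        return client_host is not None and client_host.lower().endswith(rule.lower())
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def access_allowed(order, deny, allow, client_ip, client_host=None):
    """Apply the Order directive the way mod_access does."""
    denied = any(rule_matches(r, client_ip, client_host) for r in deny)
    allowed = any(rule_matches(r, client_ip, client_host) for r in allow)
    if order.lower() == "deny,allow":
        # Deny lines first, Allow lines second, default allow: a client that
        # matches any Allow line gets in even if it also matched a Deny line.
        return allowed or not denied
    if order.lower() == "allow,deny":
        # Allow lines first, Deny lines second, default deny: the client must
        # match an Allow line and must not match any Deny line.
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order}")

BLOCKLIST = ["202.54.122.33", "8.70.44.53", ".spammers.com"]

# Order deny,allow together with "allow from all": the Allow line overrides every
# Deny line, so nobody on the block list is actually blocked.
BLOCK_USERS_DENY_ALLOW = dict(order="deny,allow", deny=BLOCKLIST, allow=["all"])
# Order allow,deny is what blocking specific clients while admitting everyone else needs.
BLOCK_USERS_ALLOW_DENY = dict(order="allow,deny", deny=BLOCKLIST, allow=["all"])
# "Allow only LAN users": deny everyone, then let the LAN range override the deny.
LAN_ONLY = dict(order="deny,allow", deny=["all"], allow=["192.168.0.0/24"])

def audit():
    """Evaluate constructed clients (documentation IP ranges) against the configurations."""
    return {
        "listed ip, deny,allow": access_allowed(client_ip="202.54.122.33", **BLOCK_USERS_DENY_ALLOW),
        "listed ip, allow,deny": access_allowed(client_ip="202.54.122.33", **BLOCK_USERS_ALLOW_DENY),
        "other ip, allow,deny": access_allowed(client_ip="198.51.100.7", **BLOCK_USERS_ALLOW_DENY),
        "spammer host, allow,deny": access_allowed(client_ip="203.0.113.9",
                                                   client_host="mail.spammers.com", **BLOCK_USERS_ALLOW_DENY),
        "lan client": access_allowed(client_ip="192.168.0.42", **LAN_ONLY),
        "internet client": access_allowed(client_ip="198.51.100.7", **LAN_ONLY),
    }
```

On Apache 2.4 the same policies are written with mod_authz_host's Require directives (Require all granted, Require not ip ..., Require ip 192.168.0.0/24), and the Order/Allow/Deny syntax only works with mod_access_compat loaded.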

Redirect Visitors to New Page/Directory

Redirect /oldpage.html http://www.domainname.com/newpage.html
Redirect /olddir http://www.domainname.com/newdir/

Block site from specific referrers

RewriteEngine on
# [OR] is required: without it both conditions must match the same referrer, so nothing is blocked
RewriteCond %{HTTP_REFERER} site-to-block\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site-to-block-2\.com [NC]
RewriteRule .* - [F]

Block Hot Linking/Bandwidth hogging

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]

Want to show a “Stealing is Bad” message too?

Use the two lines below in place of the last RewriteRule of the hot-link block, keeping its two RewriteCond lines above them (a RewriteCond only applies to the RewriteRule that immediately follows it). The extra condition exempts the replacement image itself; otherwise its own request, which arrives with the same foreign referrer, would be redirected in a loop:

RewriteCond %{REQUEST_URI} !/dontsteal\.gif$
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/dontsteal.gif [R,L]

Stop .htaccess (or any other file) from being viewed

<Files file-name>
order allow,deny
deny from all
</Files>

Avoid the 500 Error

# Avoid 500 error by passing charset
AddDefaultCharset utf-8

Grant CGI Access in a directory

Options +ExecCGI
AddHandler cgi-script cgi pl
# To enable all scripts in a directory use the following
# SetHandler cgi-script

Password Protecting Directories

Use the .htaccess Password Generator and follow the brief instructions!

Change Script Extensions

AddType application/x-httpd-php .gne

Files ending in .gne will now be treated as PHP files. Similarly, use application/x-httpd-cgi for CGI files, and so on.

Use MD5 Digests

Performance may take a hit, but if that's not a problem, this is a nice option to turn on.

ContentDigest On

The CheckSpelling Directive

From Jens Meiert: CheckSpelling corrects simple spelling errors (for example, if someone forgets a letter or if any character is just wrong). Just add CheckSpelling On to your .htaccess file.

The ContentDigest Directive

As the Apache core features documentation says: “This directive enables the generation of Content-MD5 headers as defined in RFC1864 respectively RFC2068. The Content-MD5 header provides an end-to-end message integrity check (MIC) of the entity-body. A proxy or client may check this header for detecting accidental modification of the entity-body in transit.

Note that this can cause performance problems on your server since the message digest is computed on every request (the values are not cached). Content-MD5 is only sent for documents served by the core, and not by any module. For example, SSI documents, output from CGI scripts, and byte range responses do not have this header.”

Enable Gzip – Save Bandwidth

# BEGIN GZIP
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
# END GZIP

Turn off magic_quotes_gpc

# Only if you use PHP

php_flag magic_quotes_gpc off

Set an Expires header and enable Cache-Control

ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 7200 seconds"
ExpiresByType image/gif "access plus 518400 seconds"
ExpiresByType image/jpeg "access plus 518400 seconds"
ExpiresByType image/png "access plus 518400 seconds"
ExpiresByType text/css "access plus 518400 seconds"
ExpiresByType text/javascript "access plus 216000 seconds"
ExpiresByType application/x-javascript "access plus 216000 seconds"

# Each Header line needs its own FilesMatch scope; at the top level of the file
# they would all apply to every response and the last one would win.
# The file patterns follow the Expires rules above.

# Cache specified files for 6 days
<FilesMatch "\.(gif|jpe?g|png|css)$">
Header set Cache-Control "max-age=518400, public"
</FilesMatch>

# Cache HTML files for a couple hours
<FilesMatch "\.html?$">
Header set Cache-Control "max-age=7200, private, must-revalidate"
</FilesMatch>

# Cache PDFs for a day
<FilesMatch "\.pdf$">
Header set Cache-Control "max-age=86400, public"
</FilesMatch>

# Cache Javascripts for 2.5 days
<FilesMatch "\.js$">
Header set Cache-Control "max-age=216000, private"
</FilesMatch>