Update .htaccess for better security and caching #1900

Merged
merged 3 commits into from
Apr 1, 2019
Conversation

atishhamte
Contributor

Update .htaccess for better security and caching

Added a few points like,

  • Disable directory access
  • CORS setting
  • Disable image hotlinking
  • Disable server signature
  • mod expires for caching
  • Added GZip and DEFLATE types

Checklist:

  • Securely signed commits
  • Conforms to style guide

@atishhamte atishhamte changed the title Update .htaccess for better security and caching Update .htaccess for better security and caching Mar 30, 2019
@lonnieezell lonnieezell merged commit 11d527a into codeigniter4:develop Apr 1, 2019
@msaladna

msaladna commented Apr 15, 2019

This PR needs a rework. htaccess changes should be limited to what's necessary for the application to work as intended. Anything extraneous needs to be the discretion of the person managing the server, including hotlinking - not the application that should be as neutral as possible.

For example, Options All implies all options are enabled, including +FollowSymLinks and +SymLinksIfOwnerMatches. Not all platforms permit +FollowSymLinks because in multi-user environments it can lead to some really nasty side-channel attacks with linking index.foo to say config.php where index.foo is the web user, config.php is the system user. Enabling such a directive in a secure environment yields a 550 ISE.

Edit: a nastier example is when mod_includes is loaded, default with CentOS/RHEL 7+ at least. You can use SSI to side-step +SymLinksIfOwnerMatches using <!--#include virtual="victim" --> where victim is a symlink to another file on the filesystem. Only discretionary access controls restrict access.

ServerSignature should be deferred to the admin configuring the server. In reverse proxy environments it would be useful to keep this on to see which node in the chain yielded an error.

ExpiresDefault already specifies 1 month as its base. No need to duplicate directives that must be evaluated serially on every request. Keep the htaccess terse if you want maintainability.

AddOutputFilterByType DEFLATE will also take care of compression (and a far better option), but again this should be at the discretion of the global server configuration not the application. No need to also compress with mod_gzip unless you're running < Apache 2.0, but if so you have much bigger problems.
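As an added illustration of the review points above (not code from the PR or from the CodeIgniter project), a small linter that scans an .htaccess fragment for the directives the reviewer says belong to the server admin rather than the application: Options All / FollowSymLinks, ServerSignature, mod_gzip, and an ExpiresByType that merely repeats ExpiresDefault. Both .htaccess samples are constructed for the demonstration; the minimal one is assumed to be the front-controller rewrite a framework actually needs.

```python
"""Flag .htaccess directives that should be left to the server configuration."""

# Constructed sample in the spirit of the file the thread objects to (not the PR's actual diff).
OVERREACHING = """\
Options All
ServerSignature Off
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>
<IfModule mod_gzip.c>
    mod_gzip_on Yes
</IfModule>
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css
</IfModule>
"""

# Constructed minimal front-controller rewrite: the scope the reviewers argue for.
MINIMAL = """\
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php/$1 [L]
</IfModule>
"""


def lint_htaccess(text):
    """Return a list of (line_number, message) for directives better left to the admin."""
    findings = []
    expires_default = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (naive: ignores '#' inside quotes)
        if not line or line.startswith("<"):  # skip blanks and <IfModule>/</IfModule> tags
            continue
        directive, _, args = line.partition(" ")
        d = directive.lower()
        if d == "options" and any(o.lower() in ("all", "+followsymlinks", "followsymlinks") for o in args.split()):
            findings.append((lineno, "Options enables FollowSymLinks (All implies it); hardened hosts may reject it"))
        elif d == "serversignature":
            findings.append((lineno, "ServerSignature is a server-wide choice; leave it to the admin"))
        elif d.startswith("mod_gzip"):
            findings.append((lineno, "mod_gzip is redundant with mod_deflate on Apache 2.x"))
        elif d == "expiresdefault":
            expires_default = args.strip()
        elif d == "expiresbytype" and expires_default:
            _, _, period = args.strip().partition(" ")
            if period.strip() == expires_default:
                findings.append((lineno, "ExpiresByType repeats ExpiresDefault; evaluated on every request for no gain"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_htaccess(OVERREACHING):
        print(f"line {lineno}: {msg}")
```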

@lonnieezell
Member

I believe the hotlinking check has been removed. We'd welcome a PR to take care of all of that.

@msaladna

Jettison the merge.

This is a framework, not an all-in-one systems management platform. Follow Postel's Law. Do the least that is necessary for CI to work and leave the rest to the user how they want to configure the environment.

  • Do you really want newcomers asking why their svg isn't updating?
  • Do you really need to support IE8?
  • Do you really want CI to behave much differently behind Nginx than Apache?

@Paradinight

I would remove the .htaccess file completely. It is not the framework's task.
In short: we are not WordPress or another CMS.
