# FORCE HTTPS
# Any request where mod_rewrite's %{HTTPS} variable is not "on" gets a
# permanent (301) redirect to the same host and URI over https://.
# NOTE(review): if TLS is terminated in front of Apache (CDN, load balancer),
# %{HTTPS} is presumably "off" for every request and this rule would redirect
# in a loop - confirm how this host is fronted.
# NOTE(review): %{HTTP_HOST} is taken from the client's Host header; the
# redirect target is only as trustworthy as the vhost's host matching.
# A redirect alone does not stop a first plain-HTTP request; a
# Strict-Transport-Security response header is the usual complement.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# TURN SERVER SIGNATURE OFF
# Removes the footer line Apache adds to server-generated documents
# (error pages, directory listings). It does not change the "Server"
# response header; that is governed by ServerTokens, which can only be set
# in the main server configuration, not in .htaccess.
ServerSignature Off

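# EXTRA SECURITY HEADERS
# X-XSS-Protection       - legacy switch for the browser XSS filter. Current
#                          browsers have removed that filter, so this header is
#                          kept only for old clients; a Content-Security-Policy
#                          is the control that actually limits script injection.
# X-Frame-Options        - page framing / click-jacking: only same-origin pages
#                          may frame this site.
# X-Content-Type-Options - content sniffing: browsers must honour the declared
#                          Content-Type. This line was commented out although
#                          the heading listed the protection; it is enabled here.
#                          Responses served with a wrong MIME type (for example
#                          scripts sent as text/plain) will stop loading, so
#                          check the site's MIME types after deploying.
<IfModule mod_headers.c>
	Header set X-XSS-Protection "1; mode=block"
	# "set" rather than "append" so the response carries one value even if
	# the same header is also configured at a higher level.
	Header always set X-Frame-Options SAMEORIGIN
	Header set X-Content-Type-Options nosniff
</IfModule>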

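# DENY ACCESS TO SPECIAL FILES
# The listed names are matched as prefixes of the file name (no trailing $),
# so variants such as config.php.bak are denied as well.
# The last two alternatives used to be ".private" and ".md" with unescaped
# dots under the ^ anchor: they matched any name whose 2nd-3rd characters are
# "md" (e.g. cmd.php) and did not match README.md.
# NOTE(review): assumes the intent was "dot-file .private" and "any *.md
# file" - confirm against the files actually present.
<FilesMatch "(^(install\.php|setup\.php|config\.php|php\.ini|configuration\.php|\.ftpquota|error_log|\.htpasswds|masterControls\.php|BA\.php|icons\.php|\.htaccess|notes\.txt|\.private)|\.md$)">
# Apache 2.4+: native authorization directive.
<IfModule mod_authz_core.c>
Require all denied
# To admit a single address, replace the line above with: Require ip 1.2.3.4
</IfModule>
# Apache 2.2: legacy access control (on 2.4 these directives exist only when
# mod_access_compat is loaded; without it they make every request fail).
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
# With "Order allow,deny" a matching Deny wins over Allow, so enabling the
# next line would still need "Deny from all" removed.
#Allow from 1.2.3.4
</IfModule>
</FilesMatch>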

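# DENY ACCESS TO SPECIFIC FILE TYPES
# Denies every file whose name ends in one of these extensions.
# The list includes txt and xml, so robots.txt and any XML sitemap or feed
# in this tree are refused too - remove those extensions or add an exception
# if crawlers are expected to read them.
<FilesMatch "\.(ini|phps|fla|psd|log|sh|txt|lic|swf|avi|flv|mov|ram|rm|dcr|csv|tar|zip|gz|bz2|xml)$">
# Apache 2.4+: native authorization directive.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2: legacy access control (needs mod_access_compat on 2.4).
<IfModule !mod_authz_core.c>
Order Allow,Deny
Deny from all
</IfModule>
</FilesMatch>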

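# DENY ACCESS TO ALL XML FILES
# Overlaps with the file-type list elsewhere in this file, which already
# contains xml; kept so the intent survives if that list is edited.
<Files ~ "\.xml$">
# Apache 2.4+: native authorization directive.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2: legacy access control (needs mod_access_compat on 2.4).
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
</Files>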

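# DENY ACCESS TO ALL TEXT FILES
# Overlaps with the file-type list elsewhere in this file, which already
# contains txt. This also refuses robots.txt; add an exception if crawlers
# are expected to read it.
<Files ~ "\.txt$">
# Apache 2.4+: native authorization directive.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Apache 2.2: legacy access control (needs mod_access_compat on 2.4).
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
</Files>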

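# COMPRESS FILES
# The container tags had been mangled into HTML-style attributes
# (mod_deflate.c="" and "..."=""), so the module test could never match and
# compression was never applied. Restored to valid Apache syntax, with the
# dot before the extension escaped.
# NOTE(review): gif/png/jpg/jpeg are already compressed formats, and
# compressing dynamic .php responses that echo request data next to secrets
# (session or CSRF tokens) over TLS is the precondition for BREACH-style
# length side channels - consider limiting this to static text assets.
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css|gif|png|jpg|jpeg|html|php)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>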

# DENIES ANY REQUEST FOR A URL CONTAINING CHARACTERS OTHER THAN "a-zA-Z0-9.+_/-?=&:@"
# %{THE_REQUEST} is the raw request line ("METHOD URL HTTP/x"). The condition
# is negated: a request line that is NOT a 3-9 letter method, one run of the
# allowed characters, then " HTTP/" is answered with 403 ([F]).
# "%" is not in the allowed set, so every percent-encoded URL (spaces,
# non-ASCII names, encoded query values) is refused, as are "," "~" ";" etc.
# [NS] skips the rule for internal sub-requests.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&\:@]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

# DENIES OBVIOUS EXPLOIT USING BOGUS GRAPHICS
# Returns 403 when the request carries a Content-Disposition header that
# mentions ".php" together with a Content-Type header of image/*.
# Both conditions must match (no [OR]).
# NOTE(review): in multipart/form-data uploads the per-file
# Content-Disposition and Content-Type live inside the request body, which
# mod_rewrite does not inspect, so this presumably matches only when they
# are sent as top-level request headers. Upload validation still has to
# happen in the application.
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

# DO NOT LIST FILES AND THROW ERROR 403
# -Indexes: a directory without an index file is not listed.
# +FollowSymLinks: symlink following must be allowed for mod_rewrite to work
# in .htaccess context. On shared hosting SymLinksIfOwnerMatch is the
# stricter alternative, since it only follows links owned by the same user
# as their target.
Options -Indexes
Options +FollowSymLinks

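# DO NOT SERVE CONTENTS OF ANY DREAMWEAVER _NOTES FOLDERS TO A BROWSER
# Matches "_notes" as a whole path segment at any depth. The previous
# pattern ^(_notes) only covered a _notes folder directly beside this
# .htaccess file, leaving nested ones (sub/dir/_notes/) readable, and also
# caught unrelated names that merely start with "_notes".
RewriteRule (^|/)_notes(/|$) - [F,L,NC]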

#ErrorDocument 400 " "
#ErrorDocument 401 " "
#ErrorDocument 403 " "
#ErrorDocument 404 " "
#ErrorDocument 405 " "
#ErrorDocument 406 " "
#ErrorDocument 407 " "
#ErrorDocument 408 " "
#ErrorDocument 409 " "
#ErrorDocument 410 " "
#ErrorDocument 411 " "
#ErrorDocument 412 " "
#ErrorDocument 413 " "
#ErrorDocument 414 " "
#ErrorDocument 415 " "
#ErrorDocument 416 " "
#ErrorDocument 417 " "
#ErrorDocument 422 " "
#ErrorDocument 423 " "
#ErrorDocument 424 " "
#ErrorDocument 426 " "
#ErrorDocument 500 " "
#ErrorDocument 503 " "

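# CACHE POLICY FOR JS AND CSS
# The active directive is "no-cache": browsers may store these files but
# must revalidate with the server before every use. The one-day policy the
# old heading described is the commented-out line; swap the two to use it.
# Wrapped in an IfModule test, like the security headers block, so a server
# without mod_headers does not fail on the Header directive.
<IfModule mod_headers.c>
<FilesMatch "\.(js|css)$">
   #Header set Cache-Control "max-age=86400, must-revalidate"
   Header set Cache-Control "no-cache"
</FilesMatch>
</IfModule>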

# PREVENT SCRIPT INJECTION
# Returns 403 when the query string contains a <script ...> tag (literal or
# %3C/%3E encoded) or tries to set PHP's GLOBALS / _REQUEST arrays.
# The three conditions are OR-ed. Because of [F] the request is refused
# rather than rewritten to index.php.
# %{QUERY_STRING} is matched undecoded, which is why the encoded forms are
# listed explicitly; other encodings and POST bodies are not covered, so
# output encoding in the application remains the primary control.
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]


#####################################################
# Script: htaccess Security                         #
# Version: 1.0                                      # 
#  ### Changelog ###                                #
# v1.0 - 2012-02-14                                 #
#####################################################

# NO WEB SERVER VERSION AND INDEXES
# Both directives repeat settings made earlier in this file; the repetition
# is harmless. ServerSignature Off only removes the footer on
# server-generated pages; the version in the "Server" response header is
# controlled by ServerTokens in the main server configuration.
ServerSignature Off
Options -Indexes

# ENABLE REWRITE ENGINE
# Already switched on at the top of this file; repeated here without effect.
RewriteEngine On

# BLOCK SUSPICIOUS REQUEST METHODS
# Returns 403 for any request whose method starts with one of the listed
# names (case-insensitive, no end anchor).
# NOTE(review): HEAD and OPTIONS are ordinary methods: HEAD is used by
# uptime monitors, link checkers and caches, OPTIONS by CORS pre-flight
# requests. Confirm nothing that talks to this site depends on them.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG|OPTIONS) [NC]
RewriteRule ^(.*)$ - [F,L]

# BLOCK WP TIMTHUMB HACK
# NOTE(review): despite the heading, this rule refuses nothing. When the
# URI contains one of the thumbnail script names, [S=1] makes mod_rewrite
# skip the NEXT RewriteRule, i.e. it exempts those scripts from whatever
# rule follows. The rule that followed (the one closing the long condition
# chain below) is commented out, so within the visible part of this file the
# skip has nothing to act on.
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]

# BLOCK SUSPICIOUS USER AGENTS AND REQUESTS
# One long OR-chain of conditions: user agents naming common HTTP libraries
# and scanners, request lines with traversal or CR/LF markers, and query
# strings resembling SQL injection, remote file inclusion or script
# injection.
# NOTE(review): the RewriteRule that terminates this chain is commented out
# at the end of the block, and no active RewriteRule follows it in the
# visible part of the file. RewriteCond lines only take effect through the
# RewriteRule after them, so as written none of these checks is enforced.
# NOTE(review): several patterns are broad enough to refuse normal traffic
# if the rule is re-enabled - any "http:"/"https:" or ".." in a query
# string, any "[" "]" "(" ")" (PHP array parameters), "localhost", and
# command-line clients such as curl or wget. Test against real requests
# before turning it on.
# %{QUERY_STRING} is matched undecoded and request bodies are not inspected;
# treat this as a coarse extra layer next to parameterized queries and
# output encoding in the application, or use a maintained rule set such as
# ModSecurity with the OWASP Core Rule Set.
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
# https://secure.rivalhost.com/knowledgebase/1037/htaccess-against-MySQL-injections-and-other-hacks.html
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
# Terminating rule, currently disabled (see the note at the top of this block).
#RewriteRule ^(.*)$ - [F,L]

#RewriteEngine on 
#RewriteCond %{REQUEST_FILENAME} !-d 
#RewriteCond %{REQUEST_FILENAME}\.php -f 
#RewriteRule ^(.*)$ $1.php

# Directory listings are already disabled earlier in this file; this repeat
# has no additional effect.
Options -Indexes

#Alternate default index page
#DirectoryIndex do.php

# NOTE(review): the handler below selects the ea-php73 package. PHP 7.3
# reached end of life in December 2021 and no longer receives security
# fixes; the version is changed from the hosting control panel, not by
# editing the generated lines.
# NOTE(review): AddHandler applies when any extension in a file name
# matches, so a name such as "photo.php.jpg" may be handed to PHP. If the
# site accepts uploads, keep them outside the web root or disable script
# handling in the upload directory.
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php73” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php73 .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
