Started by keiron, Jul 31, 2022, 09:36 AM

keiron (Topic starter)

Hello everyone!

I am seeking advice on configuring my .htaccess file for a completely static website. My goal is to increase its security as much as possible.

Are there any recommended templates with basic settings such as redirects and access rights? As the website is static, I want to disable and prohibit anything that is not essential for its functioning (such as executing server scripts).

Any advice would be greatly appreciated! :)


Can you provide examples of the threats that you want to protect your website from?

The notion of "tested templates with basic customization" is similar to a standard sales agreement. In general, there might not be anything fitting but there certainly will be a flaw that applies to your specific situation.

If the website is truly static (and you are confident about it), then making use of .htaccess will not enhance its security in any meaningful way.

Please refer to the following page for more information: https://www.cisecurity.org/benchmark/apache_http_server/


.htaccess is an extra configuration file for servers such as Apache. It enables users to establish additional parameters and permissions for the operation of the web server on individual user folders or directories, without granting access to the main configuration file. This means that the entire service will not be affected.

The .htaccess file can be placed in any directory on the website, with its directives applying to every file in the directory and its subdirectories. Directives within the .htaccess file provide users with a wide range of options for configuring their website, including simple redirection directives.

The Redirect directive is one of the most frequently used and complex directives in .htaccess. It redirects users to another URL when they request the site. To use this feature, the user needs to add a .htaccess file to the root directory of the site with the necessary content. The syntax of the Redirect command includes an optional field for status that defines the return code, URI_LOCAL, which indicates the local part of the URL of the requested document, and URL_REDIRECT, which specifies the URL where the redirect will take place.

RedirectMatch is another directive similar to Redirect but allows the use of regular expressions. This is useful when transferring parameters to a script in the URL body. While this example may cause the page to reload, it can be improved later. Regular expressions can include all printable characters and space, with special symbols such as parentheses, ^, $, ., |, ?, *, +, [], [^], \, and # serving different functions.


When it comes to configuring your .htaccess file for a static website, there are a few recommendations you can follow to increase its security and disable unnecessary functionality. Here's a basic template you can use:

# Disable directory browsing
Options -Indexes

# Disable server-side includes
Options -Includes

# Disable server-side scripts
# (RemoveHandler only undoes AddHandler mappings; a PHP module wired in
# with SetHandler in the server config is not affected by this line)
RemoveHandler .php .cgi .pl .py .jsp .asp .htm .shtml .sh

# Deny access to specific file types
# (the dot is escaped so the pattern matches ".htaccess" literally, and the
# section is closed; Apache 2.4 syntax with a fallback for 2.2)
<FilesMatch "^\.htaccess$|\.(xml|txt|md|json)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>

# Disable server signature
ServerSignature Off

# Redirect non-www to www (optional)
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [L,R=301]

# Force HTTPS (optional, requires SSL certificate)
# (uses the RewriteEngine On above; with both redirects enabled, a request for
# http://yourdomain.com takes two hops, so put this rule first if that matters)
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [L,R=301]

This template includes basic settings to disable directory browsing, server-side includes, and server-side scripts. It also denies access to sensitive files like .htaccess, .xml, .txt, .md, and .json. Additionally, it disables the server signature to prevent disclosing server information.

There are a couple of optional settings you can include as well. The first one is redirecting non-www to www, which can help with SEO and branding consistency. The second one is forcing HTTPS, but this requires an SSL certificate.

Here are a few more tips to increase the security of your static website by further configuring your .htaccess file:

1. Limit access to specific IP addresses: If you have a known set of IP addresses that should have access to your website, you can add the following code to restrict access to only those IPs:

# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require ip <address>" instead
order deny,allow
deny from all
allow from 123.456.789.0

Replace `123.456.789.0` with the actual IP address you want to allow access from. You can repeat this line for each IP address.

2. Enable hotlink protection: Prevent others from directly linking to your website's content by using the following code:

RewriteEngine on
# Allow requests with an empty referer (direct visits, privacy-stripped browsers)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site; the dot is escaped so it is matched literally
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

This code blocks hotlinking for image files (jpg, jpeg, png, gif) from any website other than yours. Make sure to replace `yourdomain.com` with your actual domain name.

3. Protect important files: You can add another layer of security by preventing direct access to sensitive files like .htaccess and .htpasswd. Add the following code to your .htaccess file:

# Escaped dot and anchors match the two file names exactly; the section is closed.
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead
<FilesMatch "^\.ht(access|passwd)$">
    Order deny,allow
    Deny from all
</FilesMatch>

4. Implement caching: By enabling caching for static files, you can improve website performance and reduce server load. Add the following code to your .htaccess file:

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
</IfModule>

This code sets the expiration time for static files to 1 month. You can adjust it as per your needs.
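As an added example (not code from this thread), here is a small Python linter for the mistakes that hand-written .htaccess hardening templates like the ones in this thread tend to contain: container sections that are never closed, an unescaped dot in a FilesMatch pattern, and Apache 2.2-only Order/Deny/Allow lines that a 2.4 server without mod_access_compat rejects, which turns the whole site into a 500. The two sample templates at the bottom are constructed for the demonstration.

```python
import re

# Added example (not from the forum post): lint an .htaccess body for unclosed
# container sections, unescaped '.' in FilesMatch patterns, and 2.2-only
# Order/Deny/Allow lines (Apache 2.4 without mod_access_compat rejects them: 500).
OPEN_TAG = re.compile(r"^<(\w+)\b([^>]*)>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")

def lint_htaccess(text):
    findings, stack = [], []  # stack: open containers as (name, arg, line)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE_TAG.match(line):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            continue
        if m := OPEN_TAG.match(line):
            name, arg = m.group(1), m.group(2).strip().strip('"')
            stack.append((name, arg, lineno))
            # Unescaped '.' matches any char: "(.htaccess|" also matches "xhtaccess".
            if name.lower() == "filesmatch" and re.search(r"(?<!\\)\.[A-Za-z]", arg):
                findings.append((lineno, "unescaped '.' in FilesMatch pattern"))
            continue
        if line.split()[0].lower() in {"order", "deny", "allow"}:
            guarded = any(n.lower() == "ifmodule" and ("mod_access_compat" in a.lower()
                          or "!mod_authz_core" in a.lower()) for n, a, _ in stack)
            if not guarded:
                findings.append((lineno, f"'{line.split()[0]}' is 2.2 syntax: use Require"
                                 " or guard it with <IfModule mod_access_compat.c>"))
    for name, _, opened in stack:  # still open at end of file: never closed
        findings.append((opened, f"<{name}> opened here is never closed"))
    return findings

# Constructed samples: POSTED has the three defects (unclosed FilesMatch,
# unescaped '.', 2.2-only directives); HARDENED is the corrected counterpart.
POSTED_TEMPLATE = r"""<FilesMatch "(.htaccess|\.xml|\.txt|\.md|\.json)">
  Order deny,allow
  Deny from all
"""
HARDENED_TEMPLATE = r"""<FilesMatch "^\.ht(access|passwd)$|\.(xml|txt|md|json)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
"""
```

Running `lint_htaccess(POSTED_TEMPLATE)` reports all three problems with their line numbers, while the hardened template comes back clean.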