Add secure public directory structure with .htaccess

- Created public/ directory for web-accessible files - Moved content and assets to public/ subdirectories - Added .htaccess files for security and routing - Updated config.php to use public/content path - Blocked direct access to PHP files and sensitive directories - Added URL routing to index.php - Enhanced security headers and PHP settings
2025-11-19 14:00:03 +01:00
parent bd0f6ecbfc
commit 2e5672ee60
12 changed files with 381 additions and 6 deletions
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -0,0 +1,76 @@
+# Security - Block access to sensitive files and directories
+<Files ~ "^\.">
+    Order allow,deny
+    Deny from all
+</Files>
+
+<FilesMatch "\.(php|ini|log|conf|config)$">
+    Order allow,deny
+    Deny from all
+</FilesMatch>
+
+# Block access to core directories
+<IfModule mod_authz_core.c>
+    <RequireAll>
+        Require all granted
+        <RequireNone>
+            Require all denied
+        </RequireNone>
+    </RequireAll>
+</IfModule>
+
+# Directory protection
+<Directory ~ "^\.|/(config|templates|vendor|cache)/">
+    Order allow,deny
+    Deny from all
+</Directory>
+
+# URL Routing - Route all requests to index.php
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    
+    # Set base directory
+    RewriteBase /
+    
+    # Block direct access to PHP files in content directory
+    RewriteRule ^content/.*\.php$ - [F,L]
+    
+    # Route all non-file/non-directory requests to index.php
+    RewriteCond %{REQUEST_FILENAME} !-f
+    RewriteCond %{REQUEST_FILENAME} !-d
+    RewriteRule ^(.*)$ index.php [QSA,L]
+    
+    # Allow access to assets
+    RewriteCond %{REQUEST_FILENAME} -f
+    RewriteRule ^assets/.*$ - [L]
+    
+    # Allow access to content files (except PHP)
+    RewriteCond %{REQUEST_FILENAME} -f
+    RewriteCond %{REQUEST_FILENAME} !\.php$
+    RewriteRule ^content/.*$ - [L]
+</IfModule>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header always set X-Content-Type-Options nosniff
+    Header always set X-Frame-Options DENY
+    Header always set X-XSS-Protection "1; mode=block"
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>
+
+# PHP settings
+<IfModule mod_php.c>
+    php_flag display_errors Off
+    php_flag log_errors On
+    php_value error_log /var/log/php_errors.log
+    php_value max_execution_time 30
+    php_value memory_limit 128M
+    php_value upload_max_filesize 10M
+    php_value post_max_size 10M
+</IfModule>
+
+# Default index file
+DirectoryIndex index.php
+
+# Error handling
+ErrorDocument 404 /index.php