# ----------------------------- # 1) Prevent directory listings # ----------------------------- Options -Indexes # ----------------------------- # Default index files # ----------------------------- DirectoryIndex index.html # ----------------------------- # Deny access to hidden files # ----------------------------- Require all denied Require valid-user # ----------------------------- # Enforce HTTPS (optional) # ----------------------------- RewriteEngine On #RewriteCond %{HTTPS} off #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] # Allow requests from a specific origin #Header set Access-Control-Allow-Origin "https://demo.filerise.net" Header set Access-Control-Allow-Methods "GET, POST, OPTIONS" Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, X-CSRF-Token" Header set Access-Control-Allow-Credentials "true" # Prevent clickjacking Header always set X-Frame-Options "SAMEORIGIN" # Block XSS Header always set X-XSS-Protection "1; mode=block" # No MIME sniffing Header always set X-Content-Type-Options "nosniff" # HTML: always revalidate Header set Cache-Control "no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "0" # JS/CSS: short‑term cache, revalidate regularly Header set Cache-Control "public, max-age=3600, must-revalidate" # ----------------------------- # Additional Security Headers # ----------------------------- # Enforce HTTPS for a year with subdomains and preload option. Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # Set a Referrer Policy. Header always set Referrer-Policy "strict-origin-when-cross-origin" # Permissions Policy: disable features you don't need. Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()" # IE-specific header to prevent downloads from opening in IE. Header always set X-Download-Options "noopen" # Expect-CT header for Certificate Transparency (optional). Header always set Expect-CT "max-age=86400, enforce" # ----------------------------- # Disable TRACE method # ----------------------------- RewriteCond %{REQUEST_METHOD} ^TRACE RewriteRule .* - [F]