Add security hardening for shared hosting environments

Improve session cookie security with HttpOnly and SameSite attributes Add security headers via .htaccess Block direct access to sensitive files Restrict allowed HTTP methods Document cPanel-specific security configuration Add container hardening for ServerTokens and ServerSignature
2026-02-10 23:02:57 +01:00 · 2026-02-10 23:02:57 +01:00 · 3b04a3d78c
commit 3b04a3d78c
parent f2dc4ec647
6 changed files with 121 additions and 2 deletions
--- a/content/.htaccess
+++ b/content/.htaccess
@ -1,9 +1,31 @@
 DirectorySlash Off

+# Block direct access to content source files
+<FilesMatch "\.(ini|md|html|php)$">
+    # Allow only the entry point
+    <If "%{REQUEST_URI} != '/index.php'">
+        Require all denied
+    </If>
+</FilesMatch>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
+    Header unset X-Powered-By
+    Header always unset X-Powered-By
+</IfModule>
+
+# Restrict HTTP methods to GET, POST, HEAD
 <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

+    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ [NC]
+    RewriteRule .* - [F,L]
+
    # Route /app requests to index.php
    RewriteCond %{REQUEST_URI} ^/app/
    RewriteRule ^(.*)$ /index.php [L,QSA]
--- a/content/.htaccess.base
+++ b/content/.htaccess.base
@ -1,9 +1,31 @@
 DirectorySlash Off

+# Block direct access to content source files
+<FilesMatch "\.(ini|md|html|php)$">
+    # Allow only the entry point
+    <If "%{REQUEST_URI} != '/index.php'">
+        Require all denied
+    </If>
+</FilesMatch>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
+    Header unset X-Powered-By
+    Header always unset X-Powered-By
+</IfModule>
+
+# Restrict HTTP methods to GET, POST, HEAD
 <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

+    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ [NC]
+    RewriteRule .* - [F,L]
+
    # Route /app requests to index.php
    RewriteCond %{REQUEST_URI} ^/app/
    RewriteRule ^(.*)$ /index.php [L,QSA]
--- a/content/index.php
+++ b/content/index.php
@ -5,5 +5,12 @@ if (str_starts_with($_SERVER['REQUEST_URI'], '/app/')) {
    exit;
 }

+// Harden session cookie before any session starts
+ini_set('session.cookie_httponly', '1');
+ini_set('session.cookie_samesite', 'Lax');
+if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+    ini_set('session.cookie_secure', '1');
+}
+
 // All other requests go to router
 require __DIR__ . '/../app/router.php';