Updated content

2026-02-24 20:26:00 +01:00 · 2026-02-24 20:26:00 +01:00 · f0564e87ee
commit f0564e87ee
parent 49a34d9d0a 3b04a3d78c
6 changed files with 121 additions and 2 deletions
--- a/content/.htaccess
+++ b/content/.htaccess
@ -1,9 +1,31 @@
 DirectorySlash Off

+# Block direct access to content source files
+<FilesMatch "\.(ini|md|html|php)$">
+    # Allow only the entry point
+    <If "%{REQUEST_URI} != '/index.php'">
+        Require all denied
+    </If>
+</FilesMatch>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
+    Header unset X-Powered-By
+    Header always unset X-Powered-By
+</IfModule>
+
+# Restrict HTTP methods to GET, POST, HEAD
 <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

+    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ [NC]
+    RewriteRule .* - [F,L]
+
    # Route /app requests to index.php
    RewriteCond %{REQUEST_URI} ^/app/
    RewriteRule ^(.*)$ /index.php [L,QSA]
--- a/content/.htaccess.base
+++ b/content/.htaccess.base
@ -1,9 +1,31 @@
 DirectorySlash Off

+# Block direct access to content source files
+<FilesMatch "\.(ini|md|html|php)$">
+    # Allow only the entry point
+    <If "%{REQUEST_URI} != '/index.php'">
+        Require all denied
+    </If>
+</FilesMatch>
+
+# Security headers
+<IfModule mod_headers.c>
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set Referrer-Policy "strict-origin-when-cross-origin"
+    Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
+    Header unset X-Powered-By
+    Header always unset X-Powered-By
+</IfModule>
+
+# Restrict HTTP methods to GET, POST, HEAD
 <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

+    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$ [NC]
+    RewriteRule .* - [F,L]
+
    # Route /app requests to index.php
    RewriteCond %{REQUEST_URI} ^/app/
    RewriteRule ^(.*)$ /index.php [L,QSA]
--- a/content/index.php
+++ b/content/index.php
@ -5,5 +5,12 @@ if (str_starts_with($_SERVER['REQUEST_URI'], '/app/')) {
    exit;
 }

+// Harden session cookie before any session starts
+ini_set('session.cookie_httponly', '1');
+ini_set('session.cookie_samesite', 'Lax');
+if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
+    ini_set('session.cookie_secure', '1');
+}
+
 // All other requests go to router
 require __DIR__ . '/../app/router.php';