From: VirtualTam Date: Sat, 20 Jan 2018 15:20:53 +0000 (+0100) Subject: htaccess: prevent accessing resources not managed by SCM X-Git-Tag: v0.9.6~2 X-Git-Url: https://git.immae.eu/?p=github%2Fshaarli%2FShaarli.git;a=commitdiff_plain;h=4c2f51256f2c914a10c0c7aa59311c5862d2a480 htaccess: prevent accessing resources not managed by SCM See: - https://en.internetwache.org/dont-publicly-expose-git-or-how-we-downloaded-your-websites-sourcecode-an-analysis-of-alexas-1m-28-07-2015/ - https://stackoverflow.com/questions/2530372/how-do-i-disable-directory-browsing - https://httpd.apache.org/docs/current/mod/mod_rewrite.html Signed-off-by: VirtualTam --- diff --git a/.htaccess b/.htaccess index 66ef8f69..19dd72a8 100644 --- a/.htaccess +++ b/.htaccess @@ -1,4 +1,12 @@ +# Disable directory listing +Options -Indexes + RewriteEngine On + +# Prevent accessing subdirectories not managed by SCM +RewriteRule ^(.git|doxygen|vendor) - [F] + +# REST API RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^ index.php [QSA,L]
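Review bot: The pattern in `RewriteRule ^(.git|doxygen|vendor) - [F]` is looser than the comment above it describes. The `.` before `git` is unescaped, so it matches any single character, and with no trailing boundary the rule returns 403 for every path that merely begins with one of these strings, not only for the three subdirectories. If the intent is to block the directories themselves, consider `RewriteRule ^(\.git|doxygen|vendor)(/|$) - [F]`. If the prefix match is deliberate (for example, to also cover files such as `.gitignore`), say so in the `# Prevent accessing subdirectories not managed by SCM` comment so the broader scope is not later mistaken for a bug.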