
Textpattern CMS support forum


#1 2025-09-25 06:44:01

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Revisiting the htaccess

The recent attacks on our site forced me to look at the .htaccess file, which I have been maintaining, admittedly badly, for the past 20 years.

Since our host upgraded to Apache 2.4 some of the directives were outdated. So, I’ve spent a couple of days not only updating it to the new Apache rules but also optimising the file, which resulted in my trimming it from 340 to 195 lines, or even fewer once the commented-out directives are eventually deleted! Part of those edits included deleting the bad-referrer IPs I used to have blocked, as well as consolidating many multi-line directives into one line.

In any case, the file can be found on GitHub.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#2 2025-09-25 16:04:16

skewray
Member
From: Sunny Southern California
Registered: 2013-04-25
Posts: 266
Website Mastodon

Re: Revisiting the htaccess

Don’t forget to run your bag of .htaccess typos through https://htaccesscheck.com before tossing it at your site.


#3 2025-09-26 04:34:42

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

skewray wrote #340655:

Don’t forget to run your bag of .htaccess typos through https://htaccesscheck.com before tossing it at your site.

Thanks! All checks fine.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#4 2025-09-26 10:08:46

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

Thanks for sharing. Some good tidbits there.

Do you really need all that 'unsafe-eval' in your CSP block? That sounds potentially dangerous.

Also note, Header set X-XSS-Protection "1; mode=block" is deprecated and not recommended anymore (see MDN). Browsers have built-in filters, and CSP directives can be used for further protection. But it might still be useful for really(?) old browsers. There are lots of articles about using CSP for XSS protection.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg


#5 2025-09-26 14:49:16

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

phiw13 wrote #340660:

Thanks for sharing. Some good tidbits there.

Do you really need all that 'unsafe-eval' in your CSP block? That sounds potentially dangerous.

The only other way is to use unique nonce keys, which I’m not sure how to go about. I read the literature on the net but admittedly I have a block regarding my understanding of this.

Also note, Header set X-XSS-Protection "1; mode=block" is deprecated and not recommended anymore (see MDN). Browsers have built-in filters, and CSP directives can be used for further protection. But it might still be useful for really(?) old browsers. There are lots of articles about using CSP for XSS protection.

Indeed. Updated.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#6 2025-09-27 09:22:32

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

colak wrote #340666:

The only other way is to use unique nonce keys, which I’m not sure how to go about. I read the literature on the net but admittedly I have a block regarding my understanding of this.

You could drop the ‘unsafe-eval’, only use ‘unsafe-inline’ (for script-src / script-src-elem and style-src / style-src-elem). No other directive needs it.

Here is a basic CSP policy for a little static site (I don’t use YT / Vimeo / Bandcamp / … so I have no need to cover them):

Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; frame-src 'none'; img-src data: 'self'; manifest-src 'self'; media-src data: 'self'; object-src 'none'; script-src 'self'; script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; style-src-elem 'self' 'unsafe-inline'; style-src-attr 'none';"

Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

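To see what phiw13’s policy above actually enforces, here is an added example (not from the thread and not part of Textpattern): a small Python audit that parses a Content-Security-Policy string and resolves the CSP3 fallback chain for each kind of load (script-src-attr falls back to script-src, then default-src, and so on), then lists every 'unsafe-*' keyword. The policy string labelled PHIW13_POLICY is the one posted in this thread; LOOSE_POLICY is a constructed stand-in for a header that still carries 'unsafe-eval', since colak’s real header is not shown here.

```python
"""Audit a Content-Security-Policy header string: which 'unsafe-*' keywords
it carries, and which directive actually governs each kind of load once the
CSP3 fallback chains are applied. Standard library only, runs offline."""

# Fallback order per directive (CSP Level 3): the first one present wins and
# default-src is the last resort. eval() is governed by script-src itself,
# not by script-src-elem / script-src-attr.
FALLBACKS = {
    "script-src": ["script-src", "default-src"],
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "style-src": ["style-src", "default-src"],
    "style-src-elem": ["style-src-elem", "style-src", "default-src"],
    "style-src-attr": ["style-src-attr", "style-src", "default-src"],
    "worker-src": ["worker-src", "child-src", "script-src", "default-src"],
    "frame-src": ["frame-src", "child-src", "default-src"],
}
# Plain fetch directives that fall straight back to default-src.
FETCH_WITH_DEFAULT = ("connect-src", "font-src", "img-src", "manifest-src",
                      "media-src", "object-src", "child-src")
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'")


def parse_csp(header: str) -> dict:
    """'a b c; d e;' -> {'a': ['b', 'c'], 'd': ['e']}. Names are lower-cased;
    if a directive is repeated the browser keeps the first one, so do we."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """(governing directive, its source list) for `directive`, or (None, None)
    when nothing in its fallback chain is set, i.e. the load is unrestricted."""
    chain = FALLBACKS.get(directive)
    if chain is None:
        chain = [directive, "default-src"] if directive in FETCH_WITH_DEFAULT else [directive]
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, None


def allows_eval(policy: dict) -> bool:
    """eval(), new Function() and string timers run only if the directive
    governing script-src contains 'unsafe-eval' (or nothing governs it)."""
    _, sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in [s.lower() for s in sources]


def allows_inline_handlers(policy: dict) -> bool:
    """onclick="..." attributes are governed by script-src-attr."""
    _, sources = effective_sources(policy, "script-src-attr")
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]


def unsafe_findings(policy: dict) -> list:
    """Every (directive, keyword) pair carrying an 'unsafe-*' keyword, in policy
    order. 'unsafe-inline' is marked as ignored when the same directive also has
    a nonce or hash source, which is how CSP2+ browsers treat it."""
    findings = []
    for name, sources in policy.items():
        lowered = [s.lower() for s in sources]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered)
        for src in lowered:
            if src in UNSAFE:
                note = " (ignored: nonce/hash present)" if src == "'unsafe-inline'" and nonce_or_hash else ""
                findings.append((name, src + note))
    return findings


# Policy posted by phiw13 in this thread.
PHIW13_POLICY = ("default-src 'self'; base-uri 'none'; font-src 'self'; form-action 'self'; "
                 "frame-ancestors 'none'; frame-src 'none'; img-src data: 'self'; manifest-src 'self'; "
                 "media-src data: 'self'; object-src 'none'; script-src 'self'; "
                 "script-src-elem 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
                 "style-src-elem 'self' 'unsafe-inline'; style-src-attr 'none';")

# Constructed stand-in for a header that still allows eval(); not colak's real policy.
LOOSE_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"


def report(header: str) -> list:
    """Human-readable summary lines for one policy (what main() prints)."""
    p = parse_csp(header)
    lines = [f"eval() allowed: {allows_eval(p)}",
             f"inline event handlers allowed: {allows_inline_handlers(p)}"]
    for d in ("script-src-elem", "script-src-attr", "style-src-elem", "style-src-attr", "connect-src", "frame-src"):
        gov, srcs = effective_sources(p, d)
        lines.append(f"{d:17} <- {gov or '(unrestricted)'}: {' '.join(srcs or [])}")
    lines += [f"unsafe: {d} {kw}" for d, kw in unsafe_findings(p)]
    return lines


if __name__ == "__main__":
    for label, header in (("loose (constructed)", LOOSE_POLICY), ("phiw13", PHIW13_POLICY)):
        print(f"== {label} ==")
        print("\n".join(report(header)))
```

Run against PHIW13_POLICY the report shows why the policy is tighter than its three 'unsafe-inline' keywords suggest: eval() is blocked because script-src has no 'unsafe-eval'; inline event handlers are blocked because script-src-attr falls back to script-src, which is just 'self'; only inline <script> elements get through via script-src-elem; and style-src-attr is set to 'none', which is exactly why the Bandcamp inline style attribute mentioned later in the thread has to be removed.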

#7 2025-09-27 13:41:21

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

phiw13 wrote #340688:

You could drop the ‘unsafe-eval’, …

Wouldn’t this also block <txp:evaluate />?


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#8 2025-09-27 13:57:31

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

colak wrote #340697:

Wouldn’t this also block <txp:evaluate />?

It doesn’t. I used a CSP policy similar to that sample above for a Textpattern site without any problem.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg


#9 2025-09-27 14:22:32

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

phiw13 wrote #340698:

It doesn’t. I used a CSP policy similar to that sample above for a Textpattern site without any problem.

Thanks!! I took it out and will start testing.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#10 2025-09-27 15:53:05

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 5,035
Website GitHub

Re: Revisiting the htaccess

colak wrote #340666:

The only other way is to use unique nonce keys which I’m not sure to go about those. I read the literature on the net but admittedly I have a block regarding my understanding about this.

If you’re referring to a unique nonce per page access (as opposed to each linked or embedded snippet), then Stef’s smd_token goes a long way to making this easier. See also this GitHub issue. For your own site, you can probably get away with this as you now have CSP directives set up. For a theme, one would need to first determine whether CSP headers are set and only then output the nonce.


TXP Builders – finely-crafted code, design and txp


#11 2025-09-28 02:49:01

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,300
Website GitHub Mastodon Twitter

Re: Revisiting the htaccess

jakob wrote #340706:

If you’re referring to a unique nonce per page access (as opposed to each linked or embedded snippet), then Stef’s smd_token goes a long way to making this easier. See also this GitHub issue. For your own site, you can probably get away with this as you now have CSP directives set up. For a theme, one would need to first determine whether CSP headers are set and only then output the nonce.

Thanks so much Julian, but I’ll also need to get API keys and nonces from YouTube, Vimeo and others in order to remove all ‘unsafe’ directives. I’m procrastinating because of this.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#12 2025-09-28 03:12:02

phiw13
Plugin Author
From: South-Western Japan
Registered: 2004-02-27
Posts: 3,481
Website

Re: Revisiting the htaccess

colak wrote #340723:

Thanks so much Julian, but I’ll also need to get API keys and nonces from YouTube, Vimeo and others in order to remove all ‘unsafe’ directives. I’m procrastinating because of this.

I don’t think so: My age-old test site uses the plugin mentioned by Julian to generate a nonce and set a strict CSP policy. Here is a test page [1] with a Bandcamp audio and a YT (nocookie) video: emps.l-c-n.com/tests/inserting-an-embeded-video-or-audio-iframe. View the page source to see the presence of the nonce on each resource: script, stylesheet.

My CSP header is included (inserted first thing on each page template).

For Bandcamp you have to remove the inline style they add to their code and style the iframe yourself (it is only border, width and height).

[1] The page will disappear in a week or so…

Last edited by phiw13 (2025-09-28 03:18:45)


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
phiw13 on Codeberg

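The per-page nonce that jakob and phiw13 describe above (one fresh value per response, placed in the header and on every inline script and stylesheet) is shown below as an added Python example. It is not from the thread, not smd_token and not a Textpattern template: the HTML skeleton, the embed host names in the frame-src list and the /js and /css paths are constructed placeholders. The audit function is the check you would run on a captured response, and it also exposes the classic failure mode, a cached page whose nonce no longer matches the header.

```python
"""Per-response CSP nonces: generate one, put it in the header, stamp it on
every inline <script>/<style>, then verify that header and markup agree.
Standard library only. The page and the host names are constructed
placeholders, not a Textpattern template."""
import base64
import re
import secrets


def new_nonce(nbytes: int = 16) -> str:
    """128 bits from the OS CSPRNG, base64-encoded as the CSP spec recommends.
    Generate a fresh one for every response: a nonce that repeats (e.g. baked
    into a cached page) is just 'unsafe-inline' with extra steps."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


# Assumed embed origins for the kind of iframes discussed in the thread.
FRAME_HOSTS = ("https://www.youtube-nocookie.com", "https://bandcamp.com")


def csp_header(nonce: str, frame_hosts=FRAME_HOSTS) -> str:
    """Strict policy: inline script and style run only when they carry the nonce.
    'strict-dynamic' lets a nonced script load further scripts (what embed
    widgets do) without listing every CDN host, but it also means the browser
    ignores 'self' for <script src>, so those tags need the nonce too."""
    return (f"default-src 'self'; base-uri 'none'; object-src 'none'; frame-ancestors 'none'; "
            f"script-src 'self' 'nonce-{nonce}' 'strict-dynamic'; "
            f"style-src 'self' 'nonce-{nonce}'; "
            f"frame-src {' '.join(frame_hosts)}")


# Constructed page skeleton; {nonce} is filled in per response.
PAGE_TEMPLATE = """<!doctype html>
<html><head>
<style nonce="{nonce}">body {{ font-family: sans-serif }}</style>
<link rel="stylesheet" href="/css/site.css">
</head><body>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID" width="560" height="315"></iframe>
<script nonce="{nonce}">document.body.dataset.ready = "1";</script>
<script src="/js/site.js" nonce="{nonce}"></script>
</body></html>
"""


def render(template: str = PAGE_TEMPLATE):
    """One response: (headers, body) sharing a single fresh nonce. Cache-Control
    is set because a cached copy would serve a stale nonce."""
    nonce = new_nonce()
    headers = {"Content-Security-Policy": csp_header(nonce), "Cache-Control": "no-store"}
    return headers, template.format(nonce=nonce)


NONCE_IN_HEADER = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")
TAG = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']*)["']""")


def audit(headers: dict, html: str) -> list:
    """Problems a browser would enforce: no nonce in the header, tags without a
    nonce, or tag nonces that do not match the header. Empty list means OK."""
    header = headers.get("Content-Security-Policy", "")
    nonces = set(NONCE_IN_HEADER.findall(header))
    problems = []
    if not nonces:
        problems.append("header carries no nonce")
    elif len(nonces) > 1:
        problems.append(f"header mixes {len(nonces)} different nonces")
    for m in TAG.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        attr = NONCE_ATTR.search(attrs)
        if attr is None:
            problems.append(f"<{tag}> without nonce: {m.group(0)}")
        elif attr.group(1) not in nonces:
            problems.append(f"<{tag}> nonce does not match header: {attr.group(1)}")
    return problems


if __name__ == "__main__":
    headers, body = render()
    print(headers["Content-Security-Policy"])
    print("fresh response problems:", audit(headers, body))
    stale_headers, _ = render()
    print("cached body under new header:", audit(stale_headers, body))
```

The second audit call in main() is the case to remember when adding nonces to a CMS behind a page cache or a CDN: the body was rendered with one nonce and the header with another, so every inline script and style on that page is blocked, which looks like a broken site rather than a security failure.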
