Aleksander Machniak
|
f0f6234a1a
|
Use merge instead of append (#7341)
|
5 years ago |
Aleksander Machniak
|
186f21c4c1
|
Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
Added 'common_headers' hook
|
6 years ago |
Rotzbua
|
d8e1d11b8f
|
Fix tiny typo (#6407)
|
6 years ago |
Aleksander Machniak
|
c0b9025215
|
Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
Moved to https://github.com/roundcube/roundcubemail/wiki/Installation#php-configuration
|
7 years ago |
Aleksander Machniak
|
adf9ec4962
|
Simplify some rewrite rules
|
7 years ago |
Rotzbua
|
8bd55ea549
|
[security] deny access to composer.lock (#6117)
|
7 years ago |
Aleksander Machniak
|
528e82f6c5
|
There's no Dockerfile file anymore
|
7 years ago |
James White
|
b9687ca345
|
Fix typos on optional security header comment (#6036)
|
7 years ago |
Aleksander Machniak
|
b9b14e4532
|
Use .log suffix also in .htaccess/.user.ini
|
7 years ago |
Aleksander Machniak
|
364e887b32
|
Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630)
|
8 years ago |
Aleksander Machniak
|
20da7f1539
|
Copy jsdeps.json file on update (#5598)
|
8 years ago |
Aleksander Machniak
|
cce4994b97
|
Control search engine crawlers via X-Robots-Tag header instead of <meta> and robots.txt (#5098)
This gives one central place to control these settings and really
makes the page will not be listed in Google search results.
|
8 years ago |
Aleksander Machniak
|
30668879b0
|
Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370)
|
8 years ago |
Aleksander Machniak
|
c3fc072d97
|
Remove code related to magic_quotes_* and register_globals
...they do not exist in PHP 5.4 which we now require.
|
8 years ago |
Aleksander Machniak
|
e71de17602
|
Add note about need for module name change in IfModule when using PHP7 (#5249)
|
9 years ago |
Aleksander Machniak
|
614f4413ae
|
Remove useless directives
|
9 years ago |
Aleksander Machniak
|
bf19fe2d1a
|
Move commented mod_headers settings to the end of the file
|
9 years ago |
Rotzbua
|
7b4f71777e
|
add optional security header to .htaccess
actually most widely used optional header
all options only commented, they should be adusted to your intallation /
user environment
|
9 years ago |
Aleksander Machniak
|
1c2aad89ab
|
Fix .htaccess rewrite rules to not block .well-known URIs (#1490615)
|
9 years ago |
Aleksander Machniak
|
26086981a2
|
Improve randomness of security tokens (#1490529)
|
9 years ago |
Aleksander Machniak
|
348c53b136
|
Add example of setting CSP's no-referer policy
|
9 years ago |
Aleksander Machniak
|
e2bceaefe6
|
Support more secure hashing algorithms for auth cookie - configurable by PHP's session.hash_function (#1490403)
|
9 years ago |
Aleksander Machniak
|
0b9b9f63b5
|
Enable FollowSymLinks option in .htaccess file which is required by rewrite rules (#1490255)
|
10 years ago |
Raoul Bhatia
|
fd0583a846
|
Explicitly deny access to newly created "Dockerfile"
|
10 years ago |
Aleksander Machniak
|
681ba6fc3c
|
Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
|
10 years ago |
Aleksander Machniak
|
6b7e06620d
|
Remove zend.ze1_compatibility_mode checks, it does not exist in PHP >= 5.3
|
10 years ago |
Aleksander Machniak
|
93e12fa414
|
Support upload progress with session.upload_progress and PECL uploadprogress module (#1488702)
|
11 years ago |
Aleksander Machniak
|
4c7a980aaa
|
Convert tabs to spaces
|
11 years ago |
Aleksander Machniak
|
0314bff278
|
Set register_globals=off in .htaccess file and add note to INSTALL
|
11 years ago |
Aleksander Machniak
|
2dade15d83
|
Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477)
|
11 years ago |
Aleksander Machniak
|
88934b6132
|
Keep all security rules in one place, support Apache 2.4 syntax
|
11 years ago |
Raoul Bhatia
|
cb3ea1443e
|
Deny access to all files not containing a . (dot) to block access to different README, ChangeLog, etc. files of various skins and plugins.
Do not check case for default README/INSTALL/LICENE files.
|
11 years ago |
Aleksander Machniak
|
1c51d16eb3
|
- Fix rewrite rule in .htaccess (#1489240)
|
11 years ago |
Dennis1993
|
0009bd8e6c
|
Update .htaccess
Delete a bugfix for PHP4, because the current version requires at least PHP 5.2.1. The case thus never occurs.
|
12 years ago |
Thomas Bruederli
|
3568c7c04b
|
Fix rewrite rule to actually prevent access to bin/ and SQL/ directories
|
12 years ago |
Raoul Bhatia
|
5422e6d5ae
|
prevent access to UPGRADING via .htaccess
|
12 years ago |
Thomas Bruederli
|
aff970b5d3
|
Replace some forgotten references to skins/default (#1488591)
|
12 years ago |
Raoul Bhatia
|
b332e799b4
|
improve .htaccess security rules:
1. also prevent access to .gitignore
2. make the second security rule work as expected
3. include README.md in security rules
|
13 years ago |
Antoine Catton
|
a93f39a8f2
|
Replace directory .svn/ by .git/ in security rules
|
13 years ago |
alecpl
|
57d15d5023
|
- Escape dot in regexp (#1488357)
|
13 years ago |
alecpl
|
5e8c7729fb
|
- Add ifModule statement for setting Options -Indexes in .htaccess file (#1488274)
|
13 years ago |
alecpl
|
4b1d5d6e38
|
Improve .htaccess rules to make it less easy to fingerprint roundcube version
by denying access to files and stoping directory indexes (#1484066)
|
14 years ago |
thomascube
|
29640bcfa9
|
Add (inactive) session.cookie_path line to .htaccess as suggested in #1486456
|
15 years ago |
alecpl
|
6d479a622b
|
- remove set_magic_quotes_runtime() call, use set_time_limit() with @ (#1486149)
|
15 years ago |
till
|
832890135c
|
* using php_flag to turn it off (instead of php_value)
|
15 years ago |
thomascube
|
4b20e28718
|
Don't set php_value error_log in .htaccess by default
|
15 years ago |
thomascube
|
49c71c7981
|
Remove access control from .htaccess
|
16 years ago |
thomascube
|
2f14293716
|
Use filemtime for cache busting + better etag for static files
|
16 years ago |
alecpl
|
80a36b53ad
|
- disable zlib.output_compression in default config
|
16 years ago |
alecpl
|
d51c93b43e
|
- get rid of some hardcoded action names and move decission about output compression to the user
|
16 years ago |