Commit Graph

77 Commits (master)

Author SHA1 Message Date
Aleksander Machniak f0f6234a1a Use merge instead of append (#7341) 5 years ago
Aleksander Machniak 186f21c4c1 Avoid Referer leaking by using Referrer-Policy:same-origin header (#6385)
Added 'common_headers' hook
6 years ago
Rotzbua d8e1d11b8f Fix tiny typo (#6407) 6 years ago
Aleksander Machniak c0b9025215 Remove sample PHP configuration from .htaccess and .user.ini files (#5850)
Moved to https://github.com/roundcube/roundcubemail/wiki/Installation#php-configuration
7 years ago
Aleksander Machniak adf9ec4962 Simplify some rewrite rules 7 years ago
Rotzbua 8bd55ea549 [security] deny access to composer.lock (#6117) 7 years ago
Aleksander Machniak 528e82f6c5 There's no Dockerfile file anymore 7 years ago
James White b9687ca345 Fix typos on optional security header comment (#6036) 7 years ago
Aleksander Machniak b9b14e4532 Use .log suffix also in .htaccess/.user.ini 7 years ago
Aleksander Machniak 364e887b32 Add rewrite rule to disable access to /vendor/bin folder in .htaccess (#5630) 8 years ago
Aleksander Machniak 20da7f1539 Copy jsdeps.json file on update (#5598) 8 years ago
Aleksander Machniak cce4994b97 Control search engine crawlers via X-Robots-Tag header instead of <meta> and robots.txt (#5098)
This gives one central place to control these settings and really
makes the page will not be listed in Google search results.
8 years ago
Aleksander Machniak 30668879b0 Use SymLinksIfOwnerMatch in .htaccess instead of FollowSymLinks disabled on some hosts for security reasons (#5370) 8 years ago
Aleksander Machniak c3fc072d97 Remove code related to magic_quotes_* and register_globals
...they do not exist in PHP 5.4 which we now require.
8 years ago
Aleksander Machniak e71de17602 Add note about need for module name change in IfModule when using PHP7 (#5249) 9 years ago
Aleksander Machniak 614f4413ae Remove useless directives 9 years ago
Aleksander Machniak bf19fe2d1a Move commented mod_headers settings to the end of the file 9 years ago
Rotzbua 7b4f71777e add optional security header to .htaccess
actually most widely used optional header
all options only commented, they should be adusted to your intallation /
user environment
9 years ago
Aleksander Machniak 1c2aad89ab Fix .htaccess rewrite rules to not block .well-known URIs (#1490615) 9 years ago
Aleksander Machniak 26086981a2 Improve randomness of security tokens (#1490529) 9 years ago
Aleksander Machniak 348c53b136 Add example of setting CSP's no-referer policy 9 years ago
Aleksander Machniak e2bceaefe6 Support more secure hashing algorithms for auth cookie - configurable by PHP's session.hash_function (#1490403) 9 years ago
Aleksander Machniak 0b9b9f63b5 Enable FollowSymLinks option in .htaccess file which is required by rewrite rules (#1490255) 10 years ago
Raoul Bhatia fd0583a846 Explicitly deny access to newly created "Dockerfile" 10 years ago
Aleksander Machniak 681ba6fc3c Improve system security by using optional special URL with security token
Allows to define separate server/path for image/js/css files
Fix bugs where CSRF attacks were still possible on some requests
10 years ago
Aleksander Machniak 6b7e06620d Remove zend.ze1_compatibility_mode checks, it does not exist in PHP >= 5.3 10 years ago
Aleksander Machniak 93e12fa414 Support upload progress with session.upload_progress and PECL uploadprogress module (#1488702) 11 years ago
Aleksander Machniak 4c7a980aaa Convert tabs to spaces 11 years ago
Aleksander Machniak 0314bff278 Set register_globals=off in .htaccess file and add note to INSTALL 11 years ago
Aleksander Machniak 2dade15d83 Fix security rules in .htaccess preventing access to base URL without the ending slash (#1489477) 11 years ago
Aleksander Machniak 88934b6132 Keep all security rules in one place, support Apache 2.4 syntax 11 years ago
Raoul Bhatia cb3ea1443e Deny access to all files not containing a . (dot) to block access to different README, ChangeLog, etc. files of various skins and plugins.
Do not check case for default README/INSTALL/LICENE files.
11 years ago
Aleksander Machniak 1c51d16eb3 - Fix rewrite rule in .htaccess (#1489240) 11 years ago
Dennis1993 0009bd8e6c Update .htaccess
Delete a bugfix for PHP4, because the current version requires at least PHP 5.2.1. The case thus never occurs.
12 years ago
Thomas Bruederli 3568c7c04b Fix rewrite rule to actually prevent access to bin/ and SQL/ directories 12 years ago
Raoul Bhatia 5422e6d5ae prevent access to UPGRADING via .htaccess 12 years ago
Thomas Bruederli aff970b5d3 Replace some forgotten references to skins/default (#1488591) 12 years ago
Raoul Bhatia b332e799b4 improve .htaccess security rules:
1. also prevent access to .gitignore
2. make the second security rule work as expected
3. include README.md in security rules
13 years ago
Antoine Catton a93f39a8f2 Replace directory .svn/ by .git/ in security rules 13 years ago
alecpl 57d15d5023 - Escape dot in regexp (#1488357) 13 years ago
alecpl 5e8c7729fb - Add ifModule statement for setting Options -Indexes in .htaccess file (#1488274) 13 years ago
alecpl 4b1d5d6e38 Improve .htaccess rules to make it less easy to fingerprint roundcube version
by denying access to files and stoping directory indexes (#1484066)
14 years ago
thomascube 29640bcfa9 Add (inactive) session.cookie_path line to .htaccess as suggested in #1486456 15 years ago
alecpl 6d479a622b - remove set_magic_quotes_runtime() call, use set_time_limit() with @ (#1486149) 15 years ago
till 832890135c * using php_flag to turn it off (instead of php_value) 15 years ago
thomascube 4b20e28718 Don't set php_value error_log in .htaccess by default 15 years ago
thomascube 49c71c7981 Remove access control from .htaccess 16 years ago
thomascube 2f14293716 Use filemtime for cache busting + better etag for static files 16 years ago
alecpl 80a36b53ad - disable zlib.output_compression in default config 16 years ago
alecpl d51c93b43e - get rid of some hardcoded action names and move decission about output compression to the user 16 years ago