PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-07 03:29:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
780105eec02505972a3b315e87d799395b6531a9
xamxam/nginx/docs/HTACCESS_TO_NGINX.md
Pontoporeia 507f3eb704 Consolidate nginx docs and scripts, update paths
2026-04-15 14:24:44 +02:00

2.3 KiB
Raw Blame History

.htaccess → nginx migration

Problem: public/admin/.htaccess contained Apache-specific security directives that nginx silently ignores. None of the rules were active in production.

Status: Migrated into nginx/posterg.conf

Rules migrated into nginx/posterg.conf

Apache .htaccess rule nginx equivalent Location
Header always set X-Frame-Options "SAMEORIGIN" add_header X-Frame-Options "SAMEORIGIN" always; main server block (already present)
Header always set X-Content-Type-Options "nosniff" add_header X-Content-Type-Options "nosniff" always; main server block (already present)
Header always set X-XSS-Protection "1; mode=block" Intentionally omitted — deprecated & counterproductive; see SECURITY_HEADERS.md
Header always set Referrer-Policy "strict-origin-when-cross-origin" add_header Referrer-Policy "strict-origin-when-cross-origin" always; main server block (already present)
Header always set Content-Security-Policy "..." add_header Content-Security-Policy "..." always; /admin/ location block (added)
Options -Indexes autoindex off; /admin/ location block (added; nginx default is off, explicit for clarity)
<FilesMatch "^\."> Require all denied location ~ /\.(?!well-known).* deny main server block (already present)
<FilesMatch "(composer\.(json|lock)|error\.log)$"> Require all denied location ~* \.(md|txt|sql|sh|json|gitignore)$ deny + location ~* \.log$ deny main server block (log rule added)
php_flag display_errors Off Handled by config/bootstrap.php (ini_set('display_errors', '0')) PHP
php_flag log_errors On Handled by config/bootstrap.php (ini_set('log_errors', '1')) PHP
php_value error_log error.log Handled by config/bootstrap.php; should use absolute path (item #9) PHP

Status of public/admin/.htaccess

The file is now dead code on this nginx server. It has been left in place (harmless) so it would still work if the project were ever tested behind Apache (e.g., php -S built-in server doesn't read it either). All security rules it previously attempted to set are now enforced by nginx directly.

Added: 2026-02-08 — security item #6

Reference in New Issue View Git Blame Copy Permalink