diff --git a/.gitignore b/.gitignore
index 61d970a274b8dc1a573bf8fd31083ab984197bff..1dc24183ad30092742a351bd094b4ae5573052be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -47,3 +47,4 @@ atlassian*
/var/*
!/var/.htaccess
/vendor
+!/vendor/.htaccess
diff --git a/.htaccess b/.htaccess
index bef5869dd2fdf6a38d9769fee0c8e7ab8d683a2d..13564585ac2274e074728c844aa119b8df9d61a6 100644
--- a/.htaccess
+++ b/.htaccess
@@ -171,13 +171,83 @@
</IfModule>
###########################################
-## Deny access to release notes to prevent disclosure of the installed Magento version
+## Deny access to root files to hide sensitive application information
+ RedirectMatch 404 /\.git
- <Files RELEASE_NOTES.txt>
- Order allow,deny
- Deny from all
+ <Files composer.json>
+ order allow,deny
+ deny from all
</Files>
-############################################
+ <Files composer.lock>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .gitignore>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .php_cs>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .travis.yml>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CHANGELOG.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTING.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTOR_LICENSE_AGREEMENT.html>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files COPYING.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files Gruntfile.js>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE_AFL.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files nginx.conf.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files package.json>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files php.ini.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files README.md>
+ order allow,deny
+ deny from all
+ </Files>
+
+################################
## If running in cluster environment, uncomment this
## http://developer.yahoo.com/performance/rules.html#etags
diff --git a/.htaccess.sample b/.htaccess.sample
index 133ce7de2c59badd5df4a159bb921e8a99f05eb7..891dad19d642b5f958c9c33c71476dd4d39247c8 100644
--- a/.htaccess.sample
+++ b/.htaccess.sample
@@ -36,7 +36,7 @@
############################################
## adjust memory limit
- php_value memory_limit 256M
+ php_value memory_limit 768M
php_value max_execution_time 18000
############################################
@@ -65,13 +65,6 @@
SecFilterScanPOST Off
</IfModule>
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-
- Header set X-Frame-Options SAMEORIGIN
-</IfModule>
-
<IfModule mod_deflate.c>
############################################
@@ -136,9 +129,11 @@
RewriteRule .* - [L,R=405]
############################################
-## always send 404 on missing files in these folders
+## redirect for mobile user agents
- RewriteCond %{REQUEST_URI} !^/pub/(media|js)/
+ #RewriteCond %{REQUEST_URI} !^/mobiledirectoryhere/.*$
+ #RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|googlebot-mobile" [NC]
+ #RewriteRule ^(.*)$ /mobiledirectoryhere/ [L,R=302]
############################################
## never rewrite for existing files, directories and links
@@ -175,16 +170,84 @@
</IfModule>
###########################################
-## Deny access to release notes to prevent disclosure of the installed Magento version
+## Deny access to root files to hide sensitive application information
+ RedirectMatch 404 /\.git
- <Files RELEASE_NOTES.txt>
- Order allow,deny
- Deny from all
+ <Files composer.json>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files composer.lock>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .gitignore>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .htaccess.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .php_cs>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files .travis.yml>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CHANGELOG.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTING.md>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files CONTRIBUTOR_LICENSE_AGREEMENT.html>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files COPYING.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files Gruntfile.js>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files LICENSE_AFL.txt>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files nginx.conf.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files package.json>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files php.ini.sample>
+ order allow,deny
+ deny from all
+ </Files>
+ <Files README.md>
+ order allow,deny
+ deny from all
</Files>
-############################################
+################################
## If running in cluster environment, uncomment this
## http://developer.yahoo.com/performance/rules.html#etags
#FileETag none
-
diff --git a/nginx.conf.sample b/nginx.conf.sample
index cab0b839ffe10f8c87a46dc97baccafa50f93a64..01b163498156956cb37f9ea99a5f5f9c9817981c 100644
--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -26,13 +26,32 @@ charset off;
location /setup {
root $MAGE_ROOT;
-
location ~ ^/setup/index.php {
fastcgi_pass fastcgi_backend;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
+
+ location ~ /setup/(?!pub/). {
+ deny all;
+ }
+}
+
+location /update {
+ root $MAGE_ROOT;
+
+ location ~ /update/index.php {
+ fastcgi_pass fastcgi_backend;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+ # deny everything but index.php
+ location ~ /update/(?!pub/). {
+ deny all;
+ }
}
location / {
@@ -40,6 +59,9 @@ location / {
}
location /pub {
+ location ~ ^/pub/media/(downloadable|customer|import|theme_customization/.*\.xml) {
+ deny all;
+ }
alias $MAGE_ROOT/pub;
}
@@ -70,6 +92,11 @@ location /static/ {
location /media/ {
try_files $uri $uri/ /get.php?$args;
+
+ location ~ ^/media/theme_customization/.*\.xml {
+ deny all;
+ }
+
location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
add_header Cache-Control "public";
expires +1y;
@@ -90,15 +117,7 @@ location /media/downloadable/ {
deny all;
}
-location ~ /media/theme_customization/.*\.xml$ {
- deny all;
-}
-
-location /errors/ {
- try_files $uri =404;
-}
-
-location ~ ^/errors/.*\.(xml|phtml)$ {
+location /media/import/ {
deny all;
}
diff --git a/pub/errors/.htaccess b/pub/errors/.htaccess
index 5a3f0a15d124ed9f66b3fd0e97ad4d6ae7cce0f7..3692dd439e2ff90b141f4e2c362518e359e7079e 100644
--- a/pub/errors/.htaccess
+++ b/pub/errors/.htaccess
@@ -2,6 +2,3 @@ Options None
<IfModule mod_rewrite.c>
RewriteEngine Off
</IfModule>
-<FilesMatch "\.(xml|phtml)$">
- Deny from all
-</FilesMatch>
\ No newline at end of file
diff --git a/setup/config/.htaccess b/setup/config/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..281d5c33db37cd1cc887dbb2d36897b897835071
--- /dev/null
+++ b/setup/config/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/performance-toolkit/.htaccess b/setup/performance-toolkit/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..281d5c33db37cd1cc887dbb2d36897b897835071
--- /dev/null
+++ b/setup/performance-toolkit/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/src/.htaccess b/setup/src/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..281d5c33db37cd1cc887dbb2d36897b897835071
--- /dev/null
+++ b/setup/src/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/setup/view/.htaccess b/setup/view/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..281d5c33db37cd1cc887dbb2d36897b897835071
--- /dev/null
+++ b/setup/view/.htaccess
@@ -0,0 +1,2 @@
+order allow,deny
+deny from all
diff --git a/vendor/.htaccess b/vendor/.htaccess
new file mode 100644
index 0000000000000000000000000000000000000000..cb24fd7fc0b3a0e46f6cad19e834117476bd0341
--- /dev/null
+++ b/vendor/.htaccess
@@ -0,0 +1,2 @@
+Order allow,deny
+Deny from all