HTML5 Boilerplate htaccess file code

  • #19329
    Max
    Participant

    Hi,

    I have a couple Qs about a bit of code from the html5 boilerplate, namely from the ‘File Access’ section:

    <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
    
    # Apache < 2.3
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy All
    </IfModule>
    
    # Apache ≥ 2.3
    <IfModule mod_authz_core.c>
    Require all denied
    </IfModule>
    
    </FilesMatch>

    https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

    I have seen this code used in adaptations of the html5b htaccess for WP, for instance

    ### Block access to source files
    <FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Order allow,deny
    Deny from all
    Satisfy All
    </FilesMatch>

    https://github.com/Creare/WP-htaccess/blob/master/.htaccess

    My primary Q is: does BPSpro already protect these files, if so how?
    Secondary Q: I have been studying .htaccess/mod_rewrite/regex and am not sure what to make of the ‘#’ symbols as used in the code (unless they are meant as literal character tokens)?

    (^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)

    also, if the ‘~’ tilde symbol is meant to be something other than a literal character token, then I also do not understand that ‘~’ 🙂

    I am also interested in your opinion of the ‘Reflected Cross-Site Scripting (XSS) attacks’ code in the html5 boilerplate htaccess? Finally, if any of the above referenced code looks sensible to you in a general sense… guidance on which ‘custom code’ box to use?

    Thanks for your time 🙂
    Kind Regards, Max

    #19331
    Max
    Participant

    update: I should note, I am on apache 2.2.23 so I was looking at the html5 boilerplate rules for < 2.3

    Cheers, Max

    #19334
    AITpro Admin
    Keymaster

    The Plugin Firewall protects all of these file types in the /plugins/ folder from being publicly accessible:

    7z|as|bat|bin|cgi|chm|chml|class|cmd|com|command|dat|db|db2|db3|dba|dll|DS_Store|exe|gz|hta|htaccess|htc|htm|html|htx|idc|ini|ins|isp|jar|jav|java|js|jse|jsfl|json|jsp|jsx|lib|lnk|out|php|phps|php5|php4|php3|phtml|phpt|pl|py|pyd|pyc|pyo|rar|shtm|shtml|sql|swf|sys|tar|taz|tgz|tpl|txt|vb|vbe|vbs|war|ws|wsf|xhtml|z|zip

    The BPS Root htaccess file specifically protects these files from being publicly accessible: wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php
    The BPS wp-admin htaccess file specifically protects these files from being publicly accessible: install\.php

    For WordPress sites typically you only need to protect .php files since most WordPress files are .php files. You can of course add any other file types that you have in your website folders.

    ^#.*#

    I am not sure what that code above is intended to mean, but in the example it is going to mean “comment everything out” to the right of the leftmost pound sign. I don’t think that is what was intended in that code. Or in other words, that code is probably incorrect/invalid. In RegEx code you can use the # signs as delimiters (boundaries), but that does not work in htaccess code.  To parse a # sign you need to use the [NE,L] flag. Instead of escaping the # sign the url encoded equivalent should be used \%23.

    The tilde has no special meaning that I am aware of in htaccess code so in that code it would be interpreted literally as a tilde.

    No opinion on the Reflected XSS code.  Sounds like a good idea, but I have not looked at the code or tested it so I would not be able to offer any suggestions or an opinion.  If I have some spare time in a few days I will look over the code.

    You would add any/all of this custom htaccess code to this Root Custom Code text box:   and do the Custom Code setup steps which you will find in the Custom Code Read Me help button.
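
Max's secondary question (what the ‘#’ and ‘~’ characters do in the h5bp FilesMatch pattern) can be settled by running the pattern itself. The script below is an added example, not code from this thread, from h5bp or from BPS Pro; it uses Python's re module as a stand-in for the PCRE engine Apache hands the FilesMatch argument to, which is exact for this pattern, and feeds it a constructed list of basenames. Apache only treats ‘#’ as a comment marker at the start of a configuration line, so inside the quoted FilesMatch argument both ‘#’ and ‘~’ are literal characters: ^#.*# matches Emacs auto-save files such as #wp-config.php#, and the trailing ~ matches editor backup copies such as wp-config.php~. The Creare WordPress variant quoted above is included so the difference between conf and config shows up.

```python
import re

# h5bp "File Access" pattern, copied verbatim from the .htaccess quoted in the thread.
# Apache passes the quoted FilesMatch argument to PCRE unchanged; '#' is only a
# comment marker at the start of a configuration line, so here '#' and '~' are
# literal characters. FilesMatch is case-sensitive unless the pattern says (?i).
H5BP_PATTERN = r"(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$"

# The Creare WP adaptation quoted in the thread (config/inc/ini spelled out).
CREARE_PATTERN = r"(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$"


def is_blocked(filename: str, pattern: str = H5BP_PATTERN) -> bool:
    """True if the FilesMatch block would apply to this basename.

    <FilesMatch> tests the file name, not the full path, and the match is an
    unanchored search, so re.search() is the right analogue.
    """
    return re.search(pattern, filename) is not None


# Constructed sample of basenames an attacker might probe for (not a real listing).
SAMPLES = [
    "#wp-config.php#",     # Emacs auto-save file: matched by ^#.*#
    "wp-config.php~",      # editor backup copy: matched by the trailing ~
    ".wp-config.php.swp",  # vim swap file: matched by sw[op]
    "wp-config.php.bak",
    "database.sql",
    "deploy.sh",
    "php.ini",             # in[ci] -> ini
    "functions.inc",       # in[ci] -> inc
    "httpd.conf",          # conf in h5bp; the Creare variant only lists config
    "index.php",           # not matched: ordinary request
    "style.css",
    "wp-config.php",       # not matched: must be protected by a separate rule
]


def blocked_list(pattern: str = H5BP_PATTERN) -> list:
    """Basenames from SAMPLES that the given pattern would deny."""
    return [name for name in SAMPLES if is_blocked(name, pattern)]


if __name__ == "__main__":
    for name in SAMPLES:
        h5bp = "DENY" if is_blocked(name) else "allow"
        creare = "DENY" if is_blocked(name, CREARE_PATTERN) else "allow"
        print(f"{name:22s} h5bp={h5bp:5s} creare={creare}")
```

Note what the last sample shows: neither pattern touches wp-config.php itself, which is why the BPS Root htaccess rule for wp-config\.php mentioned above is still needed alongside this block.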

    #19335
    Max
    Participant

    Thanks for your rapid response!

    “I am not sure what that code above is intended to mean, but in the example it is going to mean “comment everything out” to the right of the leftmost pound sign. I don’t think that is what was intended in that code. Or in other words, that code is probably incorrect/invalid. In RegEx code you can use the # signs as boundaries, but that does not work in htaccess code.  To parse a # sign you need to use the [NE,L] flag. Instead of escaping the # sign the url encoded equivalent should be used \%23”

    That is exactly what I thought, except I was not confident in being correct! How can such a popular framework as html5 boilerplate be using broken htaccess regex?

    I am confounded! I did my best to look through J. Friedl’s ‘Mastering Regular Expressions’ and am at this point always rereading R. Bowen’s ‘Definitive Guide to Apache mod_rewrite’ and found no explanation for the use of the ‘#’ characters in the above code in any way that would not break the site/be weird…

    so, I imagined that they were either meant to be a) literal characters, then they need to be treated as you say or b) they were used to represent places where one is expected to supply appropriate values…

    I figured that BPSpro was probably blocking access to these files already 🙂
    I am trying though to learn the wheres and hows, so your explanations are totally appreciated!
    Regarding the ‘Reflected Cross-Site Scripting (XSS) attacks’ code in the html5 boilerplate… for ease of reference, here it is, taken from

    https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

    <IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
    Header unset X-XSS-Protection
    </FilesMatch>
    </IfModule>

    Kind Regards, Max

    #19340
    AITpro Admin
    Keymaster

    Oh yeah you are probably right about the intention being literally a #match anything# pattern, but it is not valid since # signs in htaccess code mean comment something out.  My RegEx brain kicked in and saw delimiters (boundaries) since # signs are frequently used in php code RegEx patterns as delimiters (boundaries).

    That code would ONLY work in IE8+ and some Chrome browser versions.
    https://www.owasp.org/index.php/List_of_useful_HTTP_headers

    Header set X-XSS-Protection "1; mode=block"

    These bits of htaccess code are pending testing. We are locked in for tasks for BPS Pro 9.9 so testing these bits of code will have to wait, but feel free to experiment with them.

    # Don't allow pages to be framed externally - Defends against clickjacking
    Header append X-FRAME-OPTIONS "SAMEORIGIN"
    
    # Only allow JavaScript from the same domain to be run.
    # Don't allow inline JavaScript to run.
    Header set X-Content-Security-Policy "allow 'self';"
    
    # Prevent mime based attacks
    Header set X-Content-Type-Options "nosniff"
    
    # Control Cross-Domain Policies
    Header set X-Permitted-Cross-Domain-Policies "master-only"
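
Once header directives like the ones above have been added through the Root Custom Code box, the way to confirm they actually reach the browser is to inspect a real response. The script below is an added example, not BPS Pro or h5bp code: it parses a raw HTTP response into a header map, reports which of the three fixed-value headers listed above are missing or carry a different value, and flags X-XSS-Protection on the static asset types that the h5bp FilesMatch block in the previous post deliberately unsets it for. The three responses are constructed for the example, not captured from a server, the asset suffix list is a shortened copy of that FilesMatch pattern, and the X-Content-Security-Policy line is not checked.

```python
import re

# Expected header values, taken from the htaccess snippets posted in this thread.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "master-only",
}

# Shortened copy of the h5bp FilesMatch list on which X-XSS-Protection is unset;
# the header only has an effect on HTML documents.
STATIC_ASSET = re.compile(r"\.(css|js|json|png|gif|jpe?g|ico|svgz?|woff2?|xml|txt|pdf)$")


def parse_response(raw: str) -> dict:
    """Split a raw HTTP response into a lower-cased header-name -> value dict.

    Repeated headers are joined with ', ', which is what a client sees when two
    layers (for example Apache 'Header append' and the application) both emit one.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit(raw: str, path: str) -> list:
    """Return findings for one response; an empty list means it matches the snippets."""
    h = parse_response(raw)
    findings = []
    for name, want in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif h[name] != want:
            findings.append(f"{name} is {h[name]!r}, expected {want!r}")
    xss = h.get("x-xss-protection")
    if STATIC_ASSET.search(path):
        if xss is not None:
            findings.append("x-xss-protection sent on a static asset")
    elif xss != "1; mode=block":
        findings.append(f"x-xss-protection is {xss!r}, expected '1; mode=block'")
    return findings


# Constructed sample responses (not captured from a real server).
HARDENED_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html>...</html>"
)
UNHARDENED_PAGE = (  # none of the hardening headers, and the XSS filter switched off
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
    "<html>...</html>"
)
ASSET_WITH_XSS = (  # FilesMatch exemption not applied: header leaks onto a stylesheet
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/css\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Permitted-Cross-Domain-Policies: master-only\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "body{}"
)

if __name__ == "__main__":
    checks = [
        ("hardened", HARDENED_PAGE, "/index.php"),
        ("unhardened", UNHARDENED_PAGE, "/index.php"),
        ("asset", ASSET_WITH_XSS, "/wp-content/themes/x/style.css"),
    ]
    for label, raw, path in checks:
        print(label, audit(raw, path) or "OK")
```

To use it against a live site, paste the output of a curl -i request for an HTML page and for a .css or .js file into the sample strings; the audit for the asset case is what tells you whether the FilesMatch exemption in the previous post was actually applied.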