My Webapplication Firewall.
Publicated on :
1209325016
Alright, so I rewrote my .htaccess today. Made it smaller and far better than it previously was. It basically is a miniature webapplication firewall that can help secure your server and applications too. Don't be fooled by it's size, it maybe fit into 1KB, it still protects you from nearly every webapplication attack there is. Even if you have holes, they can't be exploited anymore, and thus prevents future bugs and attacks. A solution doesn't have to be difficult, often the simple ones are the most elegant ones. Well, if you don't believe me, go try it out! Simple!
I started out with a huge .htaccess, and this is the accumulation of almost 7 years of server administration. It is highly optimized, because many rules will have impact on performance.
RewriteEngine On
Options +FollowSymLinks
ServerSignature Off
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} ^.*(\r|\n|%0A|%0D).* [NC,OR]
RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\..\).{0,9999}.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(libwww|curl|wget|python|nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127.0.0.1).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
RewriteRule ^(.*)$ access_log.php