htaccess files

2026-02-12 14:37:17 +05:30 · 2026-02-12 14:37:17 +05:30 · aae99c42cb
commit aae99c42cb
parent 77274a7540
3 changed files with 254 additions and 4 deletions
--- a/.env.example
+++ b/.env.example
@ -20,11 +20,8 @@ FLASK_ENV=development

 AZURE_CLIENT_ID=15c0c4e2-bac0-4564-a3a6-c2717f00a6d9
 AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385
-# REDIRECT_URI=http://localhost:3000
+# REDIRECT_URI=https://ai-sandbox.oliver.solutions/lux-studio/

-# Redirect URI - Change based on environment:
-# Development: http://localhost:3000
-# Production:  https://ai-sandbox.oliver.solutions/video-optimizer
 REDIRECT_URI=https://ai-sandbox.oliver.solutions/video-optimizer

 # ------------------------------------------------------------------------------
--- a/backend/.htaccess
+++ b/backend/.htaccess
@ -0,0 +1,133 @@
+# ==============================================================================
+# VIDEO OPTIMIZER - BACKEND SECURITY CONFIGURATION
+# ==============================================================================
+# Location: /opt/video-optimizer-back/backend/.htaccess
+# Purpose: Deny all direct web access to backend files
+# Note: Backend should ONLY be accessed via Apache proxy (localhost:5000)
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# DENY ALL ACCESS
+# ------------------------------------------------------------------------------
+
+# This backend directory should NOT be directly accessible via web
+# All API requests should go through Apache proxy: /video-optimizer/api -> localhost:5000
+
+<RequireAll>
+    Require all denied
+</RequireAll>
+
+# ------------------------------------------------------------------------------
+# EXPLANATION
+# ------------------------------------------------------------------------------
+#
+# The backend Python Flask application runs on localhost:5000 and should ONLY
+# be accessible through the Apache reverse proxy configuration.
+#
+# Direct web access to this directory must be blocked to prevent:
+# - Direct access to Python source code
+# - Exposure of sensitive configuration files
+# - Unauthorized API access bypassing the proxy
+# - Security vulnerabilities from direct file access
+#
+# Correct API access path:
+#   ✓ https://ai-sandbox.oliver.solutions/video-optimizer/api/health
+#   ✗ Direct access to /opt/video-optimizer-back/backend/app.py
+#
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# ADDITIONAL PROTECTION
+# ------------------------------------------------------------------------------
+
+# Disable directory browsing
+Options -Indexes
+
+# Disable symbolic links
+Options -FollowSymLinks
+
+# Disable script execution
+Options -ExecCGI
+
+# Deny access to all file types
+<FilesMatch ".*">
+    Require all denied
+</FilesMatch>
+
+# Explicitly deny Python files
+<FilesMatch "\.(py|pyc|pyo|pyd)$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to environment files
+<FilesMatch "^\.env">
+    Require all denied
+</FilesMatch>
+
+# Deny access to JSON configuration files
+<FilesMatch "\.(json)$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to log files
+<FilesMatch "\.(log)$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to requirements.txt
+<FilesMatch "^requirements\.txt$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to .htaccess itself
+<Files ".htaccess">
+    Require all denied
+</Files>
+
+# Deny access to hidden files
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+# ------------------------------------------------------------------------------
+# SECURITY HEADERS (In case of misconfiguration)
+# ------------------------------------------------------------------------------
+
+<IfModule mod_headers.c>
+    # If somehow accessed, prevent rendering in browser
+    Header set X-Content-Type-Options "nosniff"
+    Header set X-Frame-Options "DENY"
+    Header set X-XSS-Protection "1; mode=block"
+
+    # Prevent caching
+    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
+    Header set Pragma "no-cache"
+    Header set Expires "0"
+</IfModule>
+
+# ==============================================================================
+# IMPORTANT NOTES
+# ==============================================================================
+#
+# 1. This directory (/opt/video-optimizer-back/backend/) is NOT in the web root
+#    (/var/www/html/), so it should not be accessible via Apache anyway.
+#
+# 2. This .htaccess file is a defense-in-depth measure to prevent access
+#    in case of Apache misconfiguration.
+#
+# 3. The backend Flask application is bound to 127.0.0.1:5000 (localhost only)
+#    and cannot be accessed directly from the internet.
+#
+# 4. All API requests must go through the Apache proxy configuration:
+#    <Location /video-optimizer/api>
+#        ProxyPass http://127.0.0.1:5000/api
+#        ProxyPassReverse http://127.0.0.1:5000/api
+#    </Location>
+#
+# 5. If you need to access backend files for maintenance, use SSH:
+#    ssh user@ai-sandbox.oliver.solutions
+#    cd /opt/video-optimizer-back/backend/
+#
+# ==============================================================================
+# END OF CONFIGURATION
+# ==============================================================================
--- a/frontend/.htaccess
+++ b/frontend/.htaccess
@ -0,0 +1,120 @@
+# ==============================================================================
+# VIDEO OPTIMIZER - FRONTEND SECURITY CONFIGURATION
+# ==============================================================================
+# Location: /var/www/html/video-optimizer/.htaccess
+# Purpose: Security hardening for frontend static files
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# DIRECTORY PROTECTION
+# ------------------------------------------------------------------------------
+
+# Disable directory browsing
+Options -Indexes
+
+# Follow symbolic links (required for some servers)
+Options +FollowSymLinks
+
+# Disable server signature
+ServerSignature Off
+
+# ------------------------------------------------------------------------------
+# FILE ACCESS CONTROL
+# ------------------------------------------------------------------------------
+
+# Default: Allow access to all files (will be restricted below)
+<FilesMatch ".*">
+    Require all granted
+</FilesMatch>
+
+# Deny access to sensitive files and patterns
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
+# Deny access to backup and temporary files
+<FilesMatch "\.(bak|backup|old|tmp|temp|swp|save|orig|dist|log|sql|sqlite|db)$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to version control files
+<FilesMatch "(^\.git|^\.svn|^\.hg|^\.bzr)">
+    Require all denied
+</FilesMatch>
+
+# Deny access to environment and configuration files
+<FilesMatch "^(\.env|\.env\.|config\.json|package\.json|package-lock\.json|composer\.json|composer\.lock)">
+    Require all denied
+</FilesMatch>
+
+# Deny access to PHP files (if any exist - security measure)
+<FilesMatch "\.php$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to Python files (should not be in frontend)
+<FilesMatch "\.py$">
+    Require all denied
+</FilesMatch>
+
+# Deny access to README and documentation that shouldn't be public
+<FilesMatch "^(README|INSTALL|CHANGELOG|LICENSE|CONTRIBUTING)">
+    Require all denied
+</FilesMatch>
+
+# ------------------------------------------------------------------------------
+# ALLOWED FILE TYPES (Explicitly allow necessary files)
+# ------------------------------------------------------------------------------
+
+# Allow HTML files (main application pages)
+<FilesMatch "\.(html|htm)$">
+    Require all granted
+</FilesMatch>
+
+# Allow JavaScript files
+<FilesMatch "\.(js|mjs)$">
+    Require all granted
+</FilesMatch>
+
+# Allow CSS files
+<FilesMatch "\.css$">
+    Require all granted
+</FilesMatch>
+
+# Allow images
+<FilesMatch "\.(jpg|jpeg|png|gif|ico|svg|webp)$">
+    Require all granted
+</FilesMatch>
+
+# Allow fonts
+<FilesMatch "\.(woff|woff2|ttf|otf|eot)$">
+    Require all granted
+</FilesMatch>
+
+# Allow JSON files (only if needed for app functionality)
+<FilesMatch "\.json$">
+    Require all denied
+</FilesMatch>
+
+# ------------------------------------------------------------------------------
+# ERROR DOCUMENTS
+# ------------------------------------------------------------------------------
+
+# Custom error pages (optional - create these files if needed)
+# ErrorDocument 403 /video-optimizer/error/403.html
+# ErrorDocument 404 /video-optimizer/error/404.html
+# ErrorDocument 500 /video-optimizer/error/500.html
+
+# ------------------------------------------------------------------------------
+# ADDITIONAL SECURITY
+# ------------------------------------------------------------------------------
+
+# Prevent access to .htaccess itself
+<Files ".htaccess">
+    Require all denied
+</Files>
+
+
+# ==============================================================================
+# END OF CONFIGURATION
+# ==============================================================================