Simplify .htaccess to basic directory protection

Changes: - Removed restrictive file access rules - Kept only essential security: - Disable directory browsing (Options -Indexes) - Set default document to report.php - Protect .env files - Protect .git directory - Updated README to reflect simplified configuration Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
2026-01-08 15:09:55 -05:00 · 2026-01-08 15:09:55 -05:00 · bc777a1bbb
commit bc777a1bbb
parent 69f4c3a6c4
2 changed files with 14 additions and 299 deletions
--- a/.htaccess
+++ b/.htaccess
@ -1,291 +1,29 @@
 # AI Tools Usage Report System - Apache Configuration
-# Security, Performance, and Routing Rules

 # ============================================
-# SECURITY HEADERS
+# DISABLE DIRECTORY BROWSING
 # ============================================

-<IfModule mod_headers.c>
-    # Prevent clickjacking attacks
-    Header always set X-Frame-Options "SAMEORIGIN"
-
-    # Prevent MIME type sniffing
-    Header always set X-Content-Type-Options "nosniff"
-
-    # Enable XSS protection
-    Header always set X-XSS-Protection "1; mode=block"
-
-    # Referrer policy
-    Header always set Referrer-Policy "strict-origin-when-cross-origin"
-
-    # Content Security Policy (adjust as needed)
-    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self';"
-
-    # Remove server signature
-    Header unset Server
-    Header unset X-Powered-By
-</IfModule>
+Options -Indexes

 # ============================================
-# FORCE HTTPS (Uncomment for production)
+# DEFAULT DOCUMENT
 # ============================================

-# <IfModule mod_rewrite.c>
-#     RewriteEngine On
-#     RewriteCond %{HTTPS} off
-#     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-# </IfModule>
+DirectoryIndex report.php index.php index.html

 # ============================================
-# PROTECT SENSITIVE FILES
+# PROTECT .ENV FILES
 # ============================================

-# Deny access to .env files
 <FilesMatch "^\.env">
    Require all denied
 </FilesMatch>

-# Deny access to .git directory
+# ============================================
+# PROTECT .GIT DIRECTORY
+# ============================================
+
 <DirectoryMatch "\.git">
    Require all denied
 </DirectoryMatch>
-
-# Deny access to composer files
-<FilesMatch "^composer\.(json|lock)$">
-    Require all denied
-</FilesMatch>
-
-# Deny access to Python files (except via PHP execution)
-<FilesMatch "\.(py|pyc)$">
-    Require all denied
-</FilesMatch>
-
-# Deny access to configuration files
-<FilesMatch "^(config|env_loader)\.php$">
-    Require all denied
-</FilesMatch>
-
-# Deny access to log files
-<FilesMatch "\.log$">
-    Require all denied
-</FilesMatch>
-
-# Deny access to backup files
-<FilesMatch "\.(bak|backup|old|save|swp|~)$">
-    Require all denied
-</FilesMatch>
-
-# Protect webhook response data (allow only from server)
-<FilesMatch "^webhook_response\.json$">
-    Require all denied
-</FilesMatch>
-
-# Protect requirements.txt
-<FilesMatch "^requirements\.txt$">
-    Require all denied
-</FilesMatch>
-
-# Protect systemd service files
-<FilesMatch "\.service$">
-    Require all denied
-</FilesMatch>
-
-# Protect shell scripts
-<FilesMatch "\.(sh|bash)$">
-    Require all denied
-</FilesMatch>
-
-# Protect markdown documentation (optional - comment out if you want docs accessible)
-<FilesMatch "\.(md|markdown)$">
-    Require all denied
-</FilesMatch>
-
-# ============================================
-# DIRECTORY BROWSING
-# ============================================
-
-# Disable directory browsing
-Options -Indexes
-
-# Default document
-DirectoryIndex report.php index.php index.html
-
-# ============================================
-# PHP SETTINGS
-# ============================================
-
-<IfModule mod_php7.c>
-    # Hide PHP version
-    php_flag display_errors Off
-    php_flag log_errors On
-    php_value error_log logs/php_error.log
-
-    # Security settings
-    php_flag expose_php Off
-    php_flag allow_url_fopen On
-    php_flag allow_url_include Off
-
-    # Session settings
-    php_value session.cookie_httponly 1
-    php_value session.cookie_secure 0
-    php_value session.use_strict_mode 1
-    php_value session.cookie_samesite Lax
-
-    # Upload limits (adjust as needed)
-    php_value upload_max_filesize 10M
-    php_value post_max_size 10M
-    php_value max_execution_time 300
-    php_value max_input_time 300
-    php_value memory_limit 256M
-</IfModule>
-
-# ============================================
-# URL REWRITING
-# ============================================
-
-<IfModule mod_rewrite.c>
-    RewriteEngine On
-    RewriteBase /
-
-    # Remove trailing slash (optional)
-    RewriteCond %{REQUEST_FILENAME} !-d
-    RewriteCond %{REQUEST_URI} (.+)/$
-    RewriteRule ^ %1 [L,R=301]
-
-    # Redirect root to report page
-    RewriteRule ^$ report.php [L]
-
-    # Clean URLs for main pages (optional - uncomment if desired)
-    # RewriteRule ^report$ report.php [L]
-    # RewriteRule ^fetch$ webhook_caller.php [L]
-    # RewriteRule ^auth$ auth.php [L]
-
-    # Prevent access to internal PHP files
-    RewriteRule ^(AuthMiddleware|JWTValidator)\.php$ - [F,L]
-</IfModule>
-
-# ============================================
-# COMPRESSION
-# ============================================
-
-<IfModule mod_deflate.c>
-    # Compress HTML, CSS, JavaScript, Text, XML and fonts
-    AddOutputFilterByType DEFLATE application/javascript
-    AddOutputFilterByType DEFLATE application/json
-    AddOutputFilterByType DEFLATE application/x-javascript
-    AddOutputFilterByType DEFLATE application/xhtml+xml
-    AddOutputFilterByType DEFLATE application/xml
-    AddOutputFilterByType DEFLATE font/opentype
-    AddOutputFilterByType DEFLATE font/otf
-    AddOutputFilterByType DEFLATE font/ttf
-    AddOutputFilterByType DEFLATE image/svg+xml
-    AddOutputFilterByType DEFLATE image/x-icon
-    AddOutputFilterByType DEFLATE text/css
-    AddOutputFilterByType DEFLATE text/html
-    AddOutputFilterByType DEFLATE text/javascript
-    AddOutputFilterByType DEFLATE text/plain
-    AddOutputFilterByType DEFLATE text/xml
-
-    # Remove browser bugs (old browsers)
-    BrowserMatch ^Mozilla/4 gzip-only-text/html
-    BrowserMatch ^Mozilla/4\.0[678] no-gzip
-    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
-    Header append Vary User-Agent
-</IfModule>
-
-# ============================================
-# CACHING
-# ============================================
-
-<IfModule mod_expires.c>
-    ExpiresActive On
-    ExpiresDefault "access plus 1 month"
-
-    # HTML - no cache
-    ExpiresByType text/html "access plus 0 seconds"
-
-    # CSS and JavaScript
-    ExpiresByType text/css "access plus 1 year"
-    ExpiresByType application/javascript "access plus 1 year"
-    ExpiresByType text/javascript "access plus 1 year"
-
-    # Images
-    ExpiresByType image/gif "access plus 1 month"
-    ExpiresByType image/jpeg "access plus 1 month"
-    ExpiresByType image/png "access plus 1 month"
-    ExpiresByType image/svg+xml "access plus 1 month"
-    ExpiresByType image/x-icon "access plus 1 year"
-
-    # Fonts
-    ExpiresByType font/ttf "access plus 1 year"
-    ExpiresByType font/otf "access plus 1 year"
-    ExpiresByType font/woff "access plus 1 year"
-    ExpiresByType font/woff2 "access plus 1 year"
-
-    # JSON
-    ExpiresByType application/json "access plus 0 seconds"
-</IfModule>
-
-# Cache-Control Headers
-<IfModule mod_headers.c>
-    # No cache for PHP files
-    <FilesMatch "\.(php)$">
-        Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
-        Header set Pragma "no-cache"
-    </FilesMatch>
-
-    # Cache static assets
-    <FilesMatch "\.(css|js|jpg|jpeg|png|gif|svg|ico|woff|woff2|ttf|otf)$">
-        Header set Cache-Control "public, max-age=31536000, immutable"
-    </FilesMatch>
-</IfModule>
-
-# ============================================
-# ERROR DOCUMENTS (Optional)
-# ============================================
-
-# Custom error pages (create these files if you want custom error pages)
-# ErrorDocument 400 /error.php?code=400
-# ErrorDocument 401 /error.php?code=401
-# ErrorDocument 403 /error.php?code=403
-# ErrorDocument 404 /error.php?code=404
-# ErrorDocument 500 /error.php?code=500
-
-# ============================================
-# CORS (Cross-Origin Resource Sharing)
-# ============================================
-
-# Only if you need CORS for API endpoints (uncomment if needed)
-# <IfModule mod_headers.c>
-#     Header set Access-Control-Allow-Origin "*"
-#     Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
-#     Header set Access-Control-Allow-Headers "Content-Type, Authorization"
-# </IfModule>
-
-# ============================================
-# RATE LIMITING (if mod_ratelimit is available)
-# ============================================
-
-# <IfModule mod_ratelimit.c>
-#     # Limit to 400 KB/s per connection (adjust as needed)
-#     SetOutputFilter RATE_LIMIT
-#     SetEnv rate-limit 400
-# </IfModule>
-
-# ============================================
-# ETAG REMOVAL (Optional - for better caching)
-# ============================================
-
-# <IfModule mod_headers.c>
-#     Header unset ETag
-# </IfModule>
-# FileETag None
-
-# ============================================
-# CHARACTER ENCODING
-# ============================================
-
-AddDefaultCharset UTF-8
-<IfModule mod_mime.c>
-    AddCharset UTF-8 .html .css .js .json .xml .txt
-</IfModule>
--- a/README.md
+++ b/README.md
@ -415,35 +415,12 @@ If you don't add the tool, it will still be tracked and displayed with its raw n
 - **HTTPS**: Strongly recommended for production (force HTTPS in .htaccess)

 ### Apache Security (.htaccess)
-The included `.htaccess` file provides comprehensive security:
+The included `.htaccess` file provides basic security:

-**File Protection:**
- Blocks access to `.env`, `.git`, configuration files
- Protects Python scripts, logs, and backup files
- Denies access to `webhook_response.json`
- Blocks composer and requirements files
-
-**Security Headers:**
- X-Frame-Options: Prevents clickjacking
- X-Content-Type-Options: Prevents MIME sniffing
- X-XSS-Protection: Enables XSS filtering
- Content-Security-Policy: Restricts resource loading
- Referrer-Policy: Controls referrer information
-
-**Additional Features:**
- Gzip compression for faster page loads
- Browser caching for static assets
- PHP security settings (expose_php off, etc.)
- Optional HTTPS enforcement (uncomment to enable)
- Directory browsing disabled
-
-**To Enable HTTPS Redirect:**
-Edit `.htaccess` and uncomment these lines:
-```apache
-RewriteEngine On
-RewriteCond %{HTTPS} off
-RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-```
+- **Directory Browsing Disabled**: Prevents listing of files
+- **Default Document**: Sets `report.php` as the default page
+- **Environment File Protection**: Blocks access to `.env` files
+- **Git Directory Protection**: Blocks access to `.git` directory

 ## License