Simple Apache security hardening (Apache 2.4 `Require` syntax)

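# No directory listing, no CGI execution from this tree
Options -Indexes -ExecCGI

# All "Header" directives below need mod_headers. In .htaccess context an
# unknown directive is a 500, i.e. a loud failure rather than a silently
# missing header - deliberately not wrapped in <IfModule>.
# "always" is deliberate too: the default condition ("onsuccess") does not
# cover locally generated error responses (the 403s produced by the deny rules
# further down, 404s), so those pages would be served without these headers.

# X-Content-Type-Options:
# Stops browsers from MIME-sniffing a response away from the declared
# Content-Type (e.g. treating an uploaded file as script).
Header always set X-Content-Type-Options "nosniff"

# X-Frame-Options:
# Refuses to be embedded in any frame, on any site - defends against
# clickjacking. CSP "frame-ancestors" is the modern replacement; this stays for
# browsers that only understand the legacy header.
Header always set X-Frame-Options "DENY"

# FileETag:
# The historical default ETag embedded the inode number, which leaks
# filesystem details. "None" drops ETags entirely; use "MTime Size" instead if
# ETag-based cache validation is wanted.
FileETag None

# X-XSS-Protection:
# The XSS auditor this header controlled has been removed from current
# browsers, and where it still exists "1; mode=block" can be abused for
# cross-site leaks. Current guidance (OWASP) is to disable it explicitly and
# rely on a Content-Security-Policy instead.
Header always set X-XSS-Protection "0"

# Strict-Transport-Security (one year).
# Browsers ignore HSTS received over plain HTTP, so this only takes effect on
# the TLS vhost. Add "; includeSubDomains" (and "; preload") only once every
# subdomain is served over HTTPS - a cached policy cannot be withdrawn quickly.
Header always set Strict-Transport-Security "max-age=31536000"

# Referrer-Policy:
# Full referrer on same-origin requests, origin only for cross-origin HTTPS,
# nothing at all on an HTTPS -> HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Permissions-Policy:
# Disables powerful browser features site-wide; fullscreen is allowed for
# same-origin documents only. Every entry must use the "feature=(...)" form -
# a bare "feature()" is a syntax error, and a malformed dictionary may cause
# the browser to ignore the whole header.
Header always set Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), usb=()"

# No Content-Security-Policy is set here: script/style sources and
# frame-ancestors are application-specific and have to be written per site.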

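# Deny access to files that must never be served: dotfiles holding credentials
# or config (.htaccess/.htpasswd/.env), server configs, logs, shell rc files
# and history, database dumps, archives, design sources, editor leftovers.
# "(?i)" makes the match case-insensitive so "DUMP.SQL" or "Config.INI" are
# caught as well. Only the final extension is inspected, so "backup.sql.gz" is
# not covered - add "gz" here if compressed dumps can exist under the docroot.
<FilesMatch "(?i)\.(htaccess|htpasswd|htdigest|gitignore|ini|sh|phps|fla|sql(ite)?|conf|log|ai|psd|js[fp]|mdb|tar|tgz|rar|7z|zsh.*|bash.*|r[bu]|coffee|lock|aspx?|yml|env|wadl|axd|s3cfg|viminfo|history|bak|swp|orig)$">
	Require all denied
</FilesMatch>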

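# Block via request URI: common scanner probe paths and application internals.
# This is a prefix match on the URL path, so "^/wp" also denies "/wp-admin/"
# and "/wp-login.php" - but equally "^/test" denies "/testimonials", "^/js"
# denies "/json" and "^/web" denies "/webhook". Audit the list against the
# site's real URL space before deploying; entries such as images, js, assets,
# media, vendor, html and lib break many sites. The match is case-sensitive
# ("/Admin" passes). <LocationMatch> is only valid in server/vhost config,
# not in .htaccess, and applies whether or not the path exists on disk.
<LocationMatch "^/(wordpress|wp|trace|old|test|bitrix|backup|db|predb|database|dump|java|soap|sites|lib|html|admin|resources|assets|thirdparty|js|plugin|inc|web|bundle|xmlrpc|manual|cms|media|shop|modules|ycadmin|config|e?bak|null|plus|fckeditor|diguo|beifen|shujuku|wls-wsat|utility|dgbf|pma|phpmyadmin|temp|tmp|backs|tp5|mysql|misc|images|vendor|server|cgi|owa|package|node)">
	Require all denied
</LocationMatch>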

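# Block access to VCS metadata (.git, .svn, .hg) anywhere under the docroot.
# <DirectoryMatch> only applies when the request resolves to a real directory
# on disk; a ".git" *file* (worktree / submodule gitdir pointer) is not a
# directory and would not be covered, so the URL-based <LocationMatch> is
# added to catch that case too. Both sections need server/vhost context
# (not .htaccess). "(/|$)" matches the path with or without a trailing slash.
<DirectoryMatch "/\.(git|svn|hg)(/|$)">
	Require all denied
</DirectoryMatch>
<LocationMatch "/\.(git|svn|hg)(/|$)">
	Require all denied
</LocationMatch>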

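# Bad bots + SEO crawlers, matched on User-Agent (case-insensitive substring).
# Source list: https://raw.githubusercontent.com/bluedragonz/bad-bot-blocker/master/.htaccess
# CAVEAT: User-Agent and Referer are attacker-controlled; this only filters
# tools that announce themselves. Treat it as noise reduction, not as access
# control.
# Screaming Frog: SEO crawler
SetEnvIfNoCase User-Agent "Screaming Frog" block
# MASSCAN: mass IP port scanner - https://github.com/robertdavidgraham/masscan
SetEnvIfNoCase User-Agent "masscan" block
SetEnvIfNoCase User-Agent "botnet" block
# zgrab: network scanner - https://github.com/zmap/zgrab2
SetEnvIfNoCase User-Agent "zgrab" block
# Scrapy: Python website scraper - https://scrapy.org/
SetEnvIfNoCase User-Agent "Scrapy" block
# HTTrack: website copier - https://www.httrack.com/
SetEnvIfNoCase User-Agent "HTTrack" block
# axios: Node.js HTTP client (default UA "axios/<version>"). This also blocks
# legitimate server-side integrations built on it - drop if any are expected.
SetEnvIfNoCase User-Agent "axios" block
# Mechanize: web scraper - https://github.com/sparklemotion/mechanize
SetEnvIfNoCase User-Agent "Mechanize" block

# Vulnerability scanners
SetEnvIfNoCase User-Agent "Acunetix" block
SetEnvIfNoCase User-Agent "FHscan" block
#SetEnvIfNoCase User-Agent "Yandex" block

# Bad referers
SetEnvIfNoCase Referer "vulnweb" block
SetEnvIfNoCase Referer "acunetix" block
SetEnvIfNoCase Referer "bxss.me" block
SetEnvIfNoCase Referer "zajm-zalog-krasnodar.ru" block
SetEnvIfNoCase Referer "womantouch.ru" block

# Enforce the "block" flag. SetEnvIf only sets an environment variable;
# nothing above denies a request until a Require consumes the variable.
# Everyone else is granted. If this scope already carries Require rules
# (IP allow-lists, auth), fold them into this RequireAll or set AuthMerging -
# otherwise this block replaces them.
<RequireAll>
	Require all granted
	Require not env block
</RequireAll>

# Don't log these requests. "dontlog" is likewise only a flag: the access log
# has to opt out of it, and CustomLog is only valid in server/vhost config:
#   CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog
#SetEnvIfNoCase User-Agent "mod_pagespeed" dontlog
SetEnvIfNoCase Request_URI "^/static" dontlog
SetEnvIfNoCase Request_URI "^/cordova\.js$" dontlog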