Yii security policy


The .htaccess in the web root:
Options +FollowSymLinks
IndexIgnore */*
RewriteEngine on

# if a directory or a file exists, use it directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# otherwise forward it to index.php
RewriteRule . index.php

# Block access to backup and source files
# These files may be left by some text/html editors and
# pose a great security danger, when someone can access them.
# Without a FilesMatch scope the three directives below would deny the whole
# site; the suffix list here is an assumed set of common backup/source
# extensions, adjust it to your editors and tooling.
<FilesMatch "(\.(bak|config|sql|ini|log|sh|inc|swp|dist)|~)$">
    # Apache 2.2 syntax; on 2.4 without mod_access_compat use: Require all denied
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or Git.
# [OR] is required: a path is either a directory or a file, so without it the two
# conditions can never both hold and the rule would never fire.
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]

# "-Indexes" will have Apache block users from browsing folders without a default document
# Usually you should leave this activated, because you shouldn't allow everybody to surf through
# every folder on your server (which includes rather private places like CMS system folders).
Options -Indexes

# Response security headers (requires mod_headers)
Header always add X-Frame-Options SAMEORIGIN
Header always add Content-Security-Policy "default-src 'self';script-src 'unsafe-inline' 'self';style-src 'unsafe-inline' 'unsafe-eval' 'self';img-src 'self';connect-src 'self'"

Then add a .htaccess with the following content to protected/ and to every views directory:

# Apache 2.2 syntax; on 2.4 without mod_access_compat use: Require all denied
deny from all

Add a .htaccess with the following content to the upload directory:

# disable all directory options (Indexes, Includes, ExecCGI, ...)
Options None

# Apache 2.2 syntax; on 2.4 without mod_access_compat use: Require all denied
Order Allow,Deny
Deny from all
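As an added offline check (not part of the original post), the script below applies the rules above to sample request paths and audits the CSP header for weak source keywords. The backup/source suffix list and the set of denied directory names are assumptions that mirror the configuration above.

```python
import re

# Rules from the root .htaccess: dot-segments get [F], backup/source suffixes are
# denied. The suffix list is an assumption (the FilesMatch pattern is not given).
HIDDEN_RE = re.compile(r"(^|/)\.")                                  # RewriteRule "(^|/)\." - [F]
BACKUP_RE = re.compile(r"(\.(bak|config|sql|ini|log|sh|inc|swp|dist)|~)$")
# Directories that carry their own "deny from all" .htaccess (assumed names).
DENIED_DIRS = ("protected", "views", "uploads")


def blocked_reason(path):
    """Return why a request path is refused by the rules, or None if it is served."""
    p = path.split("?", 1)[0].lstrip("/")
    if HIDDEN_RE.search(p):
        return "hidden path (dot-segment)"
    if BACKUP_RE.search(p):
        return "backup/source file"
    # any parent directory that has its own deny-all .htaccess
    if any(seg in DENIED_DIRS for seg in p.split("/")[:-1]):
        return "directory denied by its own .htaccess"
    return None


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def weak_csp_directives(header):
    """Directives that permit 'unsafe-inline' or 'unsafe-eval', sorted by name."""
    weak = {"'unsafe-inline'", "'unsafe-eval'"}
    return sorted(d for d, srcs in parse_csp(header).items() if weak & set(srcs))


if __name__ == "__main__":
    # constructed sample inputs: the CSP value from the root .htaccess and a few paths
    csp = ("default-src 'self';script-src 'unsafe-inline' 'self';"
           "style-src 'unsafe-inline' 'unsafe-eval' 'self';img-src 'self';connect-src 'self'")
    for p in ["/index.php", "/.git/config", "/protected/config/main.php",
              "/uploads/x.php", "/css/main.css", "/config.php~", "/assets/a.js"]:
        print(p, "->", blocked_reason(p) or "served")
    print("weak CSP directives:", weak_csp_directives(csp))
```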
