From 1bccab2da2a52168b6871fe8134ef06be6769dcb Mon Sep 17 00:00:00 2001
From: Joshua Ramon Enslin
Date: Thu, 14 Nov 2019 12:55:26 +0100
Subject: [PATCH] Implement content security policies
phpcs-errors:253 phpunit-status:successful
---
 .htaccess | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 .htaccess
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..b1464e6
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,34 @@
+RewriteEngine On # Turn on the rewriting engine
+
+# Disallow access to the given subfolders
+RewriteRule ^(\.git|conf|vendor/|composer\.json|composer\.lock|functions) - [F,L,NC]
+
+# Only allow GET|HEAD|POST
+RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS)
+RewriteRule .? - [F]
+
+# RewriteCond %{REQUEST_URI} output=json
+# RewriteRule ^.*$ - [ENV=LONGCACHE:true]
+# Header set Access-Control-Allow-Origin "*" env=LONGCACHE
+# Header set Access-Control-Allow-Methods "GET, OPTIONS" env=LONGCACHE
+# Header set Access-Control-Allow-Headers "X-PINGOTHER, Content-Type, Accept-Encoding, cache-control" env=LONGCACHE
+# Header set Access-Control-Max-Age "86400" env=LONGCACHE
+HEADER set X-Frame-Options DENY env=LONGCACHE
+
+# RewriteCond %{REQUEST_FILENAME} -f
+# RewriteRule ^(.+)\.pdf$ /cgi-bin/pdf.php?file=$1 [L,NC,QSA]
+
+# Disallow execution of the following types of scripts
+RemoveHandler cgi-script .pl .py .cgi .sh
+
+## MAIN DEFAULTS
+Options -Indexes
+DirectoryIndex index.php
+
+# Set deailt charset
+AddDefaultCharset UTF-8
+
+# Set content and feature security headers
+Header set Content-Security-Policy "default-src 'self'; connect-src 'self'; script-src 'self' https://*.jrenslin.de; img-src 'self' https:; media-src 'self' https:; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'; form-action https://nat.museum-digital.de;"
+Header set Feature-Policy "midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'self'; gyroscope 'self'; speaker *; payment 'none'; fullscreen 'self'; geolocation 'none';"
+
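Review bot: The `X-Frame-Options` header on the `HEADER set X-Frame-Options DENY env=LONGCACHE` line is never emitted, because the only rule that would set the LONGCACHE environment variable (`RewriteRule ^.*$ - [ENV=LONGCACHE:true]`) is commented out a few lines above it; dropping the condition, `Header set X-Frame-Options "DENY"`, makes the clickjacking fallback for browsers that do not honour `frame-ancestors` actually apply. The three `Header set` lines will also fail the whole request with a 500 on an Apache where mod_headers is not loaded; wrapping them in `<IfModule mod_headers.c>` … `</IfModule>` keeps the site serving, but then the policies are silently absent, so a deployment check that the headers are present would be worth adding. The comment `# Only allow GET|HEAD|POST` no longer matches the condition beneath it, which also admits OPTIONS and, lacking a trailing anchor, any method name that merely begins with one of those tokens; `RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS)$` plus an updated comment would tighten it. Minor: `# Set deailt charset` is a typo for `default`.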