.htaccess

1. #####
2. #
3. # Example .htaccess file for TYPO3 CMS - for use with Apache Webserver
4. #
5. # This file includes settings for the following configuration options:
6. #
7. # - Compression
8. # - Caching
9. # - MIME types
10. # - Cross Origin requests
11. # - Rewriting and Access
12. # - Miscellaneous
13. # - PHP optimisation
14. #
15. # If you want to use it, you have to copy it to the root folder of your TYPO3 installation (if its
16. # not there already) and rename it to '.htaccess'. To make .htaccess files work, you might need to
17. # adjust the 'AllowOverride' directive in your Apache configuration file.
18. #
19. # IMPORTANT: You may need to change this file depending on your TYPO3 installation!
20. # Consider adding this file's content to your webserver's configuration directly for speed improvement
21. #
22. # Lots of the options are taken from https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess
23. #
24. ####
25.  
26.  
27. ### Begin: Compression ###
28.  
29. # Compressing resource files will save bandwidth and so improve loading speed especially for users
30. # with slower internet connections. TYPO3 can compress the .js and .css files for you.
31. # *) Uncomment the following lines and
32. # *) Set $GLOBALS['TYPO3_CONF_VARS']['BE']['compressionLevel'] = 9 for the Backend
33. # *) Set $GLOBALS['TYPO3_CONF_VARS']['FE']['compressionLevel'] = 9 together with the TypoScript properties
34. # config.compressJs and config.compressCss for GZIP compression of Frontend JS and CSS files.
35.  
36. #<FilesMatch "\.js\.gzip$">
37. # AddType "text/javascript" .gzip
38. #</FilesMatch>
39. #<FilesMatch "\.css\.gzip$">
40. # AddType "text/css" .gzip
41. #</FilesMatch>
42. #AddEncoding gzip .gzip
43.  
44. <IfModule mod_deflate.c>
45. # Force compression for mangled `Accept-Encoding` request headers
46. <IfModule mod_setenvif.c>
47. <IfModule mod_headers.c>
48. SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
49. RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
50. </IfModule>
51. </IfModule>
52.  
53. # Compress all output labeled with one of the following media types.
54. #
55. # (!) For Apache versions below version 2.3.7 you don't need to
56. # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
57. # and `</IfModule>` lines as `AddOutputFilterByType` is still in
58. # the core directives.
59. #
60. # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
61.  
62. <IfModule mod_filter.c>
63. AddOutputFilterByType DEFLATE application/atom+xml \
64. application/javascript \
65. application/json \
66. application/ld+json \
67. application/manifest+json \
68. application/rdf+xml \
69. application/rss+xml \
70. application/schema+json \
71. application/vnd.geo+json \
72. application/vnd.ms-fontobject \
73. application/x-font-ttf \
74. application/x-javascript \
75. application/x-web-app-manifest+json \
76. application/xhtml+xml \
77. application/xml \
78. font/eot \
79. font/opentype \
80. image/bmp \
81. image/svg+xml \
82. image/vnd.microsoft.icon \
83. image/x-icon \
84. text/cache-manifest \
85. text/css \
86. text/html \
87. text/javascript \
88. text/plain \
89. text/vcard \
90. text/vnd.rim.location.xloc \
91. text/vtt \
92. text/x-component \
93. text/x-cross-domain-policy \
94. text/xml
95. </IfModule>
96.  
97. <IfModule mod_mime.c>
98. AddEncoding gzip svgz
99. </IfModule>
100. </IfModule>
101.  
102. ### End: Compression ###
103.  
104.  
105.  
106. ### Begin: Browser caching of resource files ###
107.  
108. # This affects Frontend and Backend and increases performance.
109. <IfModule mod_expires.c>
110.  
111. ExpiresActive on
112. ExpiresDefault "access plus 1 month"
113.  
114. ExpiresByType text/css "access plus 1 year"
115.  
116. ExpiresByType application/json "access plus 0 seconds"
117. ExpiresByType application/ld+json "access plus 0 seconds"
118. ExpiresByType application/schema+json "access plus 0 seconds"
119. ExpiresByType application/vnd.geo+json "access plus 0 seconds"
120. ExpiresByType application/xml "access plus 0 seconds"
121. ExpiresByType text/xml "access plus 0 seconds"
122.  
123. ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
124. ExpiresByType image/x-icon "access plus 1 week"
125.  
126. ExpiresByType text/x-component "access plus 1 month"
127.  
128. ExpiresByType text/html "access plus 0 seconds"
129.  
130. ExpiresByType application/javascript "access plus 1 year"
131. ExpiresByType application/x-javascript "access plus 1 year"
132. ExpiresByType text/javascript "access plus 1 year"
133.  
134. ExpiresByType application/manifest+json "access plus 1 week"
135. ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
136. ExpiresByType text/cache-manifest "access plus 0 seconds"
137.  
138. ExpiresByType audio/ogg "access plus 1 month"
139. ExpiresByType image/bmp "access plus 1 month"
140. ExpiresByType image/gif "access plus 1 month"
141. ExpiresByType image/jpeg "access plus 1 month"
142. ExpiresByType image/png "access plus 1 month"
143. ExpiresByType image/svg+xml "access plus 1 month"
144. ExpiresByType image/webp "access plus 1 month"
145. ExpiresByType video/mp4 "access plus 1 month"
146. ExpiresByType video/ogg "access plus 1 month"
147. ExpiresByType video/webm "access plus 1 month"
148.  
149. ExpiresByType application/atom+xml "access plus 1 hour"
150. ExpiresByType application/rdf+xml "access plus 1 hour"
151. ExpiresByType application/rss+xml "access plus 1 hour"
152.  
153. ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
154. ExpiresByType font/eot "access plus 1 month"
155. ExpiresByType font/opentype "access plus 1 month"
156. ExpiresByType application/x-font-ttf "access plus 1 month"
157. ExpiresByType application/font-woff "access plus 1 month"
158. ExpiresByType application/x-font-woff "access plus 1 month"
159. ExpiresByType font/woff "access plus 1 month"
160. ExpiresByType application/font-woff2 "access plus 1 month"
161.  
162. ExpiresByType text/x-cross-domain-policy "access plus 1 week"
163.  
164. </IfModule>
165.  
166. ### End: Browser caching of resource files ###
167.  
168.  
169. ### Begin: MIME types ###
170.  
171. # Proper MIME types for all files
172. <IfModule mod_mime.c>
173.  
174. # Data interchange
175. AddType application/atom+xml atom
176. AddType application/json json map topojson
177. AddType application/ld+json jsonld
178. AddType application/rss+xml rss
179. AddType application/vnd.geo+json geojson
180. AddType application/xml rdf xml
181.  
182. # JavaScript
183. AddType application/javascript js
184.  
185. # Manifest files
186. AddType application/manifest+json webmanifest
187. AddType application/x-web-app-manifest+json webapp
188. AddType text/cache-manifest appcache
189.  
190. # Media files
191.  
192. AddType audio/mp4 f4a f4b m4a
193. AddType audio/ogg oga ogg opus
194. AddType image/bmp bmp
195. AddType image/svg+xml svg svgz
196. AddType image/webp webp
197. AddType video/mp4 f4v f4p m4v mp4
198. AddType video/ogg ogv
199. AddType video/webm webm
200. AddType video/x-flv flv
201. AddType image/x-icon cur ico
202.  
203. # Web fonts
204. AddType application/font-woff woff
205. AddType application/font-woff2 woff2
206. AddType application/vnd.ms-fontobject eot
207. AddType application/x-font-ttf ttc ttf
208. AddType font/opentype otf
209.  
210. # Other
211. AddType application/octet-stream safariextz
212. AddType application/x-bb-appworld bbaw
213. AddType application/x-chrome-extension crx
214. AddType application/x-opera-extension oex
215. AddType application/x-xpinstall xpi
216. AddType text/vcard vcard vcf
217. AddType text/vnd.rim.location.xloc xloc
218. AddType text/vtt vtt
219. AddType text/x-component htc
220.  
221. </IfModule>
222.  
223. # UTF-8 encoding
224. AddDefaultCharset utf-8
225. <IfModule mod_mime.c>
226. AddCharset utf-8 .atom .css .js .json .manifest .rdf .rss .vtt .webapp .webmanifest .xml
227. </IfModule>
228.  
229. ### End: MIME types ###
230.  
231.  
232.  
233. ### Begin: Cross Origin ###
234.  
235. # Send the CORS header for images when browsers request it.
236. <IfModule mod_setenvif.c>
237. <IfModule mod_headers.c>
238. <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
239. SetEnvIf Origin ":" IS_CORS
240. Header set Access-Control-Allow-Origin "*" env=IS_CORS
241. </FilesMatch>
242. </IfModule>
243. </IfModule>
244.  
245. # Allow cross-origin access to web fonts.
246. <IfModule mod_headers.c>
247. <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
248. Header set Access-Control-Allow-Origin "*"
249. </FilesMatch>
250. </IfModule>
251.  
252. ### End: Cross Origin ###
253.  
254.  
255.  
256. ### Begin: Rewriting and Access ###
257.  
258. # You need rewriting, if you use a URL-Rewriting extension (RealURL, CoolUri).
259.  
260. <IfModule mod_rewrite.c>
261.  
262. # Enable URL rewriting
263. RewriteEngine On
264.  
265. # force www. | fwi
266. RewriteCond %{HTTP_HOST} !^$
267. RewriteCond %{HTTP_HOST} !^www\. [NC]
268. RewriteCond %{HTTPS}s ^on(s)|
269. RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
270.  
271. # Store the current location in an environment variable CWD to use
272. # mod_rewrite in .htaccess files without knowing the RewriteBase
273. RewriteCond $0#%{REQUEST_URI} ([^#]*)#(.*)\1$
274. RewriteRule ^.*$ - [E=CWD:%2]
275.  
276. # Rules to set ApplicationContext based on hostname
277. #RewriteCond %{HTTP_HOST} ^dev\.example\.com$
278. #RewriteRule .? - [E=TYPO3_CONTEXT:Development]
279. #RewriteCond %{HTTP_HOST} ^staging\.example\.com$
280. #RewriteRule .? - [E=TYPO3_CONTEXT:Production/Staging]
281. #RewriteCond %{HTTP_HOST} ^www\.example\.com$
282. #RewriteRule .? - [E=TYPO3_CONTEXT:Production]
283.  
284. # Rule for versioned static files, configured through:
285. # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
286. # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
287. # IMPORTANT: This rule has to be the very first RewriteCond in order to work!
288. RewriteCond %{REQUEST_FILENAME} !-f
289. RewriteCond %{REQUEST_FILENAME} !-d
290. RewriteRule ^(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ $1.$3 [L]
291.  
292. # Access block for folders
293. RewriteRule _(?:recycler|temp)_/ - [F]
294. RewriteRule fileadmin/templates/.*\.(?:txt|ts)$ - [F]
295. RewriteRule ^(?:vendor|typo3_src|typo3temp/logs) - [F]
296. RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/ - [F]
297.  
298. # Block access to all hidden files and directories with the exception of
299. # the visible content from within the `/.well-known/` hidden directory (RFC 5785).
300. RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
301. RewriteCond %{SCRIPT_FILENAME} -d [OR]
302. RewriteCond %{SCRIPT_FILENAME} -f
303. RewriteRule (?:^|/)\. - [F]
304.  
305. # Stop rewrite processing, if we are in the typo3/ directory or any other known directory
306. # NOTE: Add your additional local storages here
307. RewriteRule (?:typo3/|fileadmin/|typo3conf/|typo3temp/|uploads/|favicon\.ico) - [L]
308.  
309. # If the file/symlink/directory does not exist => Redirect to index.php.
310. # For httpd.conf, you need to prefix each '%{REQUEST_FILENAME}' with '%{DOCUMENT_ROOT}'.
311. RewriteCond %{REQUEST_FILENAME} !-f
312. RewriteCond %{REQUEST_FILENAME} !-d
313. RewriteCond %{REQUEST_FILENAME} !-l
314. RewriteRule ^.*$ %{ENV:CWD}index.php [QSA,L]
315.  
316. </IfModule>
317.  
318. # Access block for files
319. <FilesMatch "(?i:^\.|^#.*#|^(?:ChangeLog|ToDo|Readme|License)(?:\.md|\.txt)?|^composer\.(?:json|lock)|^ext_conf_template\.txt|^ext_typoscript_constants\.txt|^ext_typoscript_setup\.txt|flexform[^.]*\.xml|locallang[^.]*\.(?:xml|xlf)|\.(?:bak|co?nf|cfg|ya?ml|ts|dist|fla|in[ci]|log|sh|sql(?:\..*)?|sw[op]|git.*)|.*(?:~|rc))$">
320. # Apache < 2.3
321. <IfModule !mod_authz_core.c>
322. Order allow,deny
323. Deny from all
324. Satisfy All
325. </IfModule>
326.  
327. # Apache ≥ 2.3
328. <IfModule mod_authz_core.c>
329. Require all denied
330. </IfModule>
331. </FilesMatch>
332.  
333. # Block access to vcs directories
334. <IfModule mod_alias.c>
335. RedirectMatch 404 /\.(?:git|svn|hg)/
336. </IfModule>
337.  
338. ### End: Rewriting and Access ###
339.  
340.  
341.  
342. ### Begin: Miscellaneous ###
343.  
344. # 404 error prevention for non-existing redirected folders
345. Options -MultiViews
346.  
347. # Make sure that directory listings are disabled.
348. <IfModule mod_autoindex.c>
349. Options -Indexes
350. </IfModule>
351.  
352. <IfModule mod_headers.c>
353. # Force IE to render pages in the highest available mode
354. Header set X-UA-Compatible "IE=edge"
355. <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff2?|xml|xpi)$">
356. Header unset X-UA-Compatible
357. </FilesMatch>
358.  
359. # Reducing MIME type security risks
360. Header set X-Content-Type-Options "nosniff"
361. </IfModule>
362.  
363. # ETag removal
364. <IfModule mod_headers.c>
365. Header unset ETag
366. </IfModule>
367. FileETag None
368.  
369. ### End: Miscellaneous ###
370.  
371.  
372. # Add your own rules here.