N°3231 - Allow browser access to static resources files in the /lib folder

2026-02-13 07:24:13 +01:00 · 2020-08-04 09:07:39 +02:00
parent a15235d522
commit 19b5290e80
2 changed files with 38 additions and 10 deletions
--- a/lib/.htaccess
+++ b/lib/.htaccess
@@ -1,12 +1,23 @@
+# Allow only static resources files
+# - HTML not allowed as there could be some test pages calling server scripts or executing JS scripts
+# - PHP not allowed as they should not be publicly accessible
+
 # Apache 2.4
 <ifModule mod_authz_core.c>
 Require all denied
+	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot1)$">
+	    Require all granted
+	</FilesMatch>
 </ifModule>

 # Apache 2.2
 <ifModule !mod_authz_core.c>
 deny from all
 Satisfy All
+	<FilesMatch ".+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot)$">
+	    Order Allow,Deny
+	    Allow from all
+	</FilesMatch>
 </ifModule>

 # Apache 2.2 and 2.4
--- a/lib/web.config
+++ b/lib/web.config
@@ -1,13 +1,30 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Allow only static resources files -->
+<!-- - HTML not allowed as there could be some test pages calling server scripts or executing JS scripts -->
+<!-- - PHP not allowed as they should not be publicly accessible -->
 <configuration>
  <system.webServer>
-    <security>
-      <requestFiltering>
-         <fileExtensions applyToWebDAV="false" allowUnlisted="false"></fileExtensions>
-      </requestFiltering>
-      <authorization>
-        <deny users="*" /> <!-- Denies all users -->
-      </authorization>
-    </security>
+      <security>
+         <requestFiltering>
+            <fileExtensions applyToWebDAV="false" allowUnlisted="false" >
+               <add fileExtension=".css" allowed="true" />
+               <add fileExtension=".scss" allowed="true" />
+               <add fileExtension=".js" allowed="true" />
+               <add fileExtension=".map" allowed="true" />
+               <add fileExtension=".png" allowed="true" />
+               <add fileExtension=".bmp" allowed="true" />
+               <add fileExtension=".gif" allowed="true" />
+               <add fileExtension=".jpeg" allowed="true" />
+               <add fileExtension=".jpg" allowed="true" />
+               <add fileExtension=".svg" allowed="true" />
+               <add fileExtension=".tiff" allowed="true" />
+
+               <add fileExtension=".woff" allowed="true" />
+               <add fileExtension=".woff2" allowed="true" />
+               <add fileExtension=".ttf" allowed="true" />
+               <add fileExtension=".eot" allowed="true" />
+            </fileExtensions>
+         </requestFiltering>
+      </security>
  </system.webServer>
 </configuration>