#33990 htaccess maker default settings

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 03 December 2020 20:17 CST

NuevaCommunications

Quick question: I changed some settings in htaccess Maker which blocked the site. I have reverted to the standard Joomla htaccess file, so the site is ok, but the problem is that I have forgotten which settings I changed, and I stupidly did not note them down.

Is there someplace where the default settings are listed so that I can regenerate the AdminTools htaccess file with the default settings, rather than go through and try every setting?

Also, the latest Joomla update now recommends a bunch of changes to htaccess (see below). Are they included in the AdminTools-generated htaccess, or do I need to add them manually?

Thanks,

Matt

htaccess Update Concerning Directory Listings

Since version 3.9.22

Before 3.9.22 the default htaccess.txt file contained erroneous code meant for disabling directory listings. The security team recommends manually applying the necessary changes to any existing .htaccess file, as this file cannot be updated automatically.

The old code:

<IfModule autoindex>
  IndexIgnore *
</IfModule>

The new code:

<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>
Additional XSS protection for the usage of SVG files

Since version 3.9.21

Since 3.9.21 Joomla is shipped with an additional security rule in the default htaccess.txt. This rule will protect users of SVG files from potential Cross-Site Scripting (XSS) vulnerabilities.
The security team recommends manually applying the necessary changes to any existing .htaccess file, as this file cannot be updated automatically.

Changes for .htaccess

<FilesMatch "\.svg$">
  <IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'none'"
  </IfModule>
</FilesMatch>

Currently we are not aware of a method to conditionally configure this on IIS web servers, please contact your hosting provider for further assistance.

Updated Text Filter Recommendations

Since version 3.9.19

As part of our security team's review, we have made some changes to the default settings for the global text filters in a new Joomla installation. The default setting for the 'Public', 'Guest' and 'Registered' groups is now 'No HTML'. As these changes are only applied to new installations, we strongly recommend that you review these changes and update your site from: System -> Global Configuration -> Text Filters

.htaccess & web.config Security Update

Since version 3.9.3

Joomla is now shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so-called MIME-type sniffing feature in web browsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (e.g. images) will be executed, leading to Cross-Site Scripting vulnerabilities.

The security team recommends manually applying the necessary changes to existing .htaccess or web.config files, as those files cannot be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
  <customHeaders>
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>
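The three Joomla recommendations quoted in the post above (the corrected `mod_autoindex.c` block, the SVG Content-Security-Policy rule, and the `X-Content-Type-Options: nosniff` header placed before `## Mod_rewrite in use.`) can be checked mechanically against a site's current .htaccess. The script below is an added example and is not code from the ticket, from Joomla or from Admin Tools; the two .htaccess fragments embedded in it are constructed samples, and the function names `audit_htaccess` and `missing_hardening` are the example's own.

```python
import re
import sys

# Constructed sample: a pre-3.9.22 style file with the erroneous autoindex
# block and none of the later hardening rules.
OLD_HTACCESS = """
<IfModule autoindex>
  IndexIgnore *
</IfModule>
## Mod_rewrite in use.
RewriteEngine On
"""

# Constructed sample: a file that carries all three recommended changes,
# with the nosniff header ahead of the mod_rewrite marker as Joomla advises.
HARDENED_HTACCESS = """
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

<FilesMatch "\\.svg$">
  <IfModule mod_headers.c>
    Header always set Content-Security-Policy "script-src 'none'"
  </IfModule>
</FilesMatch>

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
## Mod_rewrite in use.
RewriteEngine On
"""

REWRITE_MARKER = "## Mod_rewrite in use."

# Each check is a regex over the comment-stripped file.
CHECKS = {
    # Correct directory-listing block: the module test must name mod_autoindex.c.
    "autoindex_block_correct": re.compile(
        r"<IfModule\s+mod_autoindex\.c>\s*IndexIgnore\s+\*\s*</IfModule>", re.I),
    # The broken pre-3.9.22 form, which never matches a loaded module.
    "autoindex_block_broken": re.compile(r"<IfModule\s+autoindex>", re.I),
    # SVG files served with a CSP that forbids script execution.
    "svg_csp": re.compile(
        r'<FilesMatch\s+"\\\.svg\$">.*?Header\s+always\s+set\s+Content-Security-Policy'
        r'\s+"script-src\s+\'none\'".*?</FilesMatch>', re.I | re.S),
    # MIME-type sniffing disabled for every response.
    "nosniff": re.compile(
        r'Header\s+always\s+set\s+X-Content-Type-Options\s+"nosniff"', re.I),
}


def _strip_comments(text):
    """Drop Apache comment lines so a commented-out rule does not count as present."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))


def audit_htaccess(text):
    """Return a dict of check name -> bool for the given .htaccess contents."""
    body = _strip_comments(text)
    result = {name: bool(rx.search(body)) for name, rx in CHECKS.items()}
    # Joomla asks for the nosniff block to sit before the mod_rewrite marker;
    # when the marker is absent there is no ordering constraint to violate.
    marker = text.find(REWRITE_MARKER)
    hit = CHECKS["nosniff"].search(body)
    result["nosniff_before_rewrite"] = bool(hit) and (
        marker == -1 or text.find(hit.group(0)) < marker)
    return result


def missing_hardening(text):
    """Human-readable list of deviations from the three recommendations."""
    r = audit_htaccess(text)
    problems = []
    if r["autoindex_block_broken"]:
        problems.append("old '<IfModule autoindex>' block present; replace with "
                        "'<IfModule mod_autoindex.c>'")
    if not r["autoindex_block_correct"]:
        problems.append("directory-listing block '<IfModule mod_autoindex.c> "
                        "IndexIgnore *' missing")
    if not r["svg_csp"]:
        problems.append("SVG Content-Security-Policy rule missing")
    if not r["nosniff"]:
        problems.append("X-Content-Type-Options nosniff header missing")
    elif not r["nosniff_before_rewrite"]:
        problems.append("nosniff header should come before '%s'" % REWRITE_MARKER)
    return problems


if __name__ == "__main__":
    # Usage: python audit_htaccess.py /path/to/.htaccess
    # Without an argument the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"OLD_HTACCESS": OLD_HTACCESS, "HARDENED_HTACCESS": HARDENED_HTACCESS}
    for name, content in samples.items():
        issues = missing_hardening(content)
        print(name + ":", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The checks deliberately run on a comment-stripped copy of the file, so a rule that someone disabled with a leading `#` is reported as missing rather than present; the ordering check for the nosniff header follows the "before `## Mod_rewrite in use.`" placement Joomla's message asks for.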

tampe125
Akeeba Staff

Hello,

let's start with the easy question. You can ignore Joomla messages: those suggestions were already applied by Admin Tools years ago. Moreover, since every server is different, Joomla gives you more conservative advice to avoid breaking your site, while Admin Tools knows what's running on your site and applies tailored directives for you.
Finally, it can do that in a more aggressive way, since if anything breaks you can always go back to the previous version of the .htaccess file.

Now, regarding your case, that's a bit hard, since at the moment the only way to reset the Htaccess Maker is to run the Quick Setup Wizard again, but that would overwrite all your existing rules.

HOWEVER!

You can export your current configuration using the built-in tool, run the Quick Setup Wizard and then import it again.

That should work, but please take a backup before doing it.

Davide Tampellini

Developer and Support Staff

🇮🇹Italian: native 🇬🇧English: good • 🕐 My time zone is Europe / Rome (UTC +1)
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
