# @version $Id: htaccess.txt 13415 2009-11-03 15:53:25Z ian $
SetEnv PHP_VER 7_0
SetEnv REGISTER_GLOBALS 0
SetEnv ZEND_OPTIMIZER 1
SetEnv MAGIC_QUOTES 0

RewriteEngine On
# RewriteRule ^([^\.]+)\.html /index.php?page=$1 [L]
# AddType application/x-httpd-php5 .php 

## Mise en cache Mad
### Caching mod_headers + mod_expires
 
<IfModule mod_expires.c>
 
 # Turn on Expires and set default to now
 ExpiresActive On
 ExpiresDefault "now"
 
 # Set up caching on media files for 1 month
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|swf)$">
 ExpiresDefault "access plus 1 month"
 </FilesMatch>
 
 # Set up caching on images, CSS and JS files for 1 week
 <FilesMatch "\.(gif|jpg|jpeg|png|js|css)$">
 ExpiresDefault "access plus 1 week"
 </FilesMatch>
 
 # Set up 1 hour caching on commonly updated files
 # <FilesMatch "\.(xml|xsl|html|htm|txt)$">
 <FilesMatch "\.(xml|xsl)$">
 ExpiresDefault "access plus 1 hour"
 </FilesMatch>
 
 # Force no caching for dynamic files
 <FilesMatch "\.(php|cgi|pl)$">
 ExpiresActive Off
 </FilesMatch>
</IfModule>
 
<IfModule mod_headers.c>
 
 # Remote ETag from headers
 Header unset ETag
 
 # Disable ETag for files
 FileETag None
 
 # Media files are catchable
 <FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav|swf)$">
 Header append Cache-Control "public"
 </FilesMatch>
 
 # Images, css and javascript files are catchable
 <FilesMatch "\.(gif|jpg|jpeg|png|js|css)$">
 Header append Cache-Control "public"
 </FilesMatch>
 
 # Commonly updated files are catchable
 # <FilesMatch "\.(xml|html|htm|txt)$">
 <FilesMatch "\.(xml|)$">
 Header append Cache-Control "public"
 </FilesMatch>
 
 # Force no caching for dynamic files
 <FilesMatch "\.(php|cgi|pl|htm)$">
 Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
 Header set Pragma "no-cache"
 </FilesMatch>

 ## ajout avec la version 3.9.21
 Header always set Content-Security-Policy "script-src 'none'"

 ## 030621 ajout
 Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
 Header always append X-Frame-Options SAMEORIGIN
 # The `X-Frame-Options` response header should be send only for
 # HTML documents and not for the other resources.
 <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|top ojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
 Header unset X-Frame-Options
 </FilesMatch>
 Header set X-Content-Type-Options "nosniff"
 Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>

# @package Joomla
# @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##


#####################################################
#  READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations.  It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file.  If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's.  If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################

##  Can be commented out if causes errors, see notes above.
##Options +FollowSymLinks

# ajout suite MaJ Joomla 3.9.3
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
#
#  mod_rewrite in use
RewriteEngine On

########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
## Deny access to extension xml files (uncomment out to activate)
## Modifications du 15.12.2010 par Mahdi (lignes de 38 à 42 décommentées)
<Files ~ "\.xml$">
Order allow,deny
# Deny from all
# Satisfy all
</Files>
# Autoriser consultation sitemap.xml
<Files sitemap.xml>
order deny,allow
allow from all
</Files>

## End of deny access to extension xml files
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#

## Modifications du 15.12.2010 par Mahdi (ajout de la ligne 58 à 133)
########## Block bad user agents
 RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
 RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
 RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
 RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
 RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
 RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
 RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
 RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
 RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
 RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
 RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
 RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
 RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
 RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Zeus
 
## Modifications du 15.12.2010 par Mahdi (ajout de la ligne 136 à 157) 
 ## Other useful settings (autres réglages utiles)

 ServerSignature Off
 RewriteCond %{REQUEST_METHOD}  ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
 RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
 
 RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 RewriteCond %{HTTP_COOKIE}     ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|”>|”<|/|\\\.\.\\).{0,9999}.* [NC,OR]
 
 RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|scan).* [NC,OR]
 RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 
 #Block mySQL injects
 RewriteCond %{QUERY_STRING}    ^.*(;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
 
 RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
 RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
 RewriteCond %{QUERY_STRING}    ^.*(<|>|’|%0A|%0D|%27|%3C|%3E|%00).* [NC]
 
## Modifications du 15.12.2010 par Mahdi (ajout de la ligne 160 à 163) 
## Rewrite conditions need to be followed by a rewrite rule, such as:

# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]



########## End - Rewrite rules to block out some common exploits

#  Uncomment following line if your webserver's URL
#  is not directly related to physical file paths.
#  Update Your Joomla! Directory (just / for root)

# RewriteBase /


########## Begin - Joomla! core SEF Section
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$  [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
#
########## End - Joomla! core SEF Section


## ajout avec la version 3.9.22
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

## ajout du 030621
Header set Content-Security-Policy: "base-uri 'self'; default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' d1sn4l25wts1t9.cloudfront.net *.google-analytics.com *.googletagmanager.com *.googletagservices.com cdn.ampproject.org *.facebook.net *.linkedin.com *.googleapis.com *.google.com *.google.fr *.googlesyndication.com *.doubleclick.net *.ipify.org *.iubenda.com *.acyba.com *.youtube.com *.ytimg.com *.gstatic.com *.jquery.com *.cloudflare.com *.jsdelivr.net; style-src 'self' 'unsafe-inline' d1sn4l25wts1t9.cloudfront.net *.googleapis.com maxcdn.boo *.bootstrapcdn.com *.google.com *.jsdelivr.net; img-src 'self' *.betterweb.fr data: d1sn4l25wts1t9.cloudfront.net *.google-analytics.com *.googletagmanager.com stats.g.doubleclick.net *.acyba.com *.facebook.com static.licdn.com *.linkedin.com traffic.alexa.com *.semrush.com csi.gstatic.com *.google.com *.google.fr zxing.org *.googleapis.com *.norrnext.com *.licdn.com *.joomla.org *.unsplash.com pixabay.com *.pexels.com *.tassos.gr *.iubenda.com api.ecologi.com; child-src 'self' *.facebook.com *.facebook.net *.youtube.com *.youtube-nocookie.com *.googletagmanager.com *.acyba.com *.linkedin.com *.iubenda.com *.gstatic.com *.google.com *.doubleclick.net *.joomunited.com; font-src 'self' data: fonts.gstatic.com d1sn4l25wts1t9.cloudfront.net fonts.googleapis.com *.bootstrapcdn.com *.jsdelivr.net; connect-src 'self' api.ipify.org *.google-analytics.com *.doubleclick.net *.ampproject.net *.googletagmanager.com *.google.com *.google.fr *.appspot.com *.youtube.com *.linkedin.com *.iubenda.com *.cdnjs.com *.facebook.com yootheme.com; media-src 'self' *.amazonaws.com *.googlesyndication.com; upgrade-insecure-requests; report-uri https://betterweb.report-uri.com/r/d/csp/enforce;"

<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|top ojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
Header unset Content-Security-Policy
</FilesMatch>