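# Front-controller routing plus access-control and response-header hardening.
# Needs mod_rewrite, mod_alias and mod_headers, and an AllowOverride setting
# that permits these directives. There are no <IfModule> guards, so a missing
# module makes Apache reject this file instead of silently serving requests
# without the protections below.
RewriteEngine on

# If the request maps to an existing file, serve it directly.
# The directory test is commented out, so existing directories are forwarded
# to index.php like any other non-file path.
RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d

# otherwise forward it to index.php
# No [L] flag here: the deny rules below still run, but a request that was
# just rewritten to index.php no longer matches them, so they act on paths
# that were left as requested (i.e. existing files).
RewriteRule . index.php

# deny access to hidden files and directories except .well-known
# REQUEST_URI is the full URL path, so the exception only applies when this
# file sits in the document root; in a subdirectory install .well-known is
# denied along with every other dot-path.
RewriteCond %{REQUEST_URI} !^/\.well-known
RewriteRule ^(.*/)?\.+ - [F]

# deny access to composer.json that is used for remote fingerprinting
# The dot is escaped so it matches literally, and NC keeps the rule effective
# on case-insensitive filesystems.
# NOTE(review): composer.lock is not covered by this rule; confirm it is not
# reachable from the web root.
RewriteRule ^composer\.json - [F,NC]

# issue #19865
RewriteRule ^setdebug\.php - [F,NC]

# deny access to hidden files and directories without mod_rewrite
# (mod_alias fallback; the lookahead exempts only a root-level .well-known/)
RedirectMatch 403 ^/(?!\.well-known/)(.*/)?\.+

# General setting to properly handle LimeSurvey paths
# AcceptPathInfo on

# Response hardening headers.
# X-XSS-Protection is a deprecated, non-standard header that modern browsers
# ignore; the Content-Security-Policy below is the effective control.
# NOTE(review): "Header set" uses the default onsuccess condition, so these
# headers are not added to error responses Apache generates itself (such as
# the 403s above); "Header always set" is the form that covers those.
Header set X-XSS-Protection "1; mode=block"
# default-src 'none' blocks every fetch type that is not listed explicitly
# (scripts, images, fonts, connections); only same-origin and inline styles
# are allowed, and frame-ancestors 'none' forbids framing by any page.
# base-uri and form-action do not fall back to default-src and are therefore
# unrestricted by this policy.
Header set Content-Security-Policy "default-src 'none'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'"

# Disable Multiviews (issue #16859)
Options -MultiViews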