RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

##################################################################################################

#

# aeSecure v2.1 (c) AVONTURE Christophe (http://www.aesecure.com/)

#

# !!! ---------------------------------------------------------------------------------------- !!!

# !!! DON'T MODIFIY THIS FILE MANUALLY.   IF YOU NEED TO ADD RULES IN IT, JUST USE YOUR        !!!

# !!! http://yoursite/aesecure/setup.php?YOUR_LONG_KEY PAGE INTERFACE AND GO TO OPTION 1.4     !!!

# !!! "Manual edit of your .htaccess"                                                          !!!

# !!! ---------------------------------------------------------------------------------------- !!!

#

# If the .htaccess file isn't working at all, check in your httpd.conf server file that

# AllowOverride variable is not set on None and in that case change the settings to All

#

# So change "AllowOveridde None" to "AllowOverride All" (without double-quote).  Restart then the Apache server.

#

##################################################################################################

#aeSecure 1.1



#AESECURE_BLOCKUSERAGENT_START
#aeSecure 2.8

<IfModule mod_rewrite.c>

 RewriteEngine On

 # Block based on the user-Agent.  Show a 403 page - access denied

 RewriteCond %{HTTP_USER_AGENT} ".*(AhrefsBot|base64_decode|BOT for JCE|BOT/0.1 (BOT for JCE)|Cliqzbot|dotbot|javascript|JDatabaseDriver|JFactory|Lipperhey SEO Service|Mail\.RU_Bot|MJ12bot|niki-?bot|OrangeBot|phpinfo|SeznamBot|Sogou).*" [NC]


 RewriteRule .* - [F]

</IfModule>
#AESECURE_BLOCKUSERAGENT_END

#AESECURE_BLOCKIP_START

#AESECURE_BLOCKIP_END

#AESECURE_BLOCKPARTURL_START
#aeSecure 1.6

<IfModule mod_rewrite.c>

 # These lines have been added by the option 1.6 of aeSecure.  Use the interface if you need to modify part of the rules

 RewriteEngine On

 RewriteCond %{REQUEST_URI} .*\.php\.(gif|jpe?g|png).* [NC,OR]
RewriteCond %{REQUEST_URI} .*(php-ofc-library|streaming|uploadify).* [NC,OR]
RewriteCond %{REQUEST_URI} .*(/(openflash|tmp-upload-images)/).*$ [NC,OR]
RewriteCond %{REQUEST_URI} .*(/(cache|components|images|logs|modules|plugins)/[^/]+\.php(\?*)).*$ [NC,OR]
RewriteCond %{QUERY_STRING} .*(task=upload).*$ [NC,OR]
RewriteCond %{QUERY_STRING} .*(\+Result:).*$ [NC,OR]
RewriteCond %{QUERY_STRING} (baca|rf)$ [NC,OR]
RewriteCond %{QUERY_STRING} cmd=wget [NC,OR]
RewriteCond %{QUERY_STRING} .*(dallow_url_include|FileUpload).* [NC,OR]
RewriteCond %{QUERY_STRING} \.php\.(gif|jpe?g|png).* [NC]


 RewriteRule .* /aesecure/accessdenied.php?s=426 [L]

</IfModule>
#AESECURE_BLOCKPARTURL_END

#AESECURE_BLOCKREFERRER_START
#aeSecure 2.9

<IfModule mod_rewrite.c>

 RewriteEngine On

 # Protection : don't allow the user to block his own server

 RewriteCond %{REMOTE_ADDR} !127.0.0.1

 RewriteCond %{REMOTE_ADDR} !178.33.103.143

 RewriteCond %{HTTP_REFERER} !ccijf.asso.fr

 RewriteCond %{HTTP_REFERER} 4webmasters\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} 76brighton\.co\.uk [NC,OR]
 RewriteCond %{HTTP_REFERER} 7makemoneyonline\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} adcash\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} adviceforum\.info [NC,OR]
 RewriteCond %{HTTP_REFERER} anonym\.to [NC,OR]
 RewriteCond %{HTTP_REFERER} anticrawler\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} antonym\.to [NC,OR]
 RewriteCond %{HTTP_REFERER} Best-seo-offer\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} best-seo-solution\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} blackhatworth\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} Blackhatworth\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} buttons-for-website\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} Buttons-for-your-website\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} cenokos\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} cenoval\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} cityadspix\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} cyprusbuyproperties\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} darodar\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} darodar\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} descargar-musica-gratis\.net [NC,OR]
 RewriteCond %{HTTP_REFERER} econom\.co [NC,OR]
 RewriteCond %{HTTP_REFERER} econom\.co [NC,OR]
 RewriteCond %{HTTP_REFERER} edakgfvwql\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} forum\.topic44637676\.darodar\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} forum\.topic52548358\.darodar\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} forum\.topic53813291\.darodar\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} forum20\.smailik\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} get-free-traffic-now\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} gobongo\.info [NC,OR]
 RewriteCond %{HTTP_REFERER} googlsucks\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} hulfingtonpost\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} humanorightswatch\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} iedit\.ilovevitaly\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} iloveitaly\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} ilovevitaly\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} ilovevitaly\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} iskalko\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} kambasoft\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} Lomb\.co [NC,OR]
 RewriteCond %{HTTP_REFERER} Lombia\.co [NC,OR]
 RewriteCond %{HTTP_REFERER} luxup\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} make-money-online\.7makemoneyonline\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} myftpupload\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} offers\.bycontext\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} o-o-6-o-o\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} paparazzistudios\.com\.au [NC,OR]
 RewriteCond %{HTTP_REFERER} pornhub-forum\.uni\.me [NC,OR]
 RewriteCond %{HTTP_REFERER} powitania\.pl [NC,OR]
 RewriteCond %{HTTP_REFERER} priceg\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} prodvigator\.ua [NC,OR]
 RewriteCond %{HTTP_REFERER} ranksonic\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} resellerclub\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} s\.click\.aliexpress\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} savetubevideo\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} saveyoutubevideo\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} screentoolkit\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} semalt\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} semalt\.semalt\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} seoexperimenty\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} sharebutton\.net [NC,OR]
 RewriteCond %{HTTP_REFERER} sharebutton\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} shopping\.ilovevitaly\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} simple-share-buttons\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} site12\.social-buttons\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} slftsdybbg\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} social-buttons\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} socialseet\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} superiends\.org [NC,OR]
 RewriteCond %{HTTP_REFERER} tasteidea\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} torontoplumbinggroup\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} vodkoved\.ru [NC,OR]
 RewriteCond %{HTTP_REFERER} websocial\.me [NC,OR]
 RewriteCond %{HTTP_REFERER} www\.majestic12\.co\.uk [NC,OR]
 RewriteCond %{HTTP_REFERER} www1\.social-buttons\.com [NC,OR]
 RewriteCond %{HTTP_REFERER} ykecwqlixx\.ru [NC]


 RewriteCond %{REQUEST_FILENAME} !accessdenied\.php [NC]  

 RewriteRule .* /aesecure/accessdenied.php?s=587 [L]

</IfModule>
#AESECURE_BLOCKREFERRER_END



# Define the 403 - Access denied page

ErrorDocument 403 '<html xmlns="http://www.w3.org/1999/xhtml"><head><style type="text/css" >body{color:#fff;background-color:#851507;font:14px/1.5 Helvetica,Arial,sans-serif};</style><title>Access denied</title></head><body><div style="margin:20px auto;width:700px;padding-top:50px"><img src="assets/images/aesecure_denied.png" style="float:right;" alt="aeSecure"/><h1>Access denied, unauthorized access.<br/><br/>If you think it\'s an error, please inform the webmaster to help him to adjust his security rules.  Thank you.</h1><pre style="padding:20px;white-space:pre-line;border-radius:10px;background-color:#b34334">Code : 403 - Deny access</pre></div></body></html>'



# Force to mention index.html when trying to access f.i. to http://yoursite/images

<IfModule mod_autoindex.c>

 IndexIgnore *



 ##

 # READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE!

 #

 # The line just below this section: 'Options +FollowSymLinks' may cause problems

 # with some server configurations.  It is required for use of mod_rewrite, but may already

 # be set by your server administrator in a way that dissallows changing it in

 # your .htaccess file.  If using it causes your server to error out, comment it out (add # to

 # beginning of line), reload your site in your browser and test your sef url's.  If they work,

 # it has been set by your server administrator and you do not need it set here.

 ##

 ## Can be commented out if causes errors, see notes above.

 Options +FollowSymLinks -Indexes

</IfModule>



# Define the default page ordering (first index.php if present, otherwise index.html)

DirectoryIndex index.php index.html



#AESECURE_MAINTENANCE_START

#AESECURE_MAINTENANCE_END



#AESECURE_COMPRESSION_START
#aeSecure 8.2

# Compression



# Apache 2.0 : use mod_deflate; more recent than mod_gzip (Apache 1.3+)

<IfModule mod_deflate.c>

 SetOutputFilter DEFLATE

 <IfModule mod_filter.c>

   AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/css text/javascript application/javascript application/x-javascript

 </IfModule>

</IfModule>



# On somes hosters, mod_deflate isn't installed but well mod_gzip.

<IfModule mod_gzip.c>

    mod_gzip_on       Yes

    mod_gzip_dechunk  Yes

    mod_gzip_item_include file      \.(html?|txt|css|js|php|pl)$

    mod_gzip_item_include handler   ^cgi-script$

    mod_gzip_item_include mime      ^text/.*

    mod_gzip_item_include mime      ^application/x-javascript.*

    mod_gzip_item_exclude mime      ^image/.*

    mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

</IfModule>
#AESECURE_COMPRESSION_END



#Uncomment if want to force HTTPS and if your server can handle it

#RewriteCond %{HTTPS} off

#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}



# -------------------------------------------------------------------------

# -- Inclusion of the aeSecure Premium htaccess (only for Premium users) --



# Tell to the browser that .gz files should be first unzip then processed as html/css/js depending on the first extension



<IfModule mod_headers.c>

   <FilesMatch "\.html\.gz$">

     ForceType text/html

     Header set Content-Encoding: gzip

   </FilesMatch>



   <FilesMatch "\.js\.gz$">

     ForceType text/javascript

     Header set Content-Encoding: gzip

   </FilesMatch>



   <FilesMatch "\.css\.gz$">

     ForceType text/css

     Header set Content-Encoding: gzip

   </FilesMatch>

</IfModule>



# When accessing to f.i. /assets/script.js, the server will check if a file /assets/scripts.js.gz exists and if so, sent this file instead.

# A .gz file is a compressed file



#<IfModule mod_rewrite.c>

#RewriteEngine On

#RewriteCond %{HTTP:Accept-encoding} gzip

#RewriteCond %{REQUEST_FILENAME}\.gz -s

#RewriteRule ^(.*)$ %{REQUEST_URI}.gz [R=307,L]

#</IfModule>

# -------------------------------------------------------------------------



# -------------------------------------------------------------------------

# ----------------------------- Site security -----------------------------

# -------------------------------------------------------------------------



# Activate PHP 5.4 which is more secure than older version

# Comment this line when php is no more executed but downloaded, it's the case on local webserver (localhost) or

# when your hosting company doesn't support php 5.4 yet

<IfModule mod_php5.c>

 #AddHandler application/x-httpd-php54 .php .php5 .php4 .php3.

</IfModule>



#AESECURE_FILEUPLOAD_START

#AESECURE_FILEUPLOAD_END



#AESECURE_ERRORREPORTING_START
#aeSecure 1.3

# Disable errors and warnings; don't allow the user to see them but redirect them into a logfile

<IfModule mod_php5.c>

 php_flag display_errors off

 php_flag log_errors on

 php_value track_errors on

 php_value error_log aesecure/logs/error.log

</IfModule>
#AESECURE_ERRORREPORTING_END



<IfModule mod_php5.c>



 # Be sure that these php.ini variables are correctly initialized

 php_value register_globals off



 # Disable magic_quotes (if not yet done in httpd.conf)

 php_flag magic_quotes_runtime off

 php_flag magic_quotes_sybase off



 # Set your default timezone.

 php_value date.timezone Europe/Brussels



 # Increase cookie security; reduce XSS attacks

 # http://www.php.net/manual/fr/session.configuration.php#ini.session.cookie-httponly

 # CAUSE PROBLEM WITH AUTHENTIFICATION IN JOOMLA!®  DON'T UNCOMMENT.

 #php_value session.cookie_secure true

 #php_value session.use_only_cookies true

 #php_value session.cookie_httponly true



 </IfModule>



# ------------------------------

# --- Block files/folders



<IfModule mod_rewrite.c>



 RewriteEngine On



 #AESECURE_BLOCKFILE_START

 #aesecure 1.7

 # Block direct access to these files : don't allow an url like f.i. http://yoursite/install.txt

 RewriteCond %{REQUEST_FILENAME} (boot.ini|changelog.php|changelog.txt|configuration.php|contributing.md|copyright.php|credits.php|htaccess.txt|httpd.conf|install.mysql)$ [NC,OR]

 RewriteCond %{QUERY_STRING} (boot.ini|changelog.php|changelog.txt|configuration.php|contributing.md|copyright.php|credits.php|htaccess.txt|httpd.conf|install.mysql).*$ [NC,OR]

 RewriteCond %{REQUEST_FILENAME} (install.pgsql|install.txt|joomla.xml|license.php|license.txt|maintainers.php|maintainers.txt|php.ini|phpinfo.php|readme.htm)$ [NC,OR]

 RewriteCond %{QUERY_STRING} (install.pgsql|install.txt|joomla.xml|license.php|license.txt|maintainers.php|maintainers.txt|php.ini|phpinfo.php|readme.htm).*$ [NC,OR]

 RewriteCond %{REQUEST_FILENAME} (readme.html|readme.txt|upgrade.txt|web.config.txt|web.config|wp-config.php)$ [NC,OR]

 RewriteCond %{QUERY_STRING} (readme.html|readme.txt|upgrade.txt|web.config.txt|web.config|wp-config.php).*$

 RewriteCond %{SCRIPT_FILENAME} -f

 RewriteRule .* /aesecure/accessdenied.php?s=148 [L]

 #AESECURE_BLOCKFILE_END



 # Never direct access to these files or folder (aesecure)

 # Block f.i. http://yoursite/.htaccess, http://yoursite/configuration.php, ...

 RewriteCond %{REQUEST_FILENAME} .*\.(phtm?l?|ash?x|aspx?|cfml?|cgi|pl|jsp|sql)$ [NC,OR]

 RewriteCond %{REQUEST_FILENAME} .*\.(bak|config|dll|exe|sql|ini|log|sh|inc|dist)$ [NC,OR]

 RewriteCond %{REQUEST_FILENAME} .*\.(htaccess|htaccess_old|htpasswd)$ [NC]

 RewriteCond %{SCRIPT_FILENAME} -f

 RewriteRule .* /aesecure/accessdenied.php?s=148 [L]



 # ------------------------------

 # --- Block fingerprint



 # Block &tp=1 or &tmpl=offline ...

 # Block f.i. http://yoursite/index.php?tmpl=offline

 RewriteCond %{QUERY_STRING} (^|&)tmpl=(system|offline) [NC]

 RewriteRule .* - [L]

 RewriteCond %{QUERY_STRING} (^|&)tp= [NC]

 RewriteRule .* - [F]



 # ------------------------------

 # --- Block specific querystring



 # PHP Easter Eggs

 # Block f.i. http://yoursite/index.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42 but not if 

 # the request comes from the webserver himself (=allowed on localhost and serveur (since called by Joomla backend))

 RewriteCond %{REMOTE_ADDR} !127.0.0.1

 RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]

 RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?ccijf\.asso\.fr [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=758 [L]



 # Block out any script trying to modify a _REQUEST / PHP GLOBAL variables via URL

 # Block out any script trying to set a PHP GLOBALS variable via URL.

 # Block f.i. http://yoursite/index.php?GLOBALS=SuperMe

 RewriteCond %{QUERY_STRING} ((\?|&)GLOBALS(=|\[|\%[0-9A-Z]{0,2})?) [NC,OR]

 RewriteCond %{QUERY_STRING} ((\?|&)_REQUEST(=|\[|\%[0-9A-Z]{0,2})?) [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=654 [L]



 # Block out any script that includes a <script> tag in URL.

 # Block f.i. http://yoursite/index.php?%3Cscript%3Ealert%28%27Msg%27%29;%3C/script%3E

 # Block f.i. http://yoursite/index.php?%3Ctable%20background=%22javascript:alert(([code])%22%3E%3C/table%3E

 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]

 RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]

 RewriteCond %{QUERY_STRING} ((java)?script:).*(;).* [NC,OR]   

 RewriteCond %{QUERY_STRING} .*(\&lt;script).* [NC] 

 RewriteRule .* /aesecure/accessdenied.php?s=541 [L]



 #xss blocage  For instance, a parameter on the querystring is an url (http://...)

 RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]

 # Exception : the http:// parameter has been set by the website himself.  This is the case with WordPress, f.i. 

 # because wp-admin makes a redirection to wp-login.  Allow the server IP and localhost

 RewriteCond %{REMOTE_ADDR} !127.0.0.1

 RewriteCond %{REMOTE_ADDR} !178.33.103.143

 RewriteCond %{QUERY_STRING} !option=com_akeeba&view=backup(.*)$ [NC]

 RewriteCond %{QUERY_STRING} !(.*)https?(://|%3A%2F%2F)ccijf\.asso\.fr(.*)$ [NC]   

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(s|%73|%53)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%3a(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(f|%66|%46)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)%20(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)%20(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)(t|%74|%54)(t|%74|%54)(p|%70|%50)%20(%3A|:)(/|%2F){2}(.*)$ [NC,OR]

 RewriteCond %{QUERY_STRING} ^(.*)(%3D|=|%3A|%09)(.*)(h|%68|%48)%20(t|%74|%54)(t|%74|%54)(p|%70|%50)(%3A|:)(/|%2F){2}(.*)$ [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=782 [L]



 # Block out any script trying to base64_encode data within the URL.

 # Block f.i. http://yoursite/index.php?ImageName=base64_encode(%22I'm%20an%20hacker...%20Tadaaa%22)

 RewriteCond %{QUERY_STRING} .*base64_(de|en)code.* [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=345 [L]



 # Block querystring where "PHPSESSID" appears.

 RewriteCond %{QUERY_STRING} ^.*PHPSESSID.*$ [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=310 [L]



 # Redirect tentative to use the com_users standard component of Joomla and

 # redirect to Community Builder

 #RewriteCond %{QUERY_STRING} option=com_users&view=login [NC]

 #RewriteRule .* index.php?option=com_comprofiler&task=login [L]



 # Prevent use of specified methods in HTTP Request,  but allow opensiteexplorer.org to do so

 # http://bodvoc.com/index.php?option=com_content&view=article&id=43&catid=2&Itemid=3; see rule #1

 RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]

 RewriteCond %{HTTP_REFERER} !(www\.)?opensiteexplorer\.org/ [NC]

 RewriteCond %{HTTP_REFERER} !(www\.)?uptimerobot\.com/ [NC]

 RewriteCond %{HTTP_REFERER} !http://validator\.w3\.org/ [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=651 [L]



 # Block out use of illegal or unsafe characters in the HTTP Request

 # Block urls having a carriage return or linefeed in it

 # Block also urls having "wwwroot" or "public_html" in it.  Can be an hacker trying to access to a localfile

 # Block urls having "alert(", "char(", "eval(", "function(" ... 

 RewriteCond %{QUERY_STRING} .*((alert|char|eval|function|load_file)\().* [NC,OR]

 RewriteCond %{QUERY_STRING} .*(\_vti\_|crossdomain|wwwroot|public_html).* [NC,OR]

 RewriteCond %{QUERY_STRING} .*(\\r|\\n|%0A|%0D).* [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=429 [L]



 # No carriage return, line feed, escape (%27), ... in the query string

 # Block f.i. http://yoursite/index.php?value=%27

 RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%25|%27|%3C|%3E|%00).* [NC,OR]

 RewriteCond %{QUERY_STRING} ^.*((\/\*)?\*\/).* [NC,OR]

 RewriteCond %{QUERY_STRING} ^.*\|\|.* [NC]

 RewriteCond %{QUERY_STRING} !option=com_akeeba(.*)$ [NC]   # exception for Akeeba backup

 RewriteRule .* /aesecure/accessdenied.php?s=271 [L]



 # Block SQL injection tentatives

 # Block f.i. http://yoursite/index.php?%3CDROP%20TABLE%20jos_users%3E

 RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%25|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|declare|drop|update|md5|benchmark).* [NC,OR]

 RewriteCond %{QUERY_STRING} ^.*(%20)?([(])?(union|select|insert|cast|declare|group_concat|drop|update|md5|benchmark)%20.* [NC,OR] 

 RewriteCond %{QUERY_STRING} ^.*(%20|\+)(AND|OR)(%20|\+).* [NC,OR] 

 RewriteCond %{QUERY_STRING} ^.*(%20|\+)ORDER(%20|\+).* [NC,OR] 

 RewriteCond %{QUERY_STRING} ^.*%201\=1.* [NC] 

 RewriteRule .* /aesecure/accessdenied.php?s=682 [L]

 # Block urls trying to get access to the jos_ defaut prefix of Joomla 1.5

 RewriteCond %{QUERY_STRING} .*jos_.*  [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=682 [L]



 #Block functions in the querystring (f.i. String.fromCharCode)

 RewriteCond %{QUERY_STRING} ^.*string\.fromcharcode.* [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=352 [L]



 # Filter against shell attacks

 # Block f.i. http://yoursite/index.php?cmd=chmod or http://yoursite/index.php?act=tools&d=54

 # http://yoursite/index.php?page=../../../../proc/self/environ or http://yoursite/index.php?cmd=../../etc/passwd



 RewriteCond %{REQUEST_URI} .*((php|my)?shell|remview.*|phpremoteview.*|sshphp.*|pcom|nstview.*|c99|r57|webadmin.*|phpget.*|phpwriter.*|fileditor.*|locus7.*|storm7.*)\.(p?s?x?htm?l?|txt|aspx?|cfml?|cgi|pl|php[3-9]{0,1}|jsp?|sql|xml) [NC,OR]

 RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]

 RewriteCond %{QUERY_STRING} ^(.*)([-_a-z]{1,15})=(chmod|chdir|mkdir|rmdir|clear|whoami|uname|unzip|gunzip|grep|umask|telnet|ssh|ftp|mkmode|logname|edit_file|search_text|find_text|php_eval|download_file|ftp_file_down|ftp_file_up|ftp_brute|mail_file|mysql_dump|db_query)([^a-zA-Z0-9].+)*$ [OR]

 RewriteCond %{QUERY_STRING} ^work_dir=.*$ [OR]

 RewriteCond %{QUERY_STRING} ^command=.*&output.*$ [OR]

 RewriteCond %{QUERY_STRING} ^nts_[a-z0-9_]{0,10}=.*$ [OR]

 RewriteCond %{QUERY_STRING} ^c=(t|setup|codes)$ [OR]

 RewriteCond %{QUERY_STRING} ^act=((about|cmd|selfremove|chbd|trojan|backc|massbrowsersploit|exploits|grablogins|upload.*)|((chmod|f)&f=.*))$ [OR]

 RewriteCond %{QUERY_STRING} ^act=(ls|search|fsbuff|encoder|tools|processes|ftpquickbrute|security|sql|eval|update|feedback|cmd|gofile|mkfile)&d=.*$ [OR]

 RewriteCond %{QUERY_STRING} ^&?c=(l?v?i?&d=|v&fnot=|setup&ref=|l&r=|d&d=|tree&d|t&d=|e&d=|i&d=|codes|md5crack).*$ [OR]

 RewriteCond %{QUERY_STRING} ^(.*)*etc(/|%2F)passwd* [OR]

 # Windows slashes \..

 RewriteCond %{QUERY_STRING} .*(((\\|%5C)\.\.\\)+).* [OR]

 # Unix slashes /..

 RewriteCond %{QUERY_STRING} .*(((\/|%2F)\.\.)+).* [OR]

 RewriteCond %{QUERY_STRING} ^(.*)*proc\/self\/environ* [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=490 [L]

</IfModule>



#AESECURE_BLOCKHIDDENFOLDERS_START

#aesecure 2.6

# Block access to hidden files and directories.

# This includes directories used by version control systems such as Git and SVN.

<IfModule mod_rewrite.c>

 RewriteCond %{SCRIPT_FILENAME} -d [OR]

 RewriteCond %{SCRIPT_FILENAME} -f

 RewriteRule "(^|/)\." /aesecure/accessdenied.php?s=26 [L]

</IfModule>

#AESECURE_BLOCKHIDDENFOLDERS_END

#AESECURE_BLOCK_COM_USERS_START

#AESECURE_BLOCK_COM_USERS_END

#AESECURE_BADBOTS_START
#aeSecure 2.3

# ------------------------------

# --- Block bad bots and spam



# Block website "aspirator" and well known bad bots.  This list is NOT exhaustive.

<IfModule mod_setenvif.c>

 SetEnvIfNoCase ^User-Agent$ .*(aesop_com_spiderman|ahrefsbot|alexibot|backweb|bandit|batchftp|bigfoot).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(black.?hole|blackwidow|blowfish|botalot|buddy|builtbottough|bullseye).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(cheesebot|cherrypicker|chinaclaw|collector|copier|copyrightcheck).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(cosmos|crescent|curl|custo|da|diibot|disco|dittospyder|dragonfly).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(drip|easydl|ebingbong|ecatch|eirgrabber|emailcollector|emailsiphon).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(emailwolf|erocrawler|exabot|eyenetie|filehound|flashget|flunky).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(frontpage|getright|getweb|go.?zilla|go-ahead-got-it|gotit|grabnet).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(grafula|harvest|hloader|hmview|httplib|httrack|humanlinks|ilsebot).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(infonavirobot|infotekies|intelliseek|interget|iria|jennybot|jetcar).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(joc|justview|jyxobot|kenjin|keyword|larbin|leechftp|lexibot|lftp|libweb).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(likse|linkscan|linkwalker|lnspiderguy|lwp|magnet|mag-net|markwatch).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(mata.?hari|memo|microsoft.?url|midown.?tool|miixpc|mirror|missigua).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(mister.?pix|mj12bot|moget|mozilla.?newt|nameprotect|navroad|backdoorbot|nearsite).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(net.?vampire|netants|netcraft|netmechanic|netspider|nextgensearchbot).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(attach|nicerspro|nimblecrawler|npbot|octopus|offline.?explorer).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(offline.?navigator|openfind|outfoxbot|pagegrabber|papa|pavuk).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(pcbrowser|php.?version.?tracker|pockey|propowerbot|prowebwalker).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(psbot|pump|queryn|recorder|realdownload|reaper|reget|rogerbot|true_robot).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(repomonkey|rma|internetseer|sitesnagger|siphon|slysearch|smartdownload).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(snake|snapbot|snoopy|sogou|spacebison|spankbot|spanner|sqworm|superbot).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(superhttp|surfbot|asterias|suzuran|szukacz|takeout|teleport).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(telesoft|the.?intraformant|thenomad|tighttwatbot|titan|urldispatcher).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(turingos|turnitinbot|urly.?warning|vacuum|vci|voideye|whacker).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(widow|wisenutbot|wwwoffle|xaldon|zeus|zyborg|anonymouse).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*web(zip|emaile|enhancer|fetch|go.?is|auto|bandit|clip|copier|master|reaper|sauger|site.?quester|whack).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(craftbot|download|extract|stripper|sucker|ninja|clshttp|webspider|leacher|collector|grabber|webpictures).* HTTP_SAFE_BADBOT

 SetEnvIfNoCase ^User-Agent$ .*(libwww-perl|aesop_com_spidermano).* HTTP_SAFE_BADBOT

 # Don't redirect to the access denied page since the user agent can't definitly access to our pages

 Order Deny,Allow

 Allow from All

 Deny from env=HTTP_SAFE_BADBOT

</IfModule>



<IfModule mod_rewrite.c>

 RewriteEngine On

 # Antispam (just populate the list of other keywords)

 # Block f.i. http://yoursite/index.php?postmsg=ejaculation i.e. any querystring that contains one "blacklisted" word

 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b [NC,OR]

 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b [NC,OR]

 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b [NC,OR]

 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|vuiton|xanax|ypxaieo)\b [NC]

 RewriteRule .* /aesecure/accessdenied.php?s=23 [L]

</IfModule>
#AESECURE_BADBOTS_END

#AESECURE_BLOCK_COMPONENTS_START

#AESECURE_BLOCK_COMPONENTS_END



# Disable Server Signature, be sure that PHP version number won't be transmitted

ServerSignature Off

# -------------------------------------------------------------------------

# -------------- IE aka Immonde Explorateur (Awful explorer)  -------------

# -------------------------------------------------------------------------



# Always force latest IE rendering engine (even in intranet) & Chrome Frame

# Read http://www.1stwebdesigner.com/design/snippets-html5-boilerplate/; X-UA-Compatible chapter

<IfModule mod_headers.c>

 <IfModule mod_setenvif.c>

    BrowserMatch MSIE ie

    Header set X-UA-Compatible "IE=Edge,chrome=1"

    # mod_headers can't match by content-type, but we don't want to send this header on *everything*...

    <FilesMatch "\.(js|css|gif|png|jpe?g|webp|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff2?|ico|webp|appcache|manifest|htc|crx|xpi|safariextz|vcf)$" >

      Header unset X-UA-Compatible

    </FilesMatch>

 </IfModule>

</IfModule>



# -------------------------------------------------------------------------

# --------------------------- Site optimization ---------------------------

# -------------------------------------------------------------------------



#AESECURE_HOTLINKING_START

#AESECURE_HOTLINKING_END



<IfModule mod_rewrite.c>

 # Browsers trying to access to the site favicon from a bad locations...  This will generate 404 pages

 # and entries in logfiles; avoid this. Redirect to the good file

 #--- Commented because need to first verify if the querystring points to favicon or not.

 #--- need to verify too the existence of the /templates/favicon.ico file first

 #RewriteCond %{REQUEST_URI} !^/favicon\.ico [NC]

 #RewriteCond %{REQUEST_URI} favicon\.ico    [NC]

 #RewriteRule (.*) http://%{HTTP_HOST}/templates/favicon.ico [R=301,L]

</IfModule>



#AESECURE_WITHORNOTWWW_START

#AESECURE_WITHORNOTWWW_END



# Everything will be, by default, in utf-8, in French

AddDefaultCharset UTF-8

DefaultLanguage fr-FR



<IfModule mod_mime.c>

 AddType image/svg+xml .svg .svgz .svg.gz

 AddType application/x-gzip .gz .gzip

 AddType text/css .css.gz

 AddType text/html .html.gz .htm.gz

 AddType image/x-icon .ico.gz .icon.gz

 AddType text/plain .txt.gz

 AddType text/json .json.gz

 AddType text/xml .xml.gz

 AddType application/xslt+xml .xsl.gz

 AddType application/javascript .js.gz

 AddCharset utf-8 .atom .css .js .json .rss .xml .css.gz .htm.gz .html.gz .js.gz .xml.gz

</IfModule>



#AESECURE_PAGESPEED_START

#AESECURE_PAGESPEED_END

#AESECURE_EXPIREBYTYPE_START
#aeSecure 8.3

<IfModule mod_headers.c>

   # Keep the connection alive (not really related to expirations but really increase download speed

   Header set Connection keep-alive

</IfModule>



<IfModule mod_expires.c>



   ExpiresActive On



   # Default expiration: 1 hour after request

   ExpiresDefault "now plus 1 hour"



   # CSS and JS expiration

   ExpiresByType text/css "access 1 month"

   ExpiresByType text/javascript "access 1 month"

   ExpiresByType application/javascript "access 1 month"

   ExpiresByType application/x-javascript "access 1 month"



   # htc files  (css3pie)

   ExpiresByType text/x-component         "access 1 month"



   # rss feed

   ExpiresByType application/rss+xml       "access 4 hour"



   # webfonts

   ExpiresByType font/truetype             "access 1 year"

   ExpiresByType font/opentype             "access 1 year"

   ExpiresByType application/x-font-woff   "access 1 year"

   ExpiresByType image/svg+xml             "access 1 year"

   ExpiresByType application/vnd.ms-fontobject "access 1 year"

   ExpiresByType application/x-font-ttf    "access 1 year"



   # Image files expiration

   AddType image/vnd.microsoft.icon .cur

   ExpiresByType image/svg+xml "access 1 month"

   ExpiresByType image/gif "access 1 month"

   ExpiresByType image/jpg "access 1 month"

   ExpiresByType image/jpeg "access 1 month"

   ExpiresByType image/png "access 1 month"

   ExpiresByType image/webp "access 1 month"

   ExpiresByType image/vnd.microsoft.icon "access 1 year"

   ExpiresByType image/x-icon "access 1 year"

   ExpiresByType image/ico "access 1 year"

   ExpiresByType image/icon "access 1 year"

   ExpiresByType text/ico "access 1 year"

   ExpiresByType application/ico "access 1 year"



   # Flash

   ExpiresByType application/x-shockwave-flash "access plus 2 months"

   ExpiresByType image/swf "access plus 2592000 seconds"



   # Files

   ExpiresByType application/pdf "access 1 week"

   ExpiresByType application/x-gzip "access 1 month"



</IfModule>



# Perhaps the MIME type of SWF is incorrect, in this case, the FileMatch will do the job

<IfModule mod_headers.c>

   <FilesMatch "\.(swf)$">

      Header set Expires "access plus 2592000 seconds"

   </FilesMatch>

</IfModule>


#AESECURE_EXPIREBYTYPE_END

#AESECURE_MINIFY_START

#AESECURE_MINIFY_END

#AESECURE_BOTSNOARCHIVE_START
#aeSecure 2.5

# Don't allow search engines to index somes files based on their extensions

<FilesMatch "\.(accdb|doc|docx|mdb|ppt|pptx|xls|xlsx|zip)$">

 <IfModule mod_headers.c>

  Header set X-Robots-Tag "noindex, noarchive"

 </IfModule>

</FilesMatch>
#AESECURE_BOTSNOARCHIVE_END

#AESECURE_BLOCKROBOTSTXT_START
#aeSecure 2.7

<IfModule mod_rewrite.c>

 # Block curious who try to get access to the robots.txt file from an url.

 RewriteEngine On

 RewriteRule robots.txt$ /aesecure/setup.php?r=1 [L]

</IfModule>
#AESECURE_BLOCKROBOTSTXT_END



## force the latest IE version, in various cases when it may fall back to IE7 mode

## github.com/rails/rails/commit/123eb25#commitcomment-118920

## Use ChromeFrame if it's installed for a better experience for the poor IE folk

<IfModule mod_headers.c>



  # Just for the fun, doesn't have any impact.

  Header set Protected-by "aesecure (c) Christophe Avonture"



  # In case of, remove the X-Powered-By which reveal the PHP version number running on the server

  Header unset X-Powered-By



  # Disable ETags (French explanations : http://www.takeitweb.fr/blog/configurer-etags.html)

  Header unset ETag

  FileEtag None



</IfModule>



<IfModule mod_headers.c>

 ## Because X-UA-Compatible isn't sent to non-IE (to save header bytes),

 ## We need to inform proxies that content changes based on UA

 Header append Vary User-Agent

 ## Cache control is set only if mod_headers is enabled, so that's unncessary to declare

</IfModule>



#AESECURE_REDIRECTIONS_START

#AESECURE_REDIRECTIONS_END



# Include your manual changes here below

#AESECURE_OLDHTACCESS_START
#aeSecure 1.4
SetEnv TZ Europe/Paris



#AuthUserFile /var/www/sites/ccijf.asso.fr/ccijf/.htpasswd

#AuthGroupFile /dev/null

#AuthName "Input your ID and Password."

#AuthType Basic



#require valid-user



#<Files ~ "^.(htpasswd|htaccess)$">

#    deny from all

#</Files>



#php_value mbstring.language neutral

#php_flag output_buffering off



RewriteEngine On

RewriteRule ^index.php/ja/about-ccijf-list/about-ccijf-07/9-about-ccijf-09(.*) http://www.ccijf.asso.fr/ccijf/index.php/ja/about-ccijf/about-ccijf-07/about-ccijf-09 [R=301,L]

RewriteRule ^index.php/ja/infos-membres/38-infos-membres-01(.*) http://www.ccijf.asso.fr/ccijf/index.php/ja/infos-membres/infos-membres-01 [R=301,L]
#AESECURE_OLDHTACCESS_END



#AESECURE_REWRITE_START
#aeSecure 7.1

<IfModule mod_rewrite.c>



 RewriteEngine On



 # Joomla! core SEF Section

 # Workaround for HTTP authorization in CGI environment

 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]



 # If the requested path and file is not /index.php and the request

 # has not already been internally rewritten to the index.php script

 RewriteCond %{REQUEST_URI} !^/index\.php



 # and the request is for something within the component folder,

 # or for the site root, or for an extensionless URL, or the

 # requested URL ends with one of the listed extensions

 RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$ [NC]



 # Never rewrite for existing files, directories and links

 RewriteCond %{REQUEST_FILENAME} !-f

 RewriteCond %{REQUEST_FILENAME} !-d

 RewriteCond %{REQUEST_FILENAME} !-l



 # internally rewrite the request to the index.php script

 RewriteRule .* index.php [L]



</IfModule>
#AESECURE_REWRITE_END