.htaccess と web.config の見直し

.htaccess

@@ -1,11 +1,11 @@
 DirectoryIndex index.php index.html .ht
 
-<FilesMatch "^composer|^autoload|^cli-config|^COPYING|\.(ini|lock|dist|git|sh|bak|swp)$">
+<FilesMatch "^composer|^COPYING|^\.env|^Procfile|^app\.json|^gulpfile\.js|^package\.json|^package-lock\.json|web\.config|\.(ini|lock|dist|git|sh|bak|swp|env|twig|yml|yaml)$">
     order allow,deny
     deny from all
 </FilesMatch>
 
-<Files ~ "index.php|index_dev.php">
+<Files ~ "index.php">
     order deny,allow
     allow from all
 </Files>
@@ -24,7 +24,7 @@ Header set X-Content-Type-Options nosniff
     #Options +FollowSymLinks +SymLinksIfOwnerMatch
 
     RewriteEngine On
-
+    
     # Authorization ヘッダが取得できない環境への対応
     RewriteCond %{HTTP:Authorization} ^(.*)
     RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]
@@ -33,6 +33,16 @@ Header set X-Content-Type-Options nosniff
     # RewriteCond %{HTTP:x-sakura-forwarded-for} !^$
     # RewriteRule ^(.*) - [E=HTTPS:on]
 
+    RewriteRule "^\.git" - [F]
+    RewriteRule "^src/" - [F]
+    RewriteRule "^app/" - [F]
+    RewriteRule "^tests/" - [F]
+    RewriteRule "^var/" - [F]
+    RewriteRule "^vendor/" - [F]
+    RewriteRule "^node_modules/" - [F]
+    RewriteRule "^codeception/" - [F]
+    RewriteRule "^bin/" - [F]
+
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !^(.*)\.(gif|png|jpe?g|css|ico|js|svg|map)$ [NC]
     RewriteRule ^(.*)$ index.php [QSA,L]

bin/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

codeception/.htaccess

@@ -0,0 +1,2 @@
+order allow,deny
+deny from all

web.config

@@ -5,17 +5,27 @@
     <directoryBrowse enabled="false" />
     <rewrite>
       <rules>
-        <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(app|src)$" />
-          <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
-        </rule>
         <rule name="Force simple error message for requests for non-existent favicon.ico" stopProcessing="true">
           <match url="favicon\.ico" />
           <conditions>
               <add input="{REQUEST_FILENAME}" matchType="IsFile" ignoreCase="false" negate="true" />
           </conditions>
           <action type="CustomResponse" statusCode="404" subStatusCode="1" statusReason="File Not Found" statusDescription="The requested file favicon.ico was not found" />
         </rule>
+        <rule name="hidden to vendor" stopProcessing="true">
+        <match url="^vendor/" />
+          <conditions>
+              <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
+          </conditions>
+          <action type="CustomResponse" statusCode="403" subStatusCode="1" statusReason="Access Forbidden" />
+        </rule>
+        <rule name="hidden to node_modules" stopProcessing="true">
+        <match url="^node_modules/" />
+          <conditions>
+              <add input="{REQUEST_FILENAME}" matchType="IsDirectory" ignoreCase="false" negate="true" />
+          </conditions>
+          <action type="CustomResponse" statusCode="403" subStatusCode="1" statusReason="Access Forbidden" />
+        </rule>
         <!-- Rewrite URLs of the form 'x' to the form 'index.php/x'. -->
         <rule name="Short URLs" stopProcessing="true">
           <match url="^(.*)$" ignoreCase="false" />
@@ -28,37 +38,48 @@
         </rule>
       </rules>
     </rewrite>
-    
+
     <security>
       <requestFiltering>
         <hiddenSegments>
-          <add segment="app"/>
-          <add segment="src"/>
-          <add segment="vendor"/>
-          <add segment="tests"/>
+          <add segment="app" />
+          <add segment="src" />
+          <add segment="tests" />
+          <add segment="var" />
+          <add segment="codeception" />
+          <add segment="bin" />
         </hiddenSegments>
         <denyUrlSequences>
           <add sequence="composer" />
           <add sequence="autoload" />
-          <add sequence="cli-config" />
           <add sequence="COPYING" />
+          <add sequence=".env" />
+          <add sequence=".htaccess" />
+          <add sequence="Procfile" />
+          <add sequence="/app.json" />
+          <add sequence="/gulpfile.js" />
+          <add sequence="/package.json" />
+          <add sequence="/package-lock.json" />
+          <add sequence=".git" />
+          <!-- see https://technet.microsoft.com/ja-jp/library/ee431583.aspx#EEA -->
+          <add sequence=".." />
+          <add sequence=":" />
+          <add sequence="\" />
         </denyUrlSequences>
         <fileExtensions>
           <add fileExtension=".ini" allowed="false" />
           <add fileExtension=".lock" allowed="false" />
           <add fileExtension=".dist" allowed="false" />
-          <add fileExtension=".git" allowed="false" />
           <add fileExtension=".sh" allowed="false" />
           <add fileExtension=".bak" allowed="false" />
           <add fileExtension=".swp" allowed="false" />
+          <add fileExtension=".yaml" allowed="false" />
+          <add fileExtension=".yml" allowed="false" />
+          <add fileExtension=".twig" allowed="false" />
+          <add fileExtension=".cache" allowed="false" />
         </fileExtensions>
       </requestFiltering>
     </security>
-
-    <httpErrors>
-      <remove statusCode="404" subStatusCode="-1" />
-      <error statusCode="404" prefixLanguageFilePath="" path="/index.php" responseMode="ExecuteURL" />
-    </httpErrors>
 
     <defaultDocument>
       <!-- Set the default document -->
@@ -69,4 +90,3 @@
     </defaultDocument>
   </system.webServer>
 </configuration>
-