
The .htaccess file

Nicholas K. Dionysopoulos edited this page Jul 5, 2023 · 1 revision

Panopticon ships with a file called htaccess.txt. If you are using Apache 2.2 or later (preferably Apache 2.4) as your web server and you are accessing Panopticon over HTTP, you should rename this file to .htaccess.

This .htaccess file enables the following optional, but very welcome, security and performance features:

  • Disables listing the files of arbitrary subdirectories.
  • Blocks access to internal directories with no web-accessible content, e.g. cache, tmp, vendor, ViewTemplates and so on.
  • Sets up the Content-Security-Policy, X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options HTTP headers to tighten the security of your Panopticon installation.
  • Automatically compresses static media files with Brotli (preferred, if available), or Gzip.
  • Disables the X-Powered-By and X-Content-Powered-By headers.
  • Enables HSTS (the HTTP Strict-Transport-Security header) to force your installation to be accessed over HTTPS.
  • Disables the HTTP method TRACE, which is not used by Panopticon and could be abused for Cross-Site Tracing.
  • Sets the default output character set to UTF-8 so that your browser can display pages correctly, even on misconfigured installations of PHP.
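As an added illustration, not Panopticon's shipped htaccess.txt, the directives below show one way to express each feature in the list above for Apache 2.4. They assume AllowOverride permits these directives, that mod_rewrite is enabled (as the page requires) along with mod_headers and mod_brotli or mod_deflate, and that the site is served over HTTPS (the HSTS line is harmful otherwise); the Content-Security-Policy value is a placeholder, not Panopticon's real policy.

```apache
# Added example; NOT Panopticon's htaccess.txt. Directory names are the ones
# named on this page; the CSP value is a placeholder to be replaced.

# No directory listings anywhere under this tree.
Options -Indexes

# Internal directories with no web-accessible content answer 403.
RewriteEngine On
RewriteRule ^(cache|tmp|vendor|ViewTemplates)(/|$) - [F,L]

# TRACE is not used by Panopticon; refuse it (Cross-Site Tracing defence).
# TraceEnable is not permitted in .htaccess, so mod_rewrite does the job.
RewriteCond %{REQUEST_METHOD} ^TRACE$ [NC]
RewriteRule .* - [F,L]

<IfModule mod_headers.c>
    # Browser hardening headers. "always" also covers error responses.
    # PLACEHOLDER policy: a real one lists every origin the site loads from.
    Header always set Content-Security-Policy "default-src 'self'"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"

    # Drop version-disclosure headers added by PHP or the server.
    Header unset X-Powered-By
    Header unset X-Content-Powered-By

    # HSTS: only meaningful on an HTTPS-only deployment (the page's stated
    # assumption). Browsers will refuse plain HTTP for a year afterwards.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

# Compress text assets: Brotli when available, otherwise Gzip via deflate.
<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/css text/javascript application/javascript application/json image/svg+xml
</IfModule>
<IfModule !mod_brotli.c>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml
    </IfModule>
</IfModule>

# UTF-8 by default, even if PHP's default_charset is misconfigured.
AddDefaultCharset UTF-8
```

After deploying, confirm the effect from outside with a HEAD request (for example `curl -sI https://your-host/`) and check that the hardening headers are present and X-Powered-By is absent.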

Caveats

The included .htaccess content requires Apache's mod_rewrite module to be enabled. If it is not, you will be unable to access your installation; in that case, delete the .htaccess file.

The included .htaccess content is compatible with Apache 2.2 and Apache 2.4. It seems to work fine with Litespeed. However, it will not work correctly with OpenLitespeed. Unlike Litespeed proper, OpenLitespeed does NOT support the full range of .htaccess directives, which leads to problems. If you have a problem using Panopticon with OpenLitespeed, delete the .htaccess file, or switch to either Apache (free) or Litespeed (commercial, for a fee).

The included .htaccess content is written with the assumption that your Panopticon installation is accessible over HTTPS. This is the only recommended setup for security reasons. If you have some fringe use case where this is not so, e.g. you use a standalone SSL/TLS terminator in front of Apache, you will have to edit the file manually. Please do not ask for assistance; if you have such a use case you should be more than comfortable editing a .htaccess file.

.htaccess files are NOT supported by the NginX and Microsoft Internet Information Services (IIS) web servers. We have no plans to port our .htaccess content to NginX and/or IIS. Users of these servers need to be technically adept, or work with such a person, and can therefore configure their server themselves.
