Update .htaccess for better security and caching

[atishhamte]

Update .htaccess for better security and caching

Added a few points like,

• Disable directory access
• CORS setting
• Disable image hotlinking
• Disable server signature
• mod expires for caching
• Added GZip and DEFLATE types

Checklist:

• Securely signed commits
• Conforms to style guide

[msaladna]

This PR needs a rework. htaccess changes should be limited to what's necessary for the application to work as intended. Anything extraneous needs to be the discretion of the person managing the server, including hotlinking - not the application that should be as neutral as possible.

For example, Options All implies all options are enabled, including +FollowSymLinks and +SymLinksIfOwnerMatches. Not all platforms permit +FollowSymLinks because in multi-user environments it can lead to some really nasty side-channel attacks with linking index.foo to say config.php where index.foo is the web user, config.php is the system user. Enabling such a directive in a secure environments yields a 550 ISE.

Edit: a nastier example is when mod_includes is loaded, default with CentOS/RHEL 7+ at least. You can use SSI to side-step +SymLinksIfOwnerMatches using <!--#include virtual="victim" --> where victim is a symlink to another file on the filesystem. Only discretionary access controls restrict access.

ServerSignature should be deferred to the admin configuring the server. In reverse proxy environments it would be useful to keep this on to see which node in the chain yielded an error.

ExpiresDefault already specifies 1 month as its base. No need to duplicate directives that must be evaluated serially on every request. Keep the htaccess terse if you want maintainability.

AddOutputFilterByType DEFLATE will also take care of compression (and a far better option), but again this should be at the discretion of the global server configuration not the application. No need to also compress with mod_gzip unless you're running < Apache 2.0, but if so you have much bigger problems.

[lonnieezell]

I believe hotlinking check has been removed. We'd welcome a PR to take care of all of that.

[msaladna]

Jettison the merge.

This is a framework, not an all-in-one systems management platform. Follow Postel's Law. Do the least that is necessary for CI to work and leave the rest to the user how they want to configure the environment.

• Do you really want newcomers asking why their svg isn't updating?
• Do you really need to support IE8?
• Do you really want CI to behave much differently behind Nginx than Apache?

[Paradinight]

I would remove the .htaccess file completely. it is not the framework task.
short: we are not wordpress or an other cms.