我的 .htaccess 文件中有以下块
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
</IfModule>
我希望这会阻止 OPTIONS / TRACK 和 TRACE 请求,但允许 HTTP 请求。
当我浏览
myserver.com
我明白了
Forbidden
You don't have permission to access / on this server.
但是,当我访问
myserver.com/SubPage
页面加载?它有点奇怪,我希望有更多的一致性。它是一个在 Apache /MySQL 实现上运行的 Wordpress 站点。
我的 .htccess 文件如下
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
**#RewriteRule %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)**
**#RewriteRule .* - [F]**
</IfModule>
# END WordPress
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set Referrer-Policy "same-origin"
Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self' http://myserver.com/"
Header set X-Content-Type-Options nosniff
Header unset X-Powered-By
Header unset X-Pingback
Header unset SERVER
Header set Referrer-Policy: strict-origin-when-cross-origin
</IfModule>
# Protect sensitive files
<FilesMatch "^(wp-config.php|license.txt|readme.html)">
Order Allow,Deny
Deny from all
</FilesMatch>
# protect phpinfo
<Files php-info.php>
Order Deny,Allow
Deny from all
</Files>
# Block User ID Phishing Requests
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* http://www.myserver,com/? [L,R=302]
</IfModule>