### ===========================================================================
### Security Enhanced & Highly Optimized .htaccess File for Joomla!
### automatically generated by Admin Tools 7.6.1 on 2024-11-20 09:25:26 PST
### Auto-detected Apache version: 2.5 (best guess)
### ===========================================================================
###
### The contents of this file are based on the same author's work "Master
### .htaccess".
###
### Admin Tools is Free Software, distributed under the terms of the GNU
### General Public License version 3 or, at your option, any later version
### published by the Free Software Foundation.
###
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! IMPORTANT !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
### !!                                                                       !!
### !!  If you get an Internal Server Error 500 or a blank page when trying  !!
### !!  to access your site, remove this file and try tweaking its settings  !!
### !!  in the back-end of the Admin Tools component.                        !!
### !!                                                                       !!
### !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
###

##### RewriteEngine enabled - BEGIN
RewriteEngine On
##### RewriteEngine enabled - END

# PHP FastCGI fix for HTTP Authorization
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
##### RewriteBase set - BEGIN
RewriteBase /
##### RewriteBase set - END

##### Custom Rules (Top of File) -- BEGIN
Redirect 301 /img/icons.png https://transformingteachers.org/components/com_jce/editor/tiny_mce/themes/advanced/img/icons.png

##### Custom Rules (Top of File) -- END

##### File execution order -- BEGIN
DirectoryIndex index.php index.html
##### File execution order -- END

##### No directory listings -- BEGIN
IndexIgnore *
Options -Indexes
##### No directory listings -- END

##### Redirect index.php to / -- BEGIN
RewriteCond %{THE_REQUEST} !^POST
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ / [R=301,L]
##### Redirect index.php to / -- END
##### Redirect www to non-www -- BEGIN
# HTTP
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
# HTTPS
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP:X-Forwarded-Proto} !=http
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
##### Redirect www to non-www -- END

##### Rewrite rules to block out some common exploits -- BEGIN
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F]
##### Rewrite rules to block out some common exploits -- END
##### File injection protection -- BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http[s]?:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection -- END

##### Advanced server protection rules exceptions -- BEGIN
RewriteRule ^administrator\/components\/com_akeeba\/restore\.php$ - [L]
RewriteRule ^administrator\/components\/com_joomlaupdate\/restore\.php$ - [L]
RewriteRule ^administrator\/components\/com_akeebabackup\/restore\.php$ - [L]
RewriteRule ^administrator\/components\/com_joomlaupdate\/extract\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^\.well\-known/ - [L]
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^js/ - [L]
RewriteCond %{REQUEST_FILENAME} !(\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^component\/osmap/ - [L]
RewriteRule ^templates\/t3_bs3_blank/ - [L]
RewriteRule ^t3\-assets/ - [L]
##### Advanced server protection rules exceptions -- END

##### Advanced server protection -- BEGIN

#### Back-end protection
RewriteRule ^administrator/?$ - [L]
RewriteRule ^administrator/index\.(php|html?)$ - [L]
RewriteRule ^administrator/(components|modules|templates|images|plugins)/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$ - [L,NC]
RewriteRule ^administrator/ - [F]
#### Front-end protection
## Allow limited access to additional TinyMCE plugins' HTML files
RewriteRule ^media/plg_editors_tinymce/js/plugins/.*\.(htm|html)$ - [L,NC]
## Allow limited access for certain directories with client-accessible content
RewriteRule ^(components|modules|templates|images|plugins|media|libraries|media/jui/fonts)/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|ico|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$ - [L,NC]
RewriteRule ^(components|modules|templates|images|plugins|media|libraries|media/jui/fonts)/ - [F]
## Disallow front-end access for certain Joomla! system directories (unless access to their files is allowed above)
RewriteRule ^includes/js/ - [L]
RewriteRule ^(cache|includes|language|logs|log|tmp)/ - [F]
RewriteRule ^(configuration\.php|CONTRIBUTING\.md|htaccess\.txt|joomla\.xml|LICENSE\.txt|phpunit\.xml|README\.txt|web\.config\.txt) - [F]

## Explicitly allow access to the site's index.php main entry point file
RewriteRule ^index.php(/.*){0,1}$ - [L]
## Explicitly allow access to the API application's index.php main entry point file
RewriteRule ^api/index.php(/.*){0,1}$ - [L]
## Explicitly allow access to the site's robots.txt file
RewriteRule ^robots.txt$ - [L]

## Disallow access to all other PHP files throughout the site, unless they are explicitly allowed
RewriteCond %{REQUEST_FILENAME} (\.php)$
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (.*\.php)$ - [F]
#### Disable client-side risky behavior in backend static content
SetEnvIf Request_URI "^/administrator/(components|modules|templates|images|plugins)/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" disable_risky_behaviour
##### Always allow TinyMCE plugin files to load scripts (they need to)
SetEnvIf Request_URI "^/media/plg_editors_tinymce/js/plugins/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour

##### Advanced server protection rules exceptions also bypass the “disable client-side risky behavior” features -- BEGIN
SetEnvIf Request_URI "^/administrator\/components\/com_akeeba\/restore\.php$" !disable_risky_behaviour
SetEnvIf Request_URI "^/administrator\/components\/com_joomlaupdate\/restore\.php$" !disable_risky_behaviour
SetEnvIf Request_URI "^/administrator\/components\/com_akeebabackup\/restore\.php$" !disable_risky_behaviour
SetEnvIf Request_URI "^/administrator\/components\/com_joomlaupdate\/extract\.php$" !disable_risky_behaviour
SetEnvIf Request_URI "^/\.well\-known/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour
SetEnvIf Request_URI "^/js/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour
SetEnvIf Request_URI "^/component\/osmap/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour
SetEnvIf Request_URI "^/templates\/t3_bs3_blank/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour
SetEnvIf Request_URI "^/t3\-assets/.*\.(7z|CSS|EOT|GIF|JPEG|JPG|JS|PNG|TTF|WEBP|WOFF|WOFF2|avi|bmp|css|doc|docx|eot|flv|gif|htm|html|jp2|jpe|jpe2|jpeg|jpg|js|mov|mp3|mp4|mpeg|mpg|odp|ods|odt|ogg|ogv|pdf|png|ppt|pptx|rar|svg|swf|ttf|txt|wav|webp|woff|woff2|xls|xlsx|xml|xps|xsl|zip)$" !disable_risky_behaviour
##### Advanced server protection rules exceptions also bypass the “disable client-side risky behavior” features -- END


# Apply the "Disable client-side risky behavior" features
Header always set Content-Security-Policy "default-src 'self'; script-src 'none';" env=disable_risky_behaviour
## Disallow access to htaccess.txt, php.ini, .user.ini and configuration.php-dist
RewriteRule ^(htaccess\.txt|configuration\.php-dist|php\.ini|\.user\.ini)$ - [F]
# Disallow access to all other front-end folders
RewriteCond %{REQUEST_FILENAME} -d
RewriteCond %{REQUEST_URI} !^/
RewriteRule .* - [F]

# Disallow access to all other front-end files
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule !^index.php$ - [F]
## Reduce MIME type security risks
<IfModule mod_headers.c>
	Header set X-Content-Type-Options "nosniff"
</IfModule>
## Reflected XSS prevention
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
</IfModule>

# mod_headers cannot match based on the content-type, however,
# the X-XSS-Protection response header should be sent only for
# HTML documents and not for the other resources.

<IfModule mod_headers.c>
	<FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
		Header unset X-XSS-Protection
	</FilesMatch>
</IfModule>
## Remove Apache and PHP version signature
<IfModule mod_headers.c>
	Header always unset X-Powered-By
	Header always unset X-Content-Powered-By
</IfModule>

ServerSignature Off
## Prevent content transformation
<IfModule mod_headers.c>
	Header merge Cache-Control "no-transform"
</IfModule>
##### Advanced server protection -- END

## Referrer-policy
<IfModule mod_headers.c>
	Header always set Referrer-Policy "unsafe-url"
</IfModule>
## Set the UTF-8 character set as the default
#  Serve all resources labeled as `text/html` or `text/plain`
#  with the media type `charset` parameter set to `UTF-8`.

AddDefaultCharset utf-8

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset

<IfModule mod_mime.c>
	AddCharset utf-8 .atom \
					 .bbaw \
					 .css \
					 .geojson \
					 .js \
					 .json \
					 .jsonld \
					 .rdf \
					 .rss \
					 .topojson \
					 .vtt \
					 .webapp \
					 .xloc \
					 .xml
</IfModule>
##### Joomla! core SEF Section -- BEGIN
# -- SEF URLs for the API application
RewriteCond %{REQUEST_URI} ^/api/
RewriteCond %{REQUEST_URI} !^/api/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* api/index.php [L]

# -- SEF URLs for the public frontend application
##### Joomla! core SEF Section -- BEGIN
RewriteCond %{REQUEST_URI} !^/index\.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L]
##### Joomla! core SEF Section -- END



Header always append Content-Security-Policy "frame-ancestors 'self' https://transformational.education/ https://*.transformational.education;"

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php8_module>
   php_flag display_errors Off
   php_value error_reporting E_ALL & ~E_NOTICE & ~E_DEPRECATED
   php_value max_execution_time 30
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 128M
   php_value post_max_size 60M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php82"
   php_value upload_max_filesize 60M
   php_flag zlib.output_compression Off
</IfModule>
<IfModule lsapi_module>
   php_flag display_errors Off
   php_value error_reporting E_ALL & ~E_NOTICE & ~E_DEPRECATED
   php_value max_execution_time 30
   php_value max_input_time 60
   php_value max_input_vars 1000
   php_value memory_limit 128M
   php_value post_max_size 60M
   php_value session.gc_maxlifetime 1440
   php_value session.save_path "/var/cpanel/php/sessions/ea-php82"
   php_value upload_max_filesize 60M
   php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php82” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php82 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
