RewriteEngine On
DirectoryIndex index.html
# =====================================================
# FORCE HTTPS FIRST
# =====================================================
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# =====================================================
# BASIC PROTECTION
# =====================================================
Options -Indexes
Require all denied
# =====================================================
# BLOCK BAD BOTS EARLY
# =====================================================
RewriteCond %{HTTP_USER_AGENT} (MJ12bot|AhrefsBot|SemrushBot|HTTrack|WebCopier|Wget|SiteSucker|BlackWidow|Teleport|Offline|EmailCollector|EmailSiphon|WebReaper) [NC]
RewriteRule ^ - [F,L]
# =====================================================
# ALLOW SPECIFIC ACCESS
# =====================================================
# Allow root and index
RewriteCond %{REQUEST_URI} ^/$ [OR]
RewriteCond %{REQUEST_URI} ^/index\.html$ [NC]
RewriteRule .* - [L]
# Allow installer file
RewriteCond %{REQUEST_URI} ^/installer/OctInstall\.rar$ [NC]
RewriteRule .* - [L]
# Allow updater file (oct3.exe)
RewriteCond %{REQUEST_URI} ^/oct3\.exe$ [NC]
RewriteRule .* - [L]
# Allow specific PHP endpoint (login)
RewriteCond %{REQUEST_URI} ^/formations/connectSystem\.php$ [NC]
RewriteRule .* - [L]
# Allow process.php (ECU upload)
RewriteCond %{REQUEST_URI} ^/process\.php$ [NC]
RewriteRule .* - [L]
# =====================================================
# TICKET SYSTEM ENDPOINTS
# =====================================================
# Allow ticket.php (client endpoint : create/message/fetch/list)
RewriteCond %{REQUEST_URI} ^/ticket\.php$ [NC]
RewriteRule .* - [L]
# Allow upload.php (si tu as un endpoint séparé d'upload)
RewriteCond %{REQUEST_URI} ^/upload\.php$ [NC]
RewriteRule .* - [L]
# Allow download.php (téléchargement sécurisé des fichiers solutions)
RewriteCond %{REQUEST_URI} ^/download\.php$ [NC]
RewriteRule .* - [L]
# Allow admin_reply.php (endpoint admin : login/reply/close)
RewriteCond %{REQUEST_URI} ^/admin_reply\.php$ [NC]
RewriteRule .* - [L]
# Allow admin.html (panel admin web)
RewriteCond %{REQUEST_URI} ^/admin\.html$ [NC]
RewriteRule .* - [L]
# =====================================================
# ALLOW STATIC ASSETS
# =====================================================
RewriteCond %{REQUEST_URI} \.(?:css|js|mjs|png|jpg|jpeg|gif|webp|svg|ico|woff|woff2|ttf|eot|pdf|mp4|webm|ogg)$ [NC]
RewriteRule .* - [L]
# =====================================================
# BLOCK EVERYTHING ELSE
# Autorise OneClickTune (logiciel Qt) ET les navigateurs web (admin.html)
# =====================================================
RewriteCond %{HTTP_USER_AGENT} !OneClickTune [NC]
RewriteCond %{HTTP_USER_AGENT} !Mozilla [NC]
RewriteRule .* - [F,L]
# =====================================================
# BLOCK SENSITIVE FILE TYPES
# =====================================================
Require all denied
# Exception : autoriser OctInstall.rar malgré la règle ci-dessus
Require all granted
# =====================================================
# PROTECT SENSITIVE DIRECTORIES
# =====================================================
# Bloquer l'accès direct au dossier tickets/ (fichiers clients)
RewriteRule ^tickets/ - [F,L]
# Bloquer l'accès direct au dossier uploads/ (fichiers ECU)
RewriteRule ^uploads/ - [F,L]
# Bloquer l'accès au dossier patchs/ (JSON de solutions)
RewriteRule ^patchs/ - [F,L]
# =====================================================
# SECURITY HEADERS
# =====================================================
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Cross-Origin-Resource-Policy "same-site"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
# CSP assouplie pour laisser admin.html appeler les endpoints PHP en AJAX
Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; media-src 'self'; manifest-src 'self'; upgrade-insecure-requests"
# =====================================================
# COMPRESSION
# =====================================================
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
# =====================================================
# LIMIT REQUEST SIZE (55 Mo pour supporter les gros bin ECU + marge)
# =====================================================
LimitRequestBody 57671680