Improved .htaccess security and readability

[Raruto]

List of changes

• added section comments
• added deny rules for the following files:
  • composer\.(json|lock)
  • package\.json
  • (README|CONTRIBUTING)\.md
  • Dockerfile
  • LICENSE
  • "hidden" files and directories (whose names begin with a period)
• removed multiple <Files> statement in favor of a single <Filesmatch> statement

---

Additional info

For those interested in deepening I suggest you start reading one of the following examples:

• h5bp/.htaccess (on which I think cockpit's file was initially based)
• drupal/.htaccess

Have a nice Day, Raruto

[Raruto]

PS regarding these two issues:

• https://github.com/agentejo/cockpit/issues/1298#issuecomment-630339782
• https://github.com/agentejo/cockpit/issues/764

---

Some apache (shared) hosts don't allow you to override Options directives (thus getting the error 500: Options not allowed here ... within server logs):

# sample "httpd.conf" with "AllowOverride" set to "None"

<Directory "/var/www/localhost/htdocs">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

As there is no easy way to verify those directives and prevent 500 error (without access to error logs or apache config files), would it make sense to keep them both commented by default?

https://github.com/agentejo/cockpit/blob/722393b31921d5b3ee5992ade63ee9589f5b52a8/.htaccess#L30

https://github.com/agentejo/cockpit/blob/722393b31921d5b3ee5992ade63ee9589f5b52a8/.htaccess#L35

as it happens for the RewriteBase directive:

https://github.com/agentejo/cockpit/blob/722393b31921d5b3ee5992ade63ee9589f5b52a8/.htaccess#L38