ataylorme / WordPress-Hosting-Best-Practices-Documentation


.htaccess configuration #14

Open danielbachhuber opened 6 years ago

danielbachhuber commented 6 years ago

Because the .htaccess file is a part of many hosts' web server configuration, we should have some recommended dos and don'ts.

For instance, to prevent situations like this (not to call SiteGround out):

Found the source. In our case, SiteGround had put the following block in our .htaccess file:

```apache
# Block Request Method #
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
RewriteRule .* - [F]
```

This was the root cause of the issue. I hadn't had the opportunity to attempt anything to prove the case, but I assume the DELETE and OPTIONS methods would have also failed.

Even better would be some form of automated checker :)

From https://github.com/WordPress/gutenberg/issues/2704#issuecomment-329231370
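A sketch of the kind of automated checker suggested above, added here as an example and not part of the original thread or the project's code. It scans `.htaccess` text for `REQUEST_METHOD` conditions attached to a denying `RewriteRule` and reports which methods they reject; the method list, the function names, and the use of Python's `re` in place of Apache's PCRE are assumptions, and any other conditions on the same rule are ignored.

```python
import re

# Assumption: HTTP methods a REST API client may send; adjust for your stack.
REST_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS")

COND_RE = re.compile(
    r'^\s*RewriteCond\s+%\{REQUEST_METHOD\}\s+"?([^"\s]+)"?(?:\s+\[([^\]]*)\])?', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+\S+(?:\s+\[([^\]]*)\])?', re.I)
DENY_FLAGS = {"F", "FORBIDDEN", "G", "GONE"}  # 403 and 410 responses

def _flags(raw):
    return {f.strip().upper() for f in (raw or "").split(",") if f.strip()}

def blocked_methods(htaccess_text, methods=REST_METHODS):
    """Return (line_no, pattern, [methods]) for each REQUEST_METHOD condition
    attached to a RewriteRule that denies the request."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        cond = COND_RE.match(line)
        if cond:
            pending.append((line_no, cond.group(1), _flags(cond.group(2))))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # other directives, including non-method RewriteConds
        if _flags(rule.group(1)) & DENY_FLAGS:
            for cond_line, pattern, cflags in pending:
                negated = pattern.startswith("!")  # "!" inverts the condition
                regex = re.compile(pattern.lstrip("!"),
                                   re.I if cflags & {"NC", "NOCASE"} else 0)
                hit = [m for m in methods if bool(regex.search(m)) != negated]
                if hit:
                    findings.append((cond_line, pattern, hit))
        pending = []  # conditions apply only to the next RewriteRule
    return findings

# Constructed sample input: the block quoted in the issue.
SAMPLE = """\
# Block Request Method #
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|options|put|trace|track) [NC]
RewriteRule .* - [F]
"""

if __name__ == "__main__":
    for line_no, pattern, hit in blocked_methods(SAMPLE):
        print(f"line {line_no}: {pattern} denies {', '.join(hit)}")
```

An allowlist written as a negated condition (for example `!^(GET|POST|HEAD)$`) is reported the same way, listing every checked method that falls outside it.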

jadonn commented 6 years ago

This kind of problem crops up with ModSecurity, too. It probably would be worthwhile to factor that in when checking for blocks on the request method. Folks used to think restricting the HTTP methods your server can do makes the server more secure. There might be something to some of that for some methods, but I think the "standard" ModSecurity config only allows GET, POST, OPTIONS, and HEAD.