Open J0WI opened 5 years ago
I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines
Sure, that was the idea.
X-Frame-Options is already sent by Matomo
It's more secure to add this in the server config, because this is harder to compromise and it doesn't depend on PHP. `fastcgi_hide_header X-Content-Type-Options;` can be used to avoid duplicates.
Any reason for removing the /.ht section?
This is now covered by `\.`, which denies access to all dotfiles.
Any reason why the .well-known is allowed explicitly? Matomo doesn't really use it, and for Let's Encrypt I think it needs to be in the HTTP section.
All HTTP requests are rewritten to HTTPS, so the ACME challenge would be blocked.
You can also merge it with the `default_type text/plain` section if you like.
I hope it is okay if I apply your changes separately as I'd like to keep an overview over all lines and am not sure about all lines:

Any reason for removing the `/\.ht` section?

`plugins/HeatmapSessionRecording/configs.php` is a great idea, thanks.

`config|tmp|core|lang` and `libs|vendor|plugins|misc/user` is intentional. This way js, css, etc. are allowed from the plugins but not from the tmp directory.
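The following nginx fragment is assembled here as an added illustration of the points raised in this thread (ACME in the plain-HTTP server, one dotfile rule, headers set by nginx with the PHP copies hidden, and static assets but no PHP served from the plugin trees); it is not the PR's own config, and the hostname, document root, certificate and php-fpm socket paths are assumptions.

```nginx
# Added illustration of the thread above; not the PR's config.
# Assumed: root /var/www/matomo, php-fpm on unix:/run/php/php-fpm.sock, hostname matomo.example.org.
server {
    listen 80;
    server_name matomo.example.org;
    # ACME challenges must be answered here, before the redirect to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;               # assumed webroot of the ACME client
        default_type text/plain;
    }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name matomo.example.org;
    ssl_certificate     /etc/ssl/matomo.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/matomo.key;
    root /var/www/matomo;
    index index.php;

    # Headers set by the server itself, independent of PHP.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;

    # One rule for all dotfiles (.htaccess, .git, ...) replaces a separate /\.ht rule.
    location ~ /\. { deny all; }

    # Internal directories are never served.
    location ~ ^/(config|tmp|core|lang)/ { deny all; }

    # The one plugin PHP file that has to stay reachable (exact match wins over the regexes below).
    location = /plugins/HeatmapSessionRecording/configs.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Static assets may be served from these trees, but no PHP inside them is executed.
    location ~ ^/(libs|vendor|plugins|misc/user)/.*\.php$ { deny all; }
    location ~ ^/(libs|vendor|plugins|misc/user)/.*\.(js|css|png|gif|svg|ico|woff2?)$ { expires 1h; }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        # Matomo sends these itself; hide the PHP copies so each header appears only once.
        fastcgi_hide_header X-Frame-Options;
        fastcgi_hide_header X-Content-Type-Options;
    }
}
```

Regex locations are tried in file order, so the deny rules must stay above the static-asset and `\.php$` handlers; `nginx -t` followed by `curl -I` against a `/tmp/...` and a `/plugins/.../*.js` path is a quick way to confirm the intended split.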