phpbb3
phpBB is an Internet forum package written in the PHP scripting language. Available under the GNU General Public License, phpBB is free and open-source.
Apache
phpbb3_headers
# Security response headers for the phpBB3 virtual host (mod_headers).
# The "always" condition adds each header to error responses (4xx/5xx) as well
# as to successful ones.
# NOTE(review): no Strict-Transport-Security header is set in this snippet;
# confirm it is sent elsewhere for the HTTPS site.
# 16/08/2025
# Legacy anti-clickjacking header for browsers without CSP frame-ancestors.
# NOTE(review): "deny" here and "frame-ancestors 'self'" below state different
# policies. Browsers that support frame-ancestors follow the CSP value and
# ignore X-Frame-Options, so confirm which one is intended (SAMEORIGIN would
# match the CSP). "append" merges with a value already in this header table
# instead of replacing it.
Header always append X-Frame-Options deny
# 2/5/2025
# Cross-origin requests receive only the origin in Referer; same-origin
# requests keep the full URL.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Tells browsers not to MIME-sniff script and style responses away from the
# declared Content-Type.
Header always set X-Content-Type-Options nosniff
# NOTE(review): X-XSS-Protection is a legacy header. Current browsers have
# removed the XSS auditor it controlled, and OWASP's secure-headers guidance is
# to send "0" or omit it and rely on Content-Security-Policy. Confirm that this
# value is still wanted.
Header always set X-XSS-Protection "1; mode=block"
# 16/08/2025
# Only same-origin pages may frame the forum.
# NOTE(review): this policy carries frame-ancestors only; it does not restrict
# script or other resource loading.
Header always append Content-Security-Policy "frame-ancestors 'self'"
# 23/8/2025
# An empty allowlist "()" disables the feature for the forum and for any frame
# it embeds.
Header always set Permissions-Policy "accelerometer=(), camera=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), usb=(), gamepad=(), serial=()"
phpbb3
# CGR 7/9/2016
# Compress static CSS and JavaScript (mod_deflate) in the phpBB asset,
# topicsolved extension theme and style directories. The filter is attached to
# the css and js extensions only, so PHP-generated pages are not compressed by
# these rules.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/assets/>
AddOutputFilter DEFLATE css js
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/ext/tierra/topicsolved/styles/prosilver/theme/>
AddOutputFilter DEFLATE css js
</Directory>
#
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/styles/>
AddOutputFilter DEFLATE css js
</Directory>
# special MIME type for icons
AddType image/vnd.microsoft.icon .ico
# NOTE(review): the IANA-registered type for WOFF2 is font/woff2. The
# ExpiresByType rule in the mod_expires section keys on application/font-woff2,
# so change both together if this is ever updated.
AddType application/font-woff2 .woff2
# Browser cache lifetimes per response MIME type, counted from the time of the
# request ("access"). The whole section is skipped when mod_expires is not loaded.
# NOTE(review): the rules key on MIME type, not on path, so they presumably
# also apply to images and PDFs streamed by PHP (for example attachments)
# unless the script sends its own Expires header. Confirm that
# permission-protected downloads are not cached longer than intended.
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType application/font-woff2 "access plus 7 days"
ExpiresByType application/javascript "access plus 7 days"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType application/x-javascript "access plus 7 days"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/gif "access plus 5 weeks"
ExpiresByType image/jpeg "access plus 5 weeks"
ExpiresByType image/jpg "access plus 5 weeks"
ExpiresByType image/png "access plus 5 weeks"
ExpiresByType image/x-icon "access plus 3 months"
ExpiresByType text/css "access plus 7 days"
ExpiresByType text/javascript "access plus 7 days"
# ExpiresByType text/plain "access plus 49 hours"
# now we have icon MIME type, we can use it
# my favicon doesn't change much
ExpiresByType image/vnd.microsoft.icon "access plus 3 months"
# No ExpiresDefault is active, so MIME types not listed above get no lifetime
# from this section.
# ExpiresDefault "access plus 2 days"
</IfModule>
# https://tracker.phpbb.com/browse/PHPBB3-16226
# MultiViews (content negotiation) lets Apache serve a file whose name only
# partly matches the requested URL, for example by supplying a missing
# extension. Turning it off keeps the URL-to-file mapping explicit; see the
# ticket above for the phpBB issue. The directive is applied only when
# mod_negotiation is loaded.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
</Directory>
# Refuse direct HTTP access (403) to phpBB directories and files that hold
# code, configuration, caches, uploads or dependency metadata and are never
# meant to be fetched by a browser.
# AllowOverride None is set on public_html elsewhere in this file, so .htaccess
# files inside these directories are not read; these blocks are the only thing
# denying access.
# NOTE(review): this is a fixed list. Re-check it after phpBB upgrades or new
# extensions, and probe each path for a 403 as a regression test.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/bin/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/cache/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/config/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/docs/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/files/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/images/avatars/upload/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/includes/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/phpbb/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/store/>
Require all denied
</Directory>
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/phpBB3/vendor/>
Require all denied
</Directory>
# <Location> matches the URL path rather than the filesystem path, so these two
# rules assume the forum is published at /phpBB3/.
<Location /phpBB3/config.php>
Require all denied
</Location>
<Location /phpBB3/common.php>
Require all denied
</Location>
# <Files> matches on the file name alone, in whichever directory it is found.
<Files "composer.json">
Require all denied
</Files>
<Files "composer.lock">
Require all denied
</Files>
<Files "web.config">
Require all denied
</Files>
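# Document root policy: options, request filtering and the phpBB SEO rewrite
# rules. Rule order matters throughout this section.
<Directory {{ webmut_basedir }}/{{ item.name }}/public_html/ >
# No "+"/"-" prefix, so this replaces every inherited option: only owner-matched
# symlinks stay enabled (mod_rewrite in <Directory> context needs a symlink option).
# NOTE(review): Apache documents SymLinksIfOwnerMatch as subject to a race
# condition, so it should not be relied on as a security boundary.
Options SymLinksIfOwnerMatch
# .htaccess files under public_html are ignored; all policy lives in this file.
AllowOverride None
RewriteEngine on
# RewriteCond %{HTTP_USER_AGENT} "^Mozilla/5.0 \(Macintosh; Intel Mac OS X 10_15_7\) AppleWebKit/605.1.15 \(KHTML, like Gecko\) Version/15.1 Safari/605.1.15" [NC,OR]
# CGR 22/12/2022
# Answer 403 to requests whose User-Agent contains AppleWebKit/605.1.15 and that
# carry no Referer. User-Agent and Referer are chosen by the client, so this
# rule and the okhttp rule below only filter unwanted automated traffic; they
# are not access control.
RewriteCond %{HTTP_USER_AGENT} AppleWebKit/605.1.15 [NC]
RewriteCond %{HTTP_REFERER} ^$
RewriteRule .* - [F,L]
# CGR 17/3/2023
RewriteCond %{HTTP_USER_AGENT} okhttp [NC]
RewriteCond %{HTTP_REFERER} ^$
RewriteRule .* - [F,L]
# CGR 19/8/2025
# Answer 403 to POST requests whose Referer does not start with this forum's
# own origin. The dots are escaped so they match only a literal "." (an
# unescaped "." matches any character), and the trailing "/" stops longer host
# names that merely begin with the forum's name from matching.
# This is defence in depth: clients that strip Referer are refused too, and the
# rule does not replace the application's own anti-CSRF form tokens.
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^https://forum\.cgsecurity\.org/ [NC]
RewriteRule .* - [F,L]
#
# Send the bare site root to the forum.
RewriteRule ^$ /phpBB3/ [R=301,L,NE]
RewriteRule ^/+$ /phpBB3/ [R=301,L,NE]
# CGR 3/3/2012
# DO NOT GO FURTHER IF THE REQUESTED FILE / DIR EXISTS
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
#####################################################
# PHPBB SEO REWRITE RULES ALL MODES
#####################################################
# AUTHOR : dcz www.phpbb-seo.com
# STARTED : 01/2006
#################################
# Every rule below maps a friendly URL onto a fixed phpBB script. Numeric ids
# are captured with [0-9]+ and slugs with [a-z0-9_-], so only those characters
# are copied from the path into the rewritten query string; QSA then appends
# the client's original query string unchanged.
# FORUMS PAGES
###############
# FORUM INDEX REWRITERULE WOULD STAND HERE IF USED. "forum" REQUIRES TO BE SET AS FORUM INDEX
# RewriteRule ^phpBB3/forum\.html$ /phpBB3/index.php [QSA,L,NC]
# FORUM ALL MODES
RewriteRule ^phpBB3/(forum|[a-z0-9_-]*-f)([0-9]+)(-([0-9]+))?\.html$ /phpBB3/viewforum.php?f=$2&start=$4 [QSA,L,NC]
# TOPIC WITH VIRTUAL FOLDER ALL MODES
RewriteRule ^phpBB3/(forum|[a-z0-9_-]*-f)([0-9]+)/(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ /phpBB3/viewtopic.php?f=$2&t=$4&start=$6 [QSA,L,NC]
# TOPIC WITHOUT FORUM ID & DELIM ALL MODES
RewriteRule ^phpBB3/([a-z0-9_-]*)/?(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ /phpBB3/viewtopic.php?forum_uri=$1&t=$3&start=$5 [QSA,L,NC]
# PHPBB FILES ALL MODES
RewriteRule ^phpBB3/resources/[a-z0-9_-]+/(thumb/)?([0-9]+)$ /phpBB3/download/file.php?id=$2&t=$1 [QSA,L,NC]
# PROFILES ALL MODES WITH ID
RewriteRule ^phpBB3/(member|[a-z0-9_-]*-u)([0-9]+)\.html$ /phpBB3/memberlist.php?mode=viewprofile&u=$2 [QSA,L,NC]
# USER MESSAGES ALL MODES WITH ID
RewriteRule ^phpBB3/(member|[a-z0-9_-]*-u)([0-9]+)-(topics|posts)(-([0-9]+))?\.html$ /phpBB3/search.php?author_id=$2&sr=$3&start=$5 [QSA,L,NC]
# GROUPS ALL MODES
RewriteRule ^phpBB3/(group|[a-z0-9_-]*-g)([0-9]+)(-([0-9]+))?\.html$ /phpBB3/memberlist.php?mode=group&g=$2&start=$4 [QSA,L,NC]
# POST
RewriteRule ^phpBB3/post([0-9]+)\.html$ /phpBB3/viewtopic.php?p=$1 [QSA,L,NC]
# ACTIVE TOPICS
RewriteRule ^phpBB3/active-topics(-([0-9]+))?\.html$ /phpBB3/search.php?search_id=active_topics&start=$2&sr=topics [QSA,L,NC]
# UNANSWERED TOPICS
RewriteRule ^phpBB3/unanswered(-([0-9]+))?\.html$ /phpBB3/search.php?search_id=unanswered&start=$2&sr=topics [QSA,L,NC]
# NEW POSTS
RewriteRule ^phpBB3/newposts(-([0-9]+))?\.html$ /phpBB3/search.php?search_id=newposts&start=$2&sr=topics [QSA,L,NC]
# UNREAD POSTS
RewriteRule ^phpBB3/unreadposts(-([0-9]+))?\.html$ /phpBB3/search.php?search_id=unreadposts&start=$2 [QSA,L,NC]
# THE TEAM
RewriteRule ^phpBB3/the-team\.html$ /phpBB3/memberlist.php?mode=leaders [QSA,L,NC]
# HERE IS A GOOD PLACE TO ADD OTHER PHPBB RELATED REWRITERULES
# FORUM WITHOUT ID & DELIM ALL MODES
# THESE FOUR LINES MUST BE LOCATED AT THE END OF YOUR HTACCESS TO WORK PROPERLY
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^phpBB3/([a-z0-9_-]+)(-([0-9]+))\.html$ /phpBB3/viewforum.php?forum_uri=$1&start=$3 [QSA,L,NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^phpBB3/([a-z0-9_-]+)\.html$ /phpBB3/viewforum.php?forum_uri=$1 [QSA,L,NC]
# FIX RELATIVE PATHS : FILES
# Both redirects below keep the fixed /phpBB3/ prefix, so the target always
# stays on this site.
RewriteRule ^phpBB3/.+/(style\.php|ucp\.php|mcp\.php|faq\.php|download/file.php)$ /phpBB3/$1 [QSA,L,NC,R=301]
# FIX RELATIVE PATHS : IMAGES
RewriteRule ^phpBB3/.+/(styles/.*|images/.*)/$ /phpBB3/$1 [QSA,L,NC,R=301]
# END PHPBB PAGES
#####################################################
# AllowOverride FileInfo AuthConfig Limit Options
# Anything under phpBB3/ that is neither an existing file nor an existing
# directory is handed to phpBB's front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(phpBB3/.*)$ /phpBB3/app.php [QSA,L]
</Directory>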
# CGR 26/2/2012
# Web application firewall. Everything in this section is skipped silently
# when mod_security2 is not loaded, so a missing module means no WAF rather
# than a start-up error.
<IfModule mod_security2.c>
# This is the ModSecurity Core Rules Set.
# Basic configuration goes in here
# Relative Include paths are resolved against ServerRoot.
Include modsecurity.d/*.conf
Include modsecurity.d/base_rules/*.conf
Include modsecurity.d/modsecurity_localrules.conf
# Include modsecurity.d/activated_rules/*.conf
# Default for phase 2 (request body) rules: log, write an audit entry and deny
# with HTTP 403.
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none
# SecAction "phase:1,t:none,nolog,pass, \
# setvar:tx.critical_anomaly_score=30, \
# setvar:tx.error_anomaly_score=25, \
# setvar:tx.warning_anomaly_score=20, \
# setvar:tx.notice_anomaly_score=15"
# Per-site audit log.
# NOTE(review): audit entries can include request headers and bodies (cookies,
# submitted form fields). Confirm that the log directory is outside the
# document root and readable only by administrators.
SecAuditLog {{ webmut_basedir }}/{{ item.name }}/log/apache_audit.log
# SecDebugLog {{ webmut_basedir }}/{{ item.name }}/log/modsec_debug_log
# SecDebugLogLevel 4
# Audit only transactions that raised a warning or error, or whose response
# status is 4xx or 5xx.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^[45]
# <Location "/mw">
# SecRuleRemoveById 973302
# </Location>
</IfModule>
Audit
phpbb3_check.py
#!/usr/bin/python3
import requests
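# Audit probe: request every phpBB path that the web server is expected to
# refuse and print the HTTP status returned for each one. Only 403 counts as a
# pass; any other status (including 404 or a redirect) is reported as a failure.
site = 'https://forum.cgsecurity.org/phpBB3/'
s = requests.session()
# Number of paths that did not answer 403; it drives the exit status below.
failures = 0
for filename in [
    'bin/',
    'bin/phpbbcli.php',
    'cache/',
    'cache/index.htm',
    'config.php',
    'common.php',
    'composer.json',
    'composer.lock',
    'config/',
    'config/default/config.yml',
    # https://area51.phpbb.com/docs/dev/master/start/install.html
    # you may also wish to delete the docs/ directory if you wish.
    'docs/CHANGELOG.html',
    'docs/INSTALL.html',
    'files/',
    'files/index.htm',
    'images/avatars/upload/index.htm',
    'includes/',
    'includes/index.htm',
    'phpbb/',
    'phpbb/search/index.htm',
    'store/',
    'store/index.htm',
    'store/shredder/1.xml',
    'vendor/',
    'vendor/symfony/process/README.md',
    'vendor/twig/twig/README.rst',
    'web.config',
]:
    url = site + filename
    try:
        # Redirects are not followed, so the status printed is the one the
        # server gave for this exact URL. The timeout keeps an unresponsive
        # server from hanging the audit.
        status_code = s.get(url, allow_redirects=False, timeout=10).status_code
    except requests.RequestException as exc:
        # A connection or TLS error is a failed check, not a reason to stop.
        failures += 1
        print(filename.ljust(32), type(exc).__name__, '❌')
        continue
    denied = status_code == 403
    if not denied:
        failures += 1
    print(filename.ljust(32), status_code, '✅' if denied else '❌')
# Exit non-zero when any path was reachable or unchecked, so cron or CI can alert.
if failures:
    raise SystemExit(1)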