.htaccess

# Security Headers
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    # Header set Content-Security-Policy ...
    Header set Referrer-Policy "same-origin"
    Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
</IfModule>

# Index.php default 
RewriteEngine On
DirectoryIndex index.php

# Remove .php extension
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.] )$ $1.php [NC,L]

# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Error document handling
ErrorDocument 404 https://landon.pw/404
ErrorDocument 403 https://landon.pw/404

Options -Indexes

If I try landon.pw/a/, it will redirect to the 404. If I try landon.pw/a, it won't.

I believe the issue is because the way I am removing the php extension. When they go to /a, it is trying to serve a.php, which I guess is why it won't redirect files to the 404. I just don't know how to circumvent this problem.

CodePudding user response：

Problem is in your # Remove .php extension since it is rewriting any non-file request to an equivalent .php file without checking for existence of .php file.

You can try this code to get this working:

# Error document handling
ErrorDocument 404 https://landon.pw/404
ErrorDocument 403 https://landon.pw/404

Options -Indexes
# Index.php default 
DirectoryIndex index.php

RewriteEngine On

# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

# Remove .php extension
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(. ?)/?$ $1.php [L]

Make sure you clear your browser cache before testing this change.