├── h5bp
├── basic.conf
├── errors
│ ├── custom_errors.conf
│ └── error_prevention.conf
├── cross-origin
│ ├── web_fonts.conf
│ ├── images.conf
│ ├── resource_timing.conf
│ └── requests.conf
├── security
│ ├── server_software_information.conf
│ ├── x-content-type-options.conf
│ ├── x-powered-by.conf
│ ├── trace_method.conf
│ ├── referrer-policy.conf
│ ├── permissions-policy.conf
│ ├── x-frame-options.conf
│ ├── strict-transport-security.conf
│ ├── file_access.conf
│ ├── cross-origin-policy.conf
│ └── content-security-policy.conf
├── tls
│ ├── ssl_engine.conf
│ ├── policy_balanced.conf
│ ├── ocsp_stapling.conf
│ ├── policy_strict.conf
│ └── certificate_files.conf
├── web_performance
│ ├── no_etags.conf
│ ├── filename-based_cache_busting.conf
│ ├── file_concatenation.conf
│ ├── etags.conf
│ ├── content_transformation.conf
│ ├── pre-compressed_content_gzip.conf
│ ├── pre-compressed_content_brotli.conf
│ ├── cache-control.conf
│ ├── cache_expiration.conf
│ └── compression.conf
├── rewrites
│ ├── rewrite_http_to_https.conf
│ ├── rewrite_nowww.conf
│ ├── rewrite_www.conf
│ └── rewrite_engine.conf
└── media_types
│ ├── character_encodings.conf
│ └── media_types.conf
├── vhosts
├── .000-default.conf
├── 000-no-ssl-default.conf
└── templates
│ ├── no-ssl.example.com.conf
│ └── example.com.conf
├── LICENSE.txt
├── bin
├── htaccess.conf
└── build.sh
├── httpd.conf
├── README.md
├── CHANGELOG.md
└── dist
└── .htaccess
/h5bp/basic.conf:
--------------------------------------------------------------------------------
# Apache Server Configs | MIT License
# https://github.com/h5bp/server-configs-apache

# Minimal rule set a virtual host pulls in with `Include h5bp/basic.conf`:
# three response-hardening headers plus permissive CORS for images and fonts.
# Each included file documents itself. The other `h5bp/security/*.conf`
# files (HSTS, CSP, permissions policy, ...) are NOT part of this set and have
# to be included explicitly by any host that wants them.

Include h5bp/security/referrer-policy.conf
Include h5bp/security/x-content-type-options.conf
Include h5bp/security/x-frame-options.conf
Include h5bp/cross-origin/images.conf
Include h5bp/cross-origin/web_fonts.conf

--------------------------------------------------------------------------------
/h5bp/errors/custom_errors.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Custom error messages/pages |
# ----------------------------------------------------------------------

# Customize what Apache returns to the client in case of an error.
#
# https://httpd.apache.org/docs/current/mod/core.html#errordocument

# Serve `/404.html` (a local URL path, resolved by Apache like any other
# request) for "Not Found" responses. The page has to exist; if it does not,
# Apache falls back to its built-in error page and notes the second failure.
ErrorDocument 404 /404.html

--------------------------------------------------------------------------------
/h5bp/cross-origin/web_fonts.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Cross-origin web fonts |
# ----------------------------------------------------------------------

# Allow cross-origin access to web fonts.
#
# https://developers.google.com/fonts/docs/troubleshooting

# NOTE(review): as listed, this `Header set` is unconditional and would add
# `Access-Control-Allow-Origin: *` to EVERY response, not just to font files.
# The empty lines around it look like container directives lost in
# extraction (presumably a `FilesMatch` block limited to font extensions);
# confirm that scoping is present before deploying the file as shown.

Header set Access-Control-Allow-Origin "*"

--------------------------------------------------------------------------------
/h5bp/security/server_software_information.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------

# Prevent Apache from adding a trailing footer line containing information
# about the server to the server-generated documents (e.g.: error messages,
# directory listings, etc.).
#
# https://httpd.apache.org/docs/current/mod/core.html#serversignature

# This only affects the footer of generated pages. The `Server` response
# header is controlled by `ServerTokens`, which is valid only in the main
# server configuration (`ServerTokens Prod` is the least verbose setting).
ServerSignature Off

--------------------------------------------------------------------------------
/h5bp/errors/error_prevention.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Error prevention |
# ----------------------------------------------------------------------

# Disable the pattern matching based on filenames.
#
# This setting prevents Apache from returning a 404 error as the result of a
# rewrite when the directory with the same name does not exist.
#
# https://httpd.apache.org/docs/current/mod/core.html#multiviews

# With MultiViews off, mod_negotiation no longer tries to match a request for
# `foo` against `foo.*` on disk, so a rewrite target is served as written.
# In `.htaccess` context this requires `AllowOverride Options` (or `All`).
Options -MultiViews

--------------------------------------------------------------------------------
/h5bp/tls/ssl_engine.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | SSL engine |
# ----------------------------------------------------------------------

# (1) Turn on the SSL engine.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslengine
#
# (2) Improve SSL engine security and performance.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html

# (1)
SSLEngine On

# (2)
# Let the client's cipher preference decide; the server-side lists in
# `policy_balanced.conf` / `policy_strict.conf` already restrict what can be
# negotiated at all.
SSLHonorCipherOrder Off
# TLS-level compression leaks plaintext length (the CRIME class of attacks).
SSLCompression Off
# Session tickets are protected by a server-wide key; unless that key is
# rotated, resumed sessions lose forward secrecy, so tickets stay disabled.
SSLSessionTickets Off

--------------------------------------------------------------------------------
/h5bp/tls/policy_balanced.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | SSL policy - Balanced |
# ----------------------------------------------------------------------

# For services that need to support a wide range of clients, this configuration
# is reasonably balanced.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://httpd.apache.org/docs/current/ssl/ssl_howto.html
# https://httpd.apache.org/docs/current/mod/mod_ssl.html

# Everything below TLS 1.2 is switched off explicitly; what remains is TLS 1.2
# and, where the OpenSSL build supports it, TLS 1.3.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret ECDHE suites with AEAD ciphers only. This list governs TLS 1.2
# and older; TLS 1.3 suites are chosen separately by OpenSSL.
SSLCipherSuite EECDH+CHACHA20:EECDH+AES

--------------------------------------------------------------------------------
/vhosts/.000-default.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Default behavior for unknown hosts |
# ----------------------------------------------------------------------
#
# Drop requests for unknown hosts.
#
# If no default server is defined, Apache will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# server name is used in a request, it's recommended to use an empty virtual host
# as the first loaded one.

# NOTE(review): only the TLS includes survive in this listing. The
# `VirtualHost` container and whatever actually refuses the request (the
# comment above promises "drop requests") appear to have been stripped in
# extraction. Confirm the deployed file denies unknown hosts instead of
# serving them under the default certificate.

Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_balanced.conf

--------------------------------------------------------------------------------
/h5bp/cross-origin/images.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Cross-origin images |
# ----------------------------------------------------------------------

# Send the CORS header for images when browsers request it.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS_enabled_image
# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html

# Flag the request as cross-origin when an `Origin` header containing a colon
# (i.e. `scheme://host`) is present ...
SetEnvIf Origin ":" IS_CORS
# ... and only then add the header, so same-origin image responses are left
# untouched. The value is still `*`: any origin may read the pixels.
Header set Access-Control-Allow-Origin "*" env=IS_CORS

--------------------------------------------------------------------------------
/h5bp/web_performance/no_etags.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | ETags |
# ----------------------------------------------------------------------

# Remove `ETags` as resources are sent with far-future expires headers.
#
# Apache `ETags` might have an unexpected behavior if `DeflateAlterETag`
# can't be changed (which is the case at `.htaccess` level).
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
# https://developer.yahoo.com/performance/rules.html#etags
# https://tools.ietf.org/html/rfc7232#section-2.3

# `FileETag None` doesn't work in all cases, so the header is also stripped
# from the outgoing response ...

Header unset ETag

# ... and core is told not to generate one in the first place.
FileETag None

--------------------------------------------------------------------------------
/h5bp/web_performance/filename-based_cache_busting.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Filename-based cache busting |
# ----------------------------------------------------------------------

# If you're not using a build process to manage your filename version revving,
# you might want to consider enabling the following directives.
#
# To understand why this is important and even a better solution than using
# something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/

RewriteEngine On
# Only rewrite when no file of the requested name exists on disk.
RewriteCond %{REQUEST_FILENAME} !-f
# Drop the middle token (the version), e.g. `style.20240101.css` -> `style.css`,
# for the listed static extensions only; `[L]` ends rewriting for the request.
RewriteRule ^(.+)\.(\w+)\.(avifs?|bmp|css|cur|gif|ico|jpe?g|jxl|m?js|a?png|svgz?|webp|webmanifest)$ $1.$3 [L]

--------------------------------------------------------------------------------
/h5bp/cross-origin/resource_timing.conf:
--------------------------------------------------------------------------------
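# ----------------------------------------------------------------------
# | Cross-origin resource timing |
# ----------------------------------------------------------------------

# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that would
# allow its timing information to be shared with the document, some of the
# attributes of the `PerformanceResourceTiming` object will be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/

# `*` lets any page that embeds one of these resources read its full timing
# breakdown (DNS, connect, TTFB, ...). That is an opt-in disclosure; list
# specific origins instead if only your own pages need the data.
# `Header` takes the bare field name: mod_headers tolerates a trailing colon,
# but every other `Header` directive in this set omits it, so it is omitted
# here as well.

Header set Timing-Allow-Origin "*"
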
--------------------------------------------------------------------------------
/h5bp/tls/ocsp_stapling.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------

# OCSP is a lightweight protocol (a single signed record) that lets clients
# verify the validity of the server certificate.
# OCSP stapling allows the server to send its cached OCSP record during the TLS
# handshake, without the client having to contact a third-party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusestapling

# Stapling needs the issuer certificate available to mod_ssl; see (3) in
# `certificate_files.conf`.
SSLUseStapling On
# Give the responder 5 seconds. On timeout or responder error (next directive)
# the handshake still completes, just without a stapled response, so clients
# fall back to whatever revocation checking they do themselves.
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off
# Shared-memory cache for fetched responses. `SSLStaplingCache` is valid only
# in the main server configuration (not inside a virtual host), so this file
# must be included at server scope.
SSLStaplingCache shmcb:/var/run/ocsp(128000)

--------------------------------------------------------------------------------
/vhosts/000-no-ssl-default.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Default behavior for unknown hosts |
# ----------------------------------------------------------------------
#
# Drop requests for unknown hosts.
#
# If no default server is defined, Apache will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# server name is used in a request, it's recommended to use an empty virtual host
# as the first loaded one.
#
# (1) In production, only secure hosts should be used (all `no-ssl` disabled).
# If so, redirect first ANY request to a secure connection before handling
# it, even if the host is unknown.
#
# https://observatory.mozilla.org/faq/

# NOTE(review): the `VirtualHost` container and the directive that denies
# the request are not visible in this listing (likely stripped in
# extraction); as shown the file does nothing. Confirm the deployed version
# actually refuses unknown hosts.

# (1)
# Include h5bp/rewrites/rewrite_http_to_https.conf

--------------------------------------------------------------------------------
/h5bp/security/x-content-type-options.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Content Type Options |
# ----------------------------------------------------------------------

# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin data
# leaks, and should be left uncommented, especially if the server is serving
# user-uploaded content or content that could potentially be treated as
# executable by the browser.
#
# https://owasp.org/www-project-secure-headers/#x-content-type-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/

# `always` writes to the error header table too, so the header is also sent
# on 4xx/5xx responses and on responses generated by other handlers.
Header always set X-Content-Type-Options "nosniff"

--------------------------------------------------------------------------------
/vhosts/templates/no-ssl.example.com.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Config file for non-secure example.com host |
# ----------------------------------------------------------------------
#
# This file is a template for a non-secure Apache virtual host.
# This virtual host server listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.

# (1) Choose between www and non-www.

# NOTE(review): the `VirtualHost` and `Directory` containers that normally
# wrap these directives are missing from this listing (likely stripped in
# extraction), so `Require all granted` appears unscoped. Confirm it applies
# only to the document root in the deployed file.

# (1)
ServerName example.com
ServerAlias www.example.com

# Path for static files
DocumentRoot "/var/www/example.com/public"

# (1) Redirects `www.example.com` to `example.com`; swap for
# `rewrite_www.conf` if you prefer the `www.` form, never include both.
Include h5bp/rewrites/rewrite_nowww.conf

# Include the basic h5bp config set
Include h5bp/basic.conf

# Allow access to the files under DocumentRoot.
Require all granted

--------------------------------------------------------------------------------
/h5bp/security/x-powered-by.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Server-side technology information |
# ----------------------------------------------------------------------

# Remove the `X-Powered-By` response header that:
#
# * is set by some frameworks and server-side languages (e.g.: ASP.NET, PHP),
# and its value contains information about them (e.g.: their name, version
# number)
#
# * doesn't provide any value to users, contributes to header bloat, and in
# some cases, the information it provides can expose vulnerabilities
#
# (!) If you can, you should disable the `X-Powered-By` header from the
# language/framework level (e.g.: for PHP, you can do that by setting
# `expose_php = off` in `php.ini`).
#
# https://php.net/manual/en/ini.core.php#ini.expose-php

# Plain `unset` acts on the regular (success) header table, `always unset`
# on the error table; `always` is not a superset of the default, so both are
# needed to cover every response the application emits.
Header unset X-Powered-By
Header always unset X-Powered-By

--------------------------------------------------------------------------------
/h5bp/cross-origin/requests.conf:
--------------------------------------------------------------------------------
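# ----------------------------------------------------------------------
# | Cross-origin requests |
# ----------------------------------------------------------------------

# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# https://enable-cors.org/
# https://www.w3.org/TR/cors/

# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
# Instead of using this file, consider using a specific rule such as
# allowing access based on (sub)domain. The value must be a full origin
# (scheme and host, plus port if non-default), not a bare host name:
#
# Header set Access-Control-Allow-Origin "https://subdomain.example.com"
#
# (1) When `Access-Control-Allow-Origin` points to a specific origin rather
# than `*`, `Vary: Origin` should be sent along with the response so shared
# caches do not hand one origin's answer to another.
#
# (!) Browsers reject `*` for requests sent with credentials (cookies, HTTP
# auth). Do not work around that by echoing the request's `Origin` header
# back unconditionally: that is `*` in effect, but also exposes credentialed
# responses.

Header set Access-Control-Allow-Origin "*"

# (1)
# Header append Vary Origin
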
--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
1 | Copyright (c) H5BP
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
4 | this software and associated documentation files (the "Software"), to deal in
5 | the Software without restriction, including without limitation the rights to
6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
7 | of the Software, and to permit persons to whom the Software is furnished to do
8 | so, subject to the following conditions:
9 |
10 | The above copyright notice and this permission notice shall be included in
11 | all copies or substantial portions of the Software.
12 |
13 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
14 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
15 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
16 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
17 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
18 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
19 | SOFTWARE.
20 |
--------------------------------------------------------------------------------
/vhosts/templates/example.com.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Config file for example.com host |
# ----------------------------------------------------------------------
#
# This file is a template for an Apache virtual host.
# This virtual host listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.

# (1) Choose between www and non-www.

# NOTE(review): the `VirtualHost` and `Directory` containers that normally
# wrap these directives are missing from this listing (likely stripped in
# extraction), so `Require all granted` appears unscoped. Confirm it applies
# only to the document root in the deployed file.

# (1)
ServerName example.com
ServerAlias www.example.com

# Path for static files
DocumentRoot "/var/www/example.com/public"

# TLS: engine settings, certificate/key paths, protocol and cipher policy.
# (`ssl_engine.conf` and `certificate_files.conf` both set `SSLEngine On`;
# harmless, but only one of them needs to.)
Include h5bp/tls/ssl_engine.conf
Include h5bp/tls/certificate_files.conf
Include h5bp/tls/policy_balanced.conf

# (1) Redirects `www.example.com` to `example.com`; swap for
# `rewrite_www.conf` if you prefer the `www.` form, never include both.
Include h5bp/rewrites/rewrite_nowww.conf

# Include the basic h5bp config set
# NOTE(review): `basic.conf` does not include
# `h5bp/security/strict-transport-security.conf`; once every host and
# subdomain is served over TLS, consider including it here so browsers stop
# attempting plain-HTTP connections.
Include h5bp/basic.conf

# Allow access to the files under DocumentRoot.
Require all granted

--------------------------------------------------------------------------------
/h5bp/web_performance/file_concatenation.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | File concatenation |
# ----------------------------------------------------------------------

# Allow concatenation from within specific files.
#
# If you have the following lines in a file called, for example,
# `main.combined.js`:
#
#   <!--#include file="PATH_TO_FIRST_FILE" -->
#   <!--#include file="PATH_TO_SECOND_FILE" -->
#
# Apache will replace those lines with the content of the specified files.
#
# NOTE(review): `Options +Includes` enables every SSI element, including
# `#exec`, which runs commands on the server. If these files only ever use
# `#include`, `Options +IncludesNOEXEC` gives the same concatenation with
# that element disabled. The containers that presumably restrict the filter
# to `*.combined.js` / `*.combined.css` are not visible in this listing; as
# shown, `SetOutputFilter INCLUDES` would apply to every file in scope.

# JavaScript: run the INCLUDES filter on the listed script media types.
Options +Includes
AddOutputFilterByType INCLUDES application/javascript \
application/x-javascript \
text/javascript
SetOutputFilter INCLUDES

# CSS: same for stylesheets.
Options +Includes
AddOutputFilterByType INCLUDES text/css
SetOutputFilter INCLUDES

--------------------------------------------------------------------------------
/h5bp/rewrites/rewrite_http_to_https.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Forcing `https://` |
# ----------------------------------------------------------------------

# Redirect from the `http://` to the `https://` version of the URL.
#
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot method it
# will fail to validate the certificate if validation requests are
# redirected to HTTPS. Turn on the condition(s) you need.
#
# https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
# https://tools.ietf.org/html/draft-ietf-acme-acme-12

RewriteEngine On
# Only act on plain-HTTP requests.
RewriteCond %{HTTPS} !=on
# (1)
# RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$
# RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
# The target is built from the request's own `Host` header, so the redirect
# follows whatever host the client asked for. That is fine when a catch-all
# default vhost (see `vhosts/`) refuses unknown hosts; if it does not, prefer
# `%{SERVER_NAME}` with `UseCanonicalName On` so the redirect can only point
# at the configured host. 301 is permanent and cached by browsers.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

--------------------------------------------------------------------------------
/h5bp/security/trace_method.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Disable TRACE HTTP Method |
# ----------------------------------------------------------------------

# Prevent Apache from responding to `TRACE` HTTP requests.
#
# The TRACE method, while seemingly harmless, can be successfully leveraged
# in some scenarios to steal legitimate users' credentials.
#
# Modern browsers now prevent TRACE requests being made via JavaScript,
# however, other ways of sending TRACE requests with browsers have been
# discovered, such as using Java.
#
# (!) If you have access to the main server configuration file, use the
# `TraceEnable` directive instead.
#
# https://tools.ietf.org/html/rfc7231#section-4.3.8
# https://www.owasp.org/index.php/Cross_Site_Tracing
# https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
# https://httpd.apache.org/docs/current/mod/core.html#traceenable

# mod_rewrite fallback for `.htaccess` use: answer TRACE with 405 Method Not
# Allowed. `TraceEnable Off` in the server config is the proper fix because
# it is handled by core before any rewrite runs.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
RewriteRule .* - [R=405,L]

--------------------------------------------------------------------------------
/h5bp/tls/policy_strict.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | SSL policy - Strict |
# ----------------------------------------------------------------------

# For services that don't need backward compatibility, the parameters below
# provide the highest level of security and performance.
#
# (!) This policy enforces a strong TLS configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "balanced" policy.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable.
#
# Add them back to the `ECDHParameters` value below to support
# Microsoft Edge and Safari.
#
# https://safecurves.cr.yp.to/
#
# https://github.com/mozilla/server-side-tls/issues/217
# https://httpd.apache.org/docs/current/ssl/ssl_howto.html
# https://httpd.apache.org/docs/current/mod/mod_ssl.html

# TLS 1.3 only.
SSLProtocol TLSv1.3
# NOTE(review): this list governs TLS 1.2-and-older suites, which the line
# above disables, so it has no effect here; TLS 1.3 suites are fixed by
# OpenSSL. httpd 2.4.36+ accepts a separate `SSLCipherSuite TLSv1.3 ...`
# form if those need narrowing.
SSLCipherSuite EECDH+CHACHA20:EECDH+AES

# (1)
SSLOpenSSLConfCmd ECDHParameters X25519

--------------------------------------------------------------------------------
/h5bp/web_performance/etags.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | ETags |
# ----------------------------------------------------------------------

# Enable ETags.
#
# (1) Don't change the ETag on a compressed response.
# The default prevents serving "HTTP Not Modified" (304) responses to
# conditional requests for compressed content.
# https://httpd.apache.org/docs/current/mod/mod_deflate.html#deflatealteretag
#
# (2) `DeflateAlterETag` is not supported on versions older than 2.5.
# As an alternative to the previous directive, this one is used to keep
# both the original ETag and the modified one when compressing responses.
# https://symfony.com/doc/current/http_cache/validation.html
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag
# https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
# https://tools.ietf.org/html/rfc7232#section-2.3
# https://httpd.apache.org/docs/current/mod/core.html#fileetag

# Build the tag from modification time and size only: leaving out `INode`
# keeps inode numbers out of responses and makes tags stable across servers
# serving the same files.
FileETag MTime Size

# (1)
#DeflateAlterETag NoChange

# (2) When the client sends back the `-gzip` tag mod_deflate appended, rewrite
# the conditional header to list both that tag and the original one, so the
# comparison can match either.
RequestHeader edit "If-None-Match" '^"((.*)-gzip)"$' '"$1", "$2"'

--------------------------------------------------------------------------------
/h5bp/media_types/character_encodings.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Character encodings |
# ----------------------------------------------------------------------

# Serve all resources labeled as `text/html` or `text/plain` with the media type
# `charset` parameter set to `utf-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

# Only applies to `text/html` and `text/plain`; other types are handled below.
AddDefaultCharset utf-8

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Serve the following file types with the media type `charset` parameter set to
# `utf-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset

# Matched by file extension (mod_mime), independent of the media type.
AddCharset utf-8 .appcache \
.bbaw \
.css \
.htc \
.ics \
.js \
.json \
.manifest \
.map \
.markdown \
.md \
.mjs \
.topojson \
.vcard \
.vcf \
.vtt \
.webmanifest \
.xloc

--------------------------------------------------------------------------------
/h5bp/tls/certificate_files.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Certificate files |
# ----------------------------------------------------------------------

# (1) Turn on the SSL engine.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslengine
#
# (2) Certificate and key file locations.
# The certificate file can contain the intermediate certificate(s) after the
# leaf certificate.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatefile
#
# (3) Intermediate certificate location, needed only if the certificate file
# from (2) does not already contain the chain; OCSP stapling requires the
# issuer certificate to be available one way or the other.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile
#
# (4) CA certificate file location for client certificate authentication.
#
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcacertificatefile

# (1) Also set by `ssl_engine.conf`; redundant when both files are included.
SSLEngine On

# (2) Replace the default paths with your own. NOTE(review): the key file
# should be readable only by the user that starts httpd.
SSLCertificateFile /usr/local/apache2/certs/default.crt
SSLCertificateKeyFile /usr/local/apache2/certs/default.key

# (3) `SSLCertificateChainFile` is deprecated since httpd 2.4.8; putting the
# chain into the `SSLCertificateFile` (2) is the supported way.
# SSLCertificateChainFile /path/to/intermediate_certificate

# (4)
# SSLCACertificateFile /path/to/ca_certs_for_client_authentication

--------------------------------------------------------------------------------
/h5bp/security/referrer-policy.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Referrer Policy |
# ----------------------------------------------------------------------

# Set a strict Referrer Policy to mitigate information leakage.
#
# (1) The `Referrer-Policy` header is included in responses for resources
# that are able to request (or navigate to) other resources.
#
# This includes the commonly used resource types:
# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
# To check your Referrer Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://www.w3.org/TR/referrer-policy/
# https://owasp.org/www-project-secure-headers/#referrer-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/

# (1) The trailing `expr=` condition limits the header to responses whose
# Content-Type matches the listed types (case-insensitive); `always` makes
# it apply to error responses of those types as well.
Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"

--------------------------------------------------------------------------------
/h5bp/rewrites/rewrite_nowww.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Suppressing the `www.` at the beginning of URLs |
# ----------------------------------------------------------------------

# Rewrite www.example.com → example.com

# The same content should never be available under two different URLs,
# especially not with and without `www.` at the beginning.
# This can cause SEO problems (duplicate content), and therefore, you should
# choose one of the alternatives and redirect the other one.
#
# (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!

# (1) Set the %{ENV:PROTO} variable, to allow rewrites to redirect with the
# appropriate scheme automatically (http or https).
#
# (2) The rule assumes by default that both HTTP and HTTPS environments are
# available for redirection.
# If your SSL certificate cannot cover one of the domains used during
# redirection, you should turn the condition on.
#
# https://github.com/h5bp/server-configs-apache/issues/52

RewriteEngine On

# (1) Capture the scheme of the current request into PROTO; neither rule
# rewrites anything (`-`), they only set the variable.
RewriteCond %{HTTPS} =on
RewriteRule ^ - [E=PROTO:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^ - [E=PROTO:http]

# (2)
# RewriteCond %{HTTPS} !=on

# `%1` is the host captured (minus `www.`) by the preceding RewriteCond. The
# path comes from REQUEST_URI and mod_rewrite re-appends the original query
# string. Like any Host-derived redirect, this relies on unknown hosts being
# rejected by the default vhost.
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]

--------------------------------------------------------------------------------
/h5bp/web_performance/content_transformation.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Content transformation |
# ----------------------------------------------------------------------

# Prevent intermediate caches or proxies (such as those used by mobile
# network providers) and browser data-saving features from modifying
# the website's content, using the `no-transform` directive of the
# `Cache-Control` header.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://tools.ietf.org/html/rfc7234#section-5.2.2.4
#
# (!) Carefully consider the impact on your visitors before disabling
# content transformation. These transformations are performed to
# improve the experience for data- and cost-constrained users
# (e.g. users on a 2G connection).
#
# You can test the effects of content transformation applied by
# Google's Lite Mode by visiting: https://googleweblight.com/i?u=https://www.example.com
#
# https://support.google.com/webmasters/answer/6211428
#
# (!) If you are using `mod_pagespeed`, note that disabling this will
# prevent `PageSpeed` from rewriting HTML files, and, if the
# `ModPagespeedDisableRewriteOnNoTransform` directive isn't set to
# `off`, also from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform

# `merge` appends `no-transform` to an existing `Cache-Control` value (or
# creates the header) without duplicating it if it is already present.
Header merge Cache-Control "no-transform"

--------------------------------------------------------------------------------
/h5bp/rewrites/rewrite_www.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Forcing the `www.` at the beginning of URLs |
3 | # ----------------------------------------------------------------------
4 |
5 | # Rewrite example.com → www.example.com
6 |
7 | # The same content should never be available under two different URLs,
8 | # especially not with and without `www.` at the beginning.
9 | # This can cause SEO problems (duplicate content), and therefore, you should
10 | # choose one of the alternatives and redirect the other one.
11 | #
12 | # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
13 |
14 | # (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
15 | # appropriate schema automatically (http or https).
16 | #
17 | # (2) The rule assumes by default that both HTTP and HTTPS environments are
18 | # available for redirection.
19 | # If your SSL certificate cannot cover one of the domains used during
20 | # redirection, you should enable the condition.
21 | #
22 | # https://github.com/h5bp/server-configs-apache/issues/52
23 |
24 | # Be aware that the following might not be a good idea if you use "real"
25 | # subdomains for certain parts of your website.
26 |
27 |
28 |
29 | RewriteEngine On
30 |
31 | # (1)
# Record the scheme of the incoming request in the PROTO environment
# variable so the redirect below preserves it (https stays https).
32 | RewriteCond %{HTTPS} =on
33 | RewriteRule ^ - [E=PROTO:https]
34 | RewriteCond %{HTTPS} !=on
35 | RewriteRule ^ - [E=PROTO:http]
36 |
37 | # (2)
38 | # RewriteCond %{HTTPS} !=on
39 |
# Redirect every host that does not already start with `www.`, except when
# the request arrived on a loopback address (IPv4 and IPv6), presumably so
# local checks are not bounced to the public name — confirm.
# The target is built from the client-supplied `Host` header
# (`www.%{HTTP_HOST}`); keep this rule inside virtual hosts bound to explicit
# `ServerName`/`ServerAlias` values so unknown host names never reach it.
40 | RewriteCond %{HTTP_HOST} !^www\. [NC]
41 | RewriteCond %{SERVER_ADDR} !=127.0.0.1
42 | RewriteCond %{SERVER_ADDR} !=::1
43 | RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
44 |
45 |
46 |
--------------------------------------------------------------------------------
/h5bp/rewrites/rewrite_engine.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Rewrite engine |
3 | # ----------------------------------------------------------------------
4 |
5 | # (1) Turn on the rewrite engine (this is necessary in order for the
6 | # `RewriteRule` directives to work).
7 | #
8 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
9 | #
10 | # (2) Enable the `FollowSymLinks` option if it isn't already.
11 | #
12 | # https://httpd.apache.org/docs/current/mod/core.html#options
13 | #
14 | # (3) If your web host doesn't allow the `FollowSymlinks` option, you need to
15 | # comment it out or remove it, and then uncomment the
16 | # `Options +SymLinksIfOwnerMatch` line (4), but be aware of the performance
17 | # impact.
18 | #
19 | # https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
20 | #
21 | # (4) Some cloud hosting services will require you set `RewriteBase`.
22 | #
23 | # https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
24 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
25 | #
26 | # (5) Depending on how your server is set up, you may also need to use the
27 | # `RewriteOptions` directive to enable some options for the rewrite engine.
28 | #
29 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
30 |
31 |
32 |
33 | # (1)
34 | RewriteEngine On
35 |
36 | # (2)
# `FollowSymLinks` lets the server follow any symbolic link under the
# document root, including links that point outside it. On shared hosts,
# or wherever untrusted users can create links in the served tree, the
# `SymLinksIfOwnerMatch` alternative in (3) is the safer choice (links are
# followed only when link and target share an owner).
37 | Options +FollowSymlinks
38 |
39 | # (3)
40 | # Options +SymLinksIfOwnerMatch
41 |
42 | # (4)
43 | # RewriteBase /
44 |
45 | # (5)
46 | # RewriteOptions
47 |
48 |
49 |
--------------------------------------------------------------------------------
/h5bp/security/permissions-policy.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Permissions Policy |
3 | # ----------------------------------------------------------------------
4 |
5 | # Set a strict Permissions Policy to mitigate access to browser features.
6 | #
7 | # The header uses a structured syntax, and allows sites to more tightly
8 | # restrict which origins can be granted access to features.
9 | # The list of available features: https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
10 | #
11 | # The example policy below aims to disable all features except synchronous
12 | # `XMLHttpRequest` requests on the same origin.
13 | #
14 | # To check your Permissions Policy, you can use an online service, such as:
15 | # https://securityheaders.com/
16 | # https://observatory.mozilla.org/
17 | #
18 | # https://www.w3.org/TR/permissions-policy-1/
19 | # https://owasp.org/www-project-secure-headers/#permissions-policy
20 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
21 | # https://scotthelme.co.uk/a-new-security-header-feature-policy/
22 |
23 |
# One logical directive (backslash-continued). Every listed feature is set to
# the empty allowlist `()`, i.e. denied for the page and all embedded frames;
# only `sync-xhr` keeps `(self)`, allowing same-origin synchronous XHR.
# The trailing `expr=` condition restricts the header to HTML, JavaScript,
# PDF and XML responses, matched case-insensitively on `Content-Type`.
# Do not place comment lines between the continued lines below: they would
# terminate the directive early.
24 | Header always set Permissions-Policy "\
25 | accelerometer=(),\
26 | autoplay=(),\
27 | browsing-topics=(),\
28 | camera=(),\
29 | display-capture=(),\
30 | document-domain=(),\
31 | encrypted-media=(),\
32 | fullscreen=(),\
33 | geolocation=(),\
34 | gyroscope=(),\
35 | magnetometer=(),\
36 | microphone=(),\
37 | midi=(),\
38 | payment=(),\
39 | picture-in-picture=(),\
40 | publickey-credentials-get=(),\
41 | screen-wake-lock=(),\
42 | sync-xhr=(self),\
43 | usb=(),\
44 | web-share=(),\
45 | xr-spatial-tracking=()\
46 | " "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
47 |
48 |
--------------------------------------------------------------------------------
/h5bp/security/x-frame-options.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Frame Options |
3 | # ----------------------------------------------------------------------
4 |
5 | # Protect website against clickjacking.
6 | #
7 | # The example below sends the `X-Frame-Options` response header with the value
8 | # `DENY`, informing browsers not to display the content of the web page in any
9 | # frame.
10 | #
11 | # This might not be the best setting for everyone. You should read about the
12 | # other two possible values the `X-Frame-Options` header field can have:
13 | # `SAMEORIGIN` and `ALLOW-FROM`.
14 | # https://tools.ietf.org/html/rfc7034#section-2.1.
15 | #
16 | # Keep in mind that while you could send the `X-Frame-Options` header for all
17 | # of your website's pages, this has the potential downside that it forbids even
18 | # non-malicious framing of your content.
19 | #
20 | # Nonetheless, you should ensure that you send the `X-Frame-Options` header for
21 | # all pages that allow a user to make a state-changing operation (e.g: pages
22 | # that contain one-click purchase links, checkout or bank-transfer confirmation
23 | # pages, pages that make permanent configuration changes, etc.).
24 | #
25 | # Sending the `X-Frame-Options` header can also protect your website against
26 | # more than just clickjacking attacks.
27 | # https://cure53.de/xfo-clickjacking.pdf.
28 | #
29 | # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
30 | # which obsoletes this header for supporting browsers.
31 | #
32 | # https://tools.ietf.org/html/rfc7034
33 | # https://owasp.org/www-project-secure-headers/#x-frame-options
34 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
35 | # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
36 |
37 |
38 | Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
39 |
40 |
--------------------------------------------------------------------------------
/h5bp/security/strict-transport-security.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | HTTP Strict Transport Security (HSTS) |
3 | # ----------------------------------------------------------------------
4 |
5 | # Force client-side TLS (Transport Layer Security) redirection.
6 | #
7 | # If a user types `example.com` in their browser, even if the server redirects
8 | # them to the secure version of the website, that still leaves a window of
9 | # opportunity (the initial HTTP connection) for an attacker to downgrade or
10 | # redirect the request.
11 | #
12 | # The following header ensures that a browser only connects to your server
13 | # via HTTPS, regardless of what the users type in the browser's address bar.
14 | #
15 | # (!) Be aware that Strict Transport Security is not revokable and you
16 | # must ensure being able to serve the site over HTTPS for the duration
17 | # you've specified in the `max-age` directive. When you don't have a
18 | # valid TLS connection anymore (e.g. due to an expired TLS certificate)
19 | # your visitors will see a nasty error message even when attempting to
20 | # connect over HTTP.
21 | #
22 | # (1) Preloading Strict Transport Security.
23 | # To submit your site for HSTS preloading, it is required that:
24 | # * the `includeSubDomains` directive is specified
25 | # * the `preload` directive is specified
26 | # * the `max-age` is specified with a value of at least 31536000 seconds
27 | # (1 year).
28 | # https://hstspreload.org/#deployment-recommendations
29 | #
30 | # https://tools.ietf.org/html/rfc6797#section-6.1
31 | # https://owasp.org/www-project-secure-headers/#http-strict-transport-security
32 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
33 | # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
34 | # https://hstspreload.org/
35 |
36 |
# Sent only on TLS responses (`%{HTTPS} == 'on'`): HSTS received over plain
# HTTP is ignored by browsers, and the condition avoids advertising a policy
# from a listener that cannot honour it.
# `max-age=16070400` is 186 days — deliberately below the one-year minimum
# required for preloading; see (1) below for the preload variant.
37 | Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
38 | # (1) Enable your site for HSTS preload inclusion.
39 | # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
40 |
41 |
--------------------------------------------------------------------------------
/h5bp/security/file_access.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | File access |
3 | # ----------------------------------------------------------------------
4 |
5 | # Block access to directories without a default document.
6 | #
7 | # You should leave the following uncommented, as you shouldn't allow anyone to
8 | # surf through every directory on your server (which may include rather
9 | # private places such as the CMS's directories).
10 |
11 | Options -Indexes
12 |
13 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14 |
15 | # Block access to all hidden files and directories except for the
16 | # visible content from within the `/.well-known/` hidden directory.
17 | #
18 | # These types of files usually contain user preferences or the preserved state
19 | # of a utility, and can include rather private places like, for example, the
20 | # `.git` or `.svn` directories.
21 | #
22 | # The `/.well-known/` directory represents the standard (RFC 5785) path prefix
23 | # for "well-known locations" (e.g.: `/.well-known/manifest.json`,
24 | # `/.well-known/keybase.txt`), and therefore, access to its visible content
25 | # should not be blocked.
26 | #
27 | # https://www.mnot.net/blog/2010/04/07/well-known
28 | # https://tools.ietf.org/html/rfc5785
29 |
30 |
31 | RewriteEngine On
# Exempt paths under a `.well-known/` directory whose remaining segments
# are themselves not hidden (no leading dot), case-insensitively.
32 | RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
# Only act when the dotted path resolves to an existing directory or file;
# otherwise the request falls through (e.g. to a front controller).
# NOTE(review): this makes the response differ between an existing hidden
# path (403) and a missing one, which discloses that e.g. a `.git` directory
# is present — acceptable for most sites, but worth knowing.
33 | RewriteCond %{SCRIPT_FILENAME} -d [OR]
34 | RewriteCond %{SCRIPT_FILENAME} -f
# Any path segment starting with a dot is refused with 403 Forbidden.
35 | RewriteRule "(^|/)\." - [F]
36 |
37 |
38 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
39 |
40 | # Block access to files that can expose sensitive information.
41 | #
42 | # By default, block access to backup and source files that may be left by some
43 | # text editors and can pose a security risk when anyone has access to them.
44 | #
45 | # https://feross.org/cmsploit/
46 | #
47 | # (!) Update the `<FilesMatch>` regular expression below to include any
48 | # files that might end up on your production server and can expose
49 | # sensitive information about your website. These files may include:
50 | # configuration files, files that contain metadata about the project (e.g.:
51 | # project dependencies, build scripts, etc.).
52 |
53 |
54 |
55 | Require all denied
56 |
57 |
58 |
--------------------------------------------------------------------------------
/h5bp/security/cross-origin-policy.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Cross Origin Policy |
3 | # ----------------------------------------------------------------------
4 |
5 | # Set a strict Cross Origin Policy to mitigate information leakage.
6 | #
7 | # (1) Cross-Origin-Embedder-Policy prevents a document from loading any
8 | # cross-origin resources that don’t explicitly grant the document
9 | # permission.
10 | # https://html.spec.whatwg.org/multipage/origin.html#coep
11 | # https://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy
12 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
13 | #
14 | # (2) Cross-Origin-Opener-Policy allows you to ensure a top-level document does
15 | # not share a browsing context group with cross-origin documents.
16 | # https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
17 | # https://owasp.org/www-project-secure-headers/#cross-origin-opener-policy
18 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
19 | #
20 | # (3) Cross-Origin-Resource-Policy allows to define a policy that lets web
21 | # sites and applications opt in to protection against certain requests from
22 | # other origins, to mitigate speculative side-channel attacks.
23 | # https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
24 | # https://owasp.org/www-project-secure-headers/#cross-origin-resource-policy
25 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
26 | # https://resourcepolicy.fyi/
27 | #
28 | # To check your Cross Origin Policy, you can use an online service, such as:
29 | # https://securityheaders.com/
30 | # https://observatory.mozilla.org/
31 | #
32 | # https://web.dev/coop-coep/
33 | # https://web.dev/why-coop-coep/
34 | # https://web.dev/cross-origin-isolation-guide/
35 | # https://scotthelme.co.uk/coop-and-coep/
36 |
37 |
38 | # (1)
# `require-corp` makes the browser refuse every cross-origin subresource
# (images, scripts, fonts, frames) that does not opt in via CORP or CORS.
# Enabling this on an existing site commonly breaks third-party embeds;
# verify with the online checkers listed above before deploying.
39 | Header always set Cross-Origin-Embedder-Policy "require-corp" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
40 |
41 | # (2)
# `same-origin` isolates the top-level browsing context from cross-origin
# openers/popups (e.g. `window.opener` references are severed).
42 | Header always set Cross-Origin-Opener-Policy "same-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
43 |
44 | # (3)
# `same-origin` tells browsers not to hand these responses to documents of
# other origins via no-cors requests.
# All three headers are limited by the `expr=` condition to HTML, JavaScript,
# PDF and XML responses.
45 | Header always set Cross-Origin-Resource-Policy "same-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
46 |
47 |
--------------------------------------------------------------------------------
/h5bp/web_performance/pre-compressed_content_gzip.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | GZip pre-compressed content |
3 | # ----------------------------------------------------------------------
4 |
5 | # Serve gzip compressed CSS, JS, HTML, SVG, ICS, and JSON files if they exist
6 | # and if the client accepts gzip encoding.
7 | #
8 | # (!) To make this part relevant, you need to generate the encoded files
9 | # yourself. Enabling this part will not auto-generate gzipped files.
10 | #
11 | # (!) In special case of serving pre-compressed content only, note that
12 | # `DirectoryIndex` directive adjustments could be required to change
13 | # default resources priorities.
14 | # https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
15 | #
16 | # (1) In a virtual host context, `REQUEST_FILENAME` may be equal to
17 | # `REQUEST_URI` while URL translation to file path is still pending.
18 | # In that case, enabling the look-ahead flag on `RewriteCond` (`LA-U`)
19 | # will extract URI last segment to work around a file path resolution.
20 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond
21 | #
22 | # (2) Removing default MIME Type for .gz files allowing to add custom
23 | # sub-types.
24 | # You may prefer using less generic extensions such as .html_gz in order to
25 | # keep the default behavior regarding .gz files.
26 | # https://httpd.apache.org/docs/current/mod/mod_mime.html#removetype
27 | #
28 | # https://httpd.apache.org/docs/current/mod/mod_deflate.html#precompressed
29 |
30 |
31 |
# Substring match on the request's `Accept-Encoding` header; a value such as
# `gzip;q=0` would still match — a minor edge case.
# This file contains no `RewriteEngine On`; presumably it relies on
# h5bp/rewrites/rewrite_engine.conf being enabled alongside it — confirm.
32 | RewriteCond %{HTTP:Accept-Encoding} gzip
33 | # (1)
# Only rewrite when the pre-compressed sibling file actually exists.
34 | RewriteCond %{REQUEST_FILENAME}\.gz -f
35 | # RewriteCond %{LA-U:REQUEST_FILENAME}\.gz -f
# Internal rewrite (no `R` flag): the client keeps the original URL.
36 | RewriteRule \.(css|ics|js|json|html|svg)$ %{REQUEST_URI}.gz [L]
37 |
38 | # Prevent mod_deflate double gzip
39 | RewriteRule \.gz$ - [E=no-gzip:1]
40 |
41 |
42 |
43 |
44 | # (2)
# Drop the default `.gz` type so the two-part extensions below decide the
# media type of the rewritten file.
45 | RemoveType gz
46 |
47 | # Serve correct content types
48 | AddType text/css css.gz
49 | AddType text/calendar ics.gz
50 | AddType text/javascript js.gz
51 | AddType application/json json.gz
52 | AddType text/html html.gz
53 | AddType image/svg+xml svg.gz
54 |
55 | # Serve correct content charset
# One backslash-continued directive; keep comments outside it.
56 | AddCharset utf-8 .css.gz \
57 | .ics.gz \
58 | .js.gz \
59 | .json.gz
60 |
61 |
62 |
63 | # Force proxies to cache gzipped and non-gzipped files separately
64 | Header append Vary Accept-Encoding
65 |
66 |
67 |
68 |
69 |
70 | # Serve correct encoding type
# Marks `.gz` files as gzip-encoded so the response carries
# `Content-Encoding: gzip` and the client decodes it transparently.
71 | AddEncoding gzip .gz
72 |
73 |
74 |
75 |
--------------------------------------------------------------------------------
/h5bp/web_performance/pre-compressed_content_brotli.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Brotli pre-compressed content |
3 | # ----------------------------------------------------------------------
4 |
5 | # Serve brotli compressed CSS, JS, HTML, SVG, ICS and JSON files if they exist
6 | # and if the client accepts br encoding.
7 | #
8 | # (!) To make this part relevant, you need to generate the encoded files
9 | # yourself. Enabling this part will not auto-generate brotlied files.
10 | #
11 | # (!) In special case of serving pre-compressed content only, note that
12 | # `DirectoryIndex` directive adjustments could be required to change
13 | # default resources priorities.
14 | # https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex
15 | #
16 | # (1) In a virtual host context, `REQUEST_FILENAME` may be equal to
17 | # `REQUEST_URI` while URL translation to file path is still pending.
18 | # In that case, enabling the look-ahead flag on `RewriteCond` (`LA-U`)
19 | # will extract URI last segment to work around a file path resolution.
20 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritecond
21 | #
22 | # (2) Remove default Content-Language header added for .br files.
23 | # https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
24 | #
25 | # Note that some clients (e.g. browsers) require a secure connection to request
26 | # brotli-compressed resources.
27 | # https://www.chromestatus.com/feature/5420797577396224
28 | #
29 | # https://httpd.apache.org/docs/current/mod/mod_brotli.html#precompressed
30 |
31 |
32 |
# Substring match on the request's `Accept-Encoding` header; a value such as
# `br;q=0` would still match — a minor edge case.
# This file contains no `RewriteEngine On`; presumably it relies on
# h5bp/rewrites/rewrite_engine.conf being enabled alongside it — confirm.
33 | RewriteCond %{HTTP:Accept-Encoding} br
34 | # (1)
# Only rewrite when the pre-compressed sibling file actually exists.
35 | RewriteCond %{REQUEST_FILENAME}\.br -f
36 | # RewriteCond %{LA-U:REQUEST_FILENAME}\.br -f
# Internal rewrite (no `R` flag): the client keeps the original URL.
37 | RewriteRule \.(css|ics|js|json|html|svg)$ %{REQUEST_URI}.br [L]
38 |
39 | # Prevent mod_deflate from gzip-compressing the already brotli-encoded file.
# NOTE(review): `no-gzip` only affects mod_deflate. If mod_brotli is loaded
# as well, confirm it does not re-encode `.br` responses (it honours a
# `no-brotli` environment variable).
40 | RewriteRule \.br$ - [E=no-gzip:1]
41 |
42 |
43 |
44 |
45 | # (2)
# Without this, mod_mime would treat `.br` as a language extension
# (Breton) and add a `Content-Language` header.
46 | RemoveLanguage .br
47 |
48 | # Serve correct content types
49 | AddType text/css css.br
50 | AddType text/calendar ics.br
51 | AddType text/javascript js.br
52 | AddType application/json json.br
53 | AddType text/html html.br
54 | AddType image/svg+xml svg.br
55 |
56 | # Serve correct content charset
# One backslash-continued directive; keep comments outside it.
57 | AddCharset utf-8 .css.br \
58 | .ics.br \
59 | .js.br \
60 | .json.br
61 |
62 |
63 |
64 | # Force proxies to cache brotlied and non-brotlied files separately
65 | Header append Vary Accept-Encoding
66 |
67 |
68 |
69 |
70 |
71 | # Serve correct encoding type
# Marks `.br` files as brotli-encoded so the response carries
# `Content-Encoding: br` and the client decodes it transparently.
72 | AddEncoding br .br
73 |
74 |
75 |
76 |
--------------------------------------------------------------------------------
/h5bp/web_performance/cache-control.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Cache Control |
3 | # ----------------------------------------------------------------------
4 |
5 | # Serve resources with appropriate cache control directives.
6 | #
7 | # The `Cache-Control` header field holds directives (instructions) that control
8 | # caching in browsers and shared caches (e.g. Proxies, CDNs).
9 | # It is used to improve web performance by specifying the expected
10 | # behavior of client and network caches.
11 | #
12 | # The usable cache directives are listed here:
13 | # https://www.iana.org/assignments/http-cache-directives/http-cache-directives.xml
14 | #
15 | # The cache directives are documented here:
16 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#response_directives
17 | #
18 | # (!) Enable and configure this configuration with care.
19 | # Default values should embrace conformance for static files and simple
20 | # apps, but cache control definition at backend level is highly preferred.
21 | # Incorrect directives can lead to data leaks, or can degrade performance.
22 | #
23 | # More specifically, in-depth understanding on `public` vs `private`
24 | # directives meanings is highly recommended. A resource with `public` will
25 | # be cached by shared caches like CDN, even if a user session is active.
26 | #
27 | # (!) The config directive `Header` must be used with the appropriate action.
28 | # Depending on the need, `merge` keeps the current value, if any, of
29 | # `Cache-Control` header, while `set` resets the value, including the one
30 | # added by `ExpiresByType` directive in the cache expiration config file
31 | # h5bp/web_performance/cache_expiration.conf.
32 | # https://httpd.apache.org/docs/current/mod/mod_headers.html#header
33 | #
34 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
35 | # https://www.rfc-editor.org/rfc/rfc9111.html
36 | # https://www.rfc-editor.org/rfc/rfc8246.html
37 | # https://www.rfc-editor.org/rfc/rfc5861.html
38 | # https://www.iana.org/assignments/http-cache-directives/http-cache-directives.xml
39 | # https://cache-tests.fyi/
40 |
41 |
42 |
43 | # Default
# Applies only when the response already carries exactly
# `Cache-Control: max-age=31536000` (the value mod_expires emits for the
# one-year `ExpiresDefault` in cache_expiration.conf).
# NOTE(review): RFC 5861 defines `stale-while-revalidate` with a mandatory
# `=delta-seconds` argument; the bare token used here (and on the "Assets"
# and "Data interchange" lines below) may be ignored by strict caches —
# decide on a value and add it.
44 | Header merge Cache-Control "public, immutable, stale-while-revalidate" "expr=%{resp:Cache-Control} == 'max-age=31536000'"
45 |
46 | # No content
# `-z` is true when `Content-Type` is empty.
47 | Header merge Cache-Control "no-store" "expr=-z %{CONTENT_TYPE}"
48 |
49 | # Manifest files
50 | Header merge Cache-Control "public" "expr=%{CONTENT_TYPE} =~ m#application/manifest\+json#i"
51 | Header set Cache-Control "no-cache" "expr=%{CONTENT_TYPE} =~ m#text/cache-manifest#i"
52 |
53 | # Assets
54 | Header merge Cache-Control "public, immutable, stale-while-revalidate" "expr=%{CONTENT_TYPE} =~ m#image/x-icon#i"
55 |
56 | # Data interchange
57 | Header merge Cache-Control "public, stale-while-revalidate" "expr=%{CONTENT_TYPE} =~ m#application/(atom|rdf|rss)\+xml#i"
58 |
59 | # Documents
# `set` replaces whatever mod_expires put there; `private` keeps these
# responses out of shared caches (CDNs, proxies), which is the safe default
# for pages that may contain per-user content.
60 | Header set Cache-Control "no-cache, private, must-revalidate" "expr=%{CONTENT_TYPE} =~ m#text/(html|markdown|calendar)#i"
61 |
62 | # Data
# Generic JSON/XML, excluding the structured `+xml`/`+json` subtypes that
# received their own policy above.
63 | Header set Cache-Control "no-cache" "expr=%{CONTENT_TYPE} =~ m#json|xml#i && %{CONTENT_TYPE} !~ m#/(atom|rdf|rss|manifest|svg)\+#i"
64 |
65 |
66 |
--------------------------------------------------------------------------------
/bin/htaccess.conf:
--------------------------------------------------------------------------------
1 | # htaccess.conf
2 | #
3 | # This file defines which .htaccess module partials
4 | # are enabled or disabled.
5 | #
6 | # Each entry consists of a "keyword" and "filename",
7 | # separated by at least one space character.
8 | #
9 | # - keyword: one of "title", "enable", "disable", or "omit".
10 | # - filename: may be quoted if the filename has spaces.
11 | #
12 | # Example:
13 | #
14 | # title "cross-origin"
15 | # enable "path/to/a.conf"
16 | # disable "path/to/b.conf"
17 | # omit "path/to/not-needed.conf"
18 | #
19 | # Special keyword "no-partials-comments" can be included to
20 | # prevent the comments in the input partials from being copied
21 | # into the output .htaccess file.
22 | #
23 | # This keyword:
24 | # - does not override "title" and "disable" keywords. Comments
25 | # arising from these keywords will appear in the output.
26 | # - can build a streamlined "for production" .htaccess file.
27 |
28 |
29 | # ----------------------------------------------------------------------
30 | # | Comment control |
31 | # ----------------------------------------------------------------------
32 |
33 | # no-partials-comments
34 |
35 |
36 | # ----------------------------------------------------------------------
37 | # | Partials definitions |
38 | # ----------------------------------------------------------------------
39 |
40 |
41 | # Module "cross-origin"
42 |
43 | title "cross-origin"
44 | disable "h5bp/cross-origin/requests.conf"
45 | enable "h5bp/cross-origin/images.conf"
46 | enable "h5bp/cross-origin/web_fonts.conf"
47 | disable "h5bp/cross-origin/resource_timing.conf"
48 |
49 |
50 |
51 | # Module "errors"
52 |
53 | title "errors"
54 | disable "h5bp/errors/custom_errors.conf"
55 | enable "h5bp/errors/error_prevention.conf"
56 |
57 |
58 |
59 | # Module "media types and character encodings"
60 |
61 | title "media types and character encodings"
62 | enable "h5bp/media_types/media_types.conf"
63 | enable "h5bp/media_types/character_encodings.conf"
64 |
65 |
66 |
67 | # Module "rewrites"
68 |
69 | title "rewrites"
70 | enable "h5bp/rewrites/rewrite_engine.conf"
71 | disable "h5bp/rewrites/rewrite_http_to_https.conf"
72 | enable "h5bp/rewrites/rewrite_nowww.conf"
73 | disable "h5bp/rewrites/rewrite_www.conf"
74 |
75 |
76 |
77 | # Module "security"
78 |
# NOTE(review): with this default selection most response-header hardening
# partials (X-Frame-Options, CSP, HSTS, Referrer-Policy, COOP/COEP/CORP,
# Permissions-Policy) and the TRACE-method partial are disabled; only file
# access restrictions, `X-Content-Type-Options` and the server-information
# partials are on. Enable the others deliberately per site rather than
# assuming the generated .htaccess ships with them.
79 | title "security"
80 | disable "h5bp/security/x-frame-options.conf"
81 | disable "h5bp/security/content-security-policy.conf"
82 | enable "h5bp/security/file_access.conf"
83 | disable "h5bp/security/strict-transport-security.conf"
84 | enable "h5bp/security/x-content-type-options.conf"
85 | disable "h5bp/security/referrer-policy.conf"
86 | disable "h5bp/security/cross-origin-policy.conf"
87 | disable "h5bp/security/permissions-policy.conf"
88 | disable "h5bp/security/trace_method.conf"
89 | enable "h5bp/security/x-powered-by.conf"
90 | enable "h5bp/security/server_software_information.conf"
91 |
92 |
93 |
94 | # Module "web performance"
95 |
96 | title "web performance"
97 | enable "h5bp/web_performance/compression.conf"
98 | disable "h5bp/web_performance/pre-compressed_content_brotli.conf"
99 | disable "h5bp/web_performance/pre-compressed_content_gzip.conf"
100 | enable "h5bp/web_performance/no_etags.conf"
101 | enable "h5bp/web_performance/cache_expiration.conf"
102 | disable "h5bp/web_performance/cache-control.conf"
103 | disable "h5bp/web_performance/content_transformation.conf"
104 | disable "h5bp/web_performance/file_concatenation.conf"
105 | disable "h5bp/web_performance/filename-based_cache_busting.conf"
106 |
--------------------------------------------------------------------------------
/h5bp/web_performance/cache_expiration.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Cache expiration |
3 | # ----------------------------------------------------------------------
4 |
5 | # Serve resources with a far-future expiration date.
6 | #
7 | # (!) If you don't control versioning with filename-based cache busting, you
8 | # should consider lowering the cache times to something like one week.
9 | #
10 | # (!) When using an `.htaccess` file, the webserver config may already
11 | # have presets for some file types.
12 | # In that case, the general rule with `ExpiresDefault` might not be applied.
13 | # In order to override any presets, uncomment the appropriate "Generic"
14 | # lines below.
15 | # Online checker or validators can help investigating the served cache policy.
16 | #
17 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
18 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
19 | # https://httpd.apache.org/docs/current/mod/mod_expires.html
20 |
21 |
22 |
23 | ExpiresActive on
24 |
25 | # Default: Fallback
# mod_expires emits both an `Expires` header and a matching
# `Cache-Control: max-age=` directive; one year here is what the
# cache-control.conf "Default" rule keys on.
26 | ExpiresDefault "access plus 1 year"
27 |
28 | # Specific: Assets
29 | ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
30 | ExpiresByType image/x-icon "access plus 1 week"
31 |
32 | # Specific: Manifests
33 | ExpiresByType application/manifest+json "access plus 1 week"
# A bare "access" expires immediately (max-age=0).
34 | ExpiresByType application/x-web-app-manifest+json "access"
35 | ExpiresByType text/cache-manifest "access"
36 |
37 | # Specific: Data interchange
38 | ExpiresByType application/atom+xml "access plus 1 hour"
39 | ExpiresByType application/rdf+xml "access plus 1 hour"
40 | ExpiresByType application/rss+xml "access plus 1 hour"
41 |
42 | # Specific: Documents
43 | ExpiresByType text/html "access"
44 | ExpiresByType text/markdown "access"
45 | ExpiresByType text/calendar "access"
46 |
47 | # Specific: Other
48 | ExpiresByType text/x-cross-domain-policy "access plus 1 week"
49 |
50 | # Generic: Data
51 | ExpiresByType application/json "access"
52 | ExpiresByType application/ld+json "access"
53 | ExpiresByType application/schema+json "access"
54 | ExpiresByType application/geo+json "access"
55 | ExpiresByType application/xml "access"
56 | ExpiresByType text/xml "access"
57 |
# The commented "Generic" entries below equal the `ExpiresDefault` value;
# uncomment them only to override a per-type preset inherited from the
# server configuration (see the note at the top of this file).
58 | # Generic: WebAssembly
59 | # ExpiresByType application/wasm "access plus 1 year" # default
60 |
61 | # Generic: Assets
62 | # ExpiresByType application/javascript "access plus 1 year" # default
63 | # ExpiresByType application/x-javascript "access plus 1 year" # default
64 | # ExpiresByType text/javascript "access plus 1 year" # default
65 | # ExpiresByType text/css "access plus 1 year" # default
66 |
67 | # Generic: Medias
68 | # ExpiresByType audio/* "access plus 1 year" # default
69 | # ExpiresByType image/* "access plus 1 year" # default
70 | # ExpiresByType video/* "access plus 1 year" # default
71 | # ExpiresByType font/* "access plus 1 year" # default
72 |
73 |
74 |
--------------------------------------------------------------------------------
/h5bp/media_types/media_types.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Media types |
# ----------------------------------------------------------------------

# Serve resources with the proper media types (f.k.a. MIME types).
#
# The declared `Content-Type` is also a security control: when the
# `X-Content-Type-Options: nosniff` header is sent alongside, browsers trust
# the type declared here and do not sniff, so a missing or wrong mapping
# fails closed (script/style refused) rather than being guessed.
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype



# Data interchange

AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
AddType application/rss+xml rss
AddType application/geo+json geojson
AddType application/rdf+xml rdf
AddType application/xml xml


# JavaScript

# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages

AddType text/javascript js mjs


# Manifest files

AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
AddType text/cache-manifest appcache


# Media files

AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/avif avif avifs
AddType image/bmp bmp
AddType image/jxl jxl
# NOTE(review): SVG can embed script and is mapped here to an inline image
# type served from the site's own origin. User-uploaded SVG should not rely
# on this mapping alone (serve it from a separate origin, with
# `Content-Disposition: attachment`, or under a restrictive CSP).
AddType image/svg+xml svg svgz
AddType image/webp webp
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv

# Serving `.ico` image files with a different media type prevents
# Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

AddType image/x-icon cur ico


# WebAssembly

AddType application/wasm wasm


# Web fonts

AddType font/woff woff
AddType font/woff2 woff2
AddType application/vnd.ms-fontobject eot
AddType font/ttf ttf
AddType font/collection ttc
AddType font/otf otf


# Other

# Browser-extension packages and similar downloads; these are delivered as
# files, not rendered, so an opaque or vendor-specific type is intended.
AddType application/octet-stream safariextz
AddType application/x-bb-appworld bbaw
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType text/calendar ics
AddType text/markdown markdown md
AddType text/vcard vcard vcf
AddType text/vnd.rim.location.xloc xloc
AddType text/vtt vtt
AddType text/x-component htc



--------------------------------------------------------------------------------
/h5bp/web_performance/compression.conf:
--------------------------------------------------------------------------------
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------

# Directives below depend on mod_setenvif (SetEnvIfNoCase), mod_headers
# (RequestHeader), mod_filter and mod_deflate (AddOutputFilterByType
# DEFLATE) and mod_mime (AddEncoding).



# Force compression for mangled `Accept-Encoding` request headers
#
# Some intermediaries garble the `Accept-Encoding` header *name* (e.g.
# `Accept-EncodXng`, `X-cept-Encoding`, or a run of 15 `X`/`~`/`-`
# characters); Apache then sees no `Accept-Encoding` and replies
# uncompressed. The first regex matches such header names, the second
# requires the header *value* to still look like a gzip/deflate list (or a
# 4–13 character run of X/~/-); only then is HAVE_Accept-Encoding set and
# a clean, literal `gzip,deflate` appended. Nothing from the mangled value
# is copied into the new header.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Encoding
# https://calendar.perfplanet.com/2010/pushing-beyond-gzipping/



SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding



# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Compress all output labeled with one of the following media types.
#
# NOTE(review): compressing a response that mixes a per-request secret
# (e.g. a CSRF token) with attacker-influenced content exposes that secret
# to compression side-channel attacks (BREACH). If that applies to the
# `text/html` or JSON responses of this site, exclude those responses from
# DEFLATE or mask the secret per request.
#
# Some entries (`application/x-font-ttf`, `font/eot`, `font/opentype`) are
# legacy font types that are not mapped by the `AddType` rules shipped with
# these configs; they are harmless here and only matter if another config
# maps them.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype


AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"font/otf" \
"font/ttf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"



# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Map the following filename extensions to the specified encoding type so
# that Apache serves those files with the appropriate `Content-Encoding`
# response header (note that this does NOT make Apache compress them; the
# files on disk must already be gzip-compressed).
#
# If these file types were served without an appropriate `Content-Encoding`
# response header, client applications (e.g. browsers) would not know that
# they first need to decompress the response, and thus would not be able
# to understand the content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding


AddEncoding gzip svgz




--------------------------------------------------------------------------------
/h5bp/security/content-security-policy.conf:
--------------------------------------------------------------------------------
1 | # ----------------------------------------------------------------------
2 | # | Content Security Policy (CSP) |
3 | # ----------------------------------------------------------------------
4 |
5 | # Mitigate the risk of cross-site scripting and other content-injection
6 | # attacks.
7 | #
8 | # This can be done by setting a Content Security Policy which permits
9 | # trusted sources of content for your website.
10 | #
11 | # There is no policy that fits all websites; you will have to modify the
12 | # `Content-Security-Policy` directives in the example depending on your needs.
13 | #
14 | # (*) The example policy below aims to:
15 | #
16 | # - Restrict all fetches by default to the origin of the current website by
17 | # setting the `default-src` directive to `'self'` - which acts as a
18 | # fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
19 | #
20 | # This is convenient as you do not have to specify all Fetch directives
21 | # that apply to your site, for example:
22 | # `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc.
23 | #
24 | # This restriction also means that you must explicitly define which
25 | # site(s) your website is allowed to load resources from.
26 | #
27 | # - The `<base>` element is not allowed on the website. This prevents
28 | # attackers from changing the locations of resources loaded from relative
29 | # URLs.
30 | #
31 | # If you want to use the `<base>` element, then `base-uri 'self'` can be
32 | # used instead.
33 | #
34 | # - Form submissions are only allowed from the current website by setting:
35 | # `form-action 'self'`.
36 | #
37 | # - Prevents all websites (including your own) from embedding your webpages
38 | # within e.g. the `