```text
├── CHANGELOG.md
├── LICENSE.txt
├── README.md
├── bin
│   ├── build.sh
│   └── htaccess.conf
├── dist
│   └── .htaccess
├── h5bp
│   ├── basic.conf
│   ├── cross-origin
│   │   ├── images.conf
│   │   ├── requests.conf
│   │   ├── resource_timing.conf
│   │   └── web_fonts.conf
│   ├── errors
│   │   ├── custom_errors.conf
│   │   └── error_prevention.conf
│   ├── media_types
│   │   ├── character_encodings.conf
│   │   └── media_types.conf
│   ├── rewrites
│   │   ├── rewrite_engine.conf
│   │   ├── rewrite_http_to_https.conf
│   │   ├── rewrite_nowww.conf
│   │   └── rewrite_www.conf
│   ├── security
│   │   ├── content-security-policy.conf
│   │   ├── cross-origin-policy.conf
│   │   ├── file_access.conf
│   │   ├── permissions-policy.conf
│   │   ├── referrer-policy.conf
│   │   ├── server_software_information.conf
│   │   ├── strict-transport-security.conf
│   │   ├── trace_method.conf
│   │   ├── x-content-type-options.conf
│   │   ├── x-frame-options.conf
│   │   └── x-powered-by.conf
│   ├── tls
│   │   ├── certificate_files.conf
│   │   ├── ocsp_stapling.conf
│   │   ├── policy_balanced.conf
│   │   ├── policy_strict.conf
│   │   └── ssl_engine.conf
│   └── web_performance
│       ├── cache-control.conf
│       ├── cache_expiration.conf
│       ├── compression.conf
│       ├── content_transformation.conf
│       ├── etags.conf
│       ├── file_concatenation.conf
│       ├── filename-based_cache_busting.conf
│       ├── no_etags.conf
│       ├── pre-compressed_content_brotli.conf
│       └── pre-compressed_content_gzip.conf
├── httpd.conf
└── vhosts
    ├── .000-default.conf
    ├── 000-no-ssl-default.conf
    └── templates
        ├── example.com.conf
        └── no-ssl.example.com.conf
```

--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
### 6.0.0 (December 5, 2022)

* 🎉 Significant improvement on `Cache-Control` definition and usage
  * `Cache-Control` boilerplate with extensive control
    [https://github.com/h5bp/server-configs-apache/pull/325]
  * Reorder and improve cache expiration `ExpiresByType` map
    [https://github.com/h5bp/server-configs-apache/pull/326]
* Add a notice for directory index with pre-compressed content
  [https://github.com/h5bp/server-configs-apache/pull/311]
* Drop `image/avif-sequence` MIME type
  [https://github.com/h5bp/server-configs-apache/pull/316]
* Improve inline comments.

### 5.1.0 (May 9, 2022)

* Extend default, media and font cache TTL to 1 year
  [[5df6946](https://github.com/h5bp/server-configs-apache/commit/5df69464885605ded1f4b0ef04cb84f1b8bd8010)]
* Support `ETags` at server level
  [[7956cbc](https://github.com/h5bp/server-configs-apache/commit/7956cbcecd33c20f13357284f3f355c658755115)]
* Add `image/x-icon` compression support
  [[69ddeda](https://github.com/h5bp/server-configs-apache/commit/69ddeda3781762eb2aba8b5152f2e9d2fa56c90a)]
* Improve module checks validations
  [[cb8ef1b](https://github.com/h5bp/server-configs-apache/commit/cb8ef1be06a93d43db6dc525005e2638b8ef687b)]
* Improve inline comments.

### 5.0.0 (July 31, 2021)

* ⚠️ **Breaking**: End of support for Internet Explorer (`X-UA-Compatible` and `X-XSS-Protection` headers)
  [[d1fb502](https://github.com/h5bp/server-configs-apache/commit/d1fb50202c36f01e4f2d4b43356eb816ffa9e222)]
  [[22014cb](https://github.com/h5bp/server-configs-apache/commit/22014cba3dea2b23f8b49593a2d8e44a99b97da9)]
* 🎉 Security first! Modernize TLS configuration
  [[55c364d](https://github.com/h5bp/server-configs-apache/commit/55c364d185db0b25016e88d20c3e6181c2c22940)]
* 🎉 Security first! Refresh policies-related headers usage
  * Add Cross Origin Policies headers (COOP/COEP/CORP)
    [[9d2cb74](https://github.com/h5bp/server-configs-apache/commit/9d2cb7496b40d03c03b817b53b19c6282d5eff2d)]
  * Add `Permissions-Policy` header
    [[86494cc](https://github.com/h5bp/server-configs-apache/commit/86494cc034f459aeb96648944b1f195a05d232ff)]
  * Make `Content-Security-Policy` disallow 'object-src' by default
    [[f993710](https://github.com/h5bp/server-configs-apache/commit/f9937105c83ab07a6f19890413cebb8e4a70d08c)]
* Add mime-type `image/jxl`
  [[da3ce54](https://github.com/h5bp/server-configs-apache/commit/da3ce54293b96b6ae977a6c0f06df4a58ecbfec0)]
* Fix `SSLSessionCache` directive usage
  [[64e33e8](https://github.com/h5bp/server-configs-apache/commit/64e33e89509c9ee8f806fb860efc78dc7563fe6c)]
* Improve inline comments.

### 4.1.0 (January 5, 2021)

* Add mime-type `image/avif` and `image/avifs`
  [[4ca46af](https://github.com/h5bp/server-configs-apache/commit/4ca46af2dc9791699221ea9e274d46ffe275b061)]
* Fix unexpected Content-Language in pre-compressed Brotli
  [[1f5641d](https://github.com/h5bp/server-configs-apache/commit/1f5641d702b05b92c15a60a7c98d5090f03789dd)]
* Added `systemd` module to support CentOS
  [[5d060b0](https://github.com/h5bp/server-configs-apache/commit/5d060b0f562dbde5f3f15cc2a250f9d2bc10fb84)]
* Improve inline comments.

### 4.0.0 (April 14, 2020)

* 🎉 Server-level config! Support httpd configuration at main server level.
  Add `httpd.conf` file, vhost management, secure HTTP tweaking, etc.
  See the [README](https://github.com/h5bp/server-configs-apache)
  [[b50205a...c302596](https://github.com/h5bp/server-configs-apache/compare/df7857d...c302596)]
* ⚠️ **Breaking**: End of support for Apache httpd version 2.4.9 and below
  [[baa9cdd](https://github.com/h5bp/server-configs-apache/commit/baa9cdd5567b25d9434b06937a436ceccadb6b4c)]
* ⚠️ **Breaking**: File paths changes for the `.htaccess` build system
  [[478ceab](https://github.com/h5bp/server-configs-apache/commit/478ceab3a28786856a1ffcdf6a943ee43907caf0)]
  [[9cb2763](https://github.com/h5bp/server-configs-apache/commit/9cb2763d7f5e3fce984bfdea903e9df61cdf4bcd)]
* Rewrite, improve and update a large part of the documentation
  [[5dc823c](https://github.com/h5bp/server-configs-apache/commit/5dc823c18e4a0ee163c2ee3b772060bce7d782e6)]
  [[5748d26](https://github.com/h5bp/server-configs-apache/commit/5748d26258394005b4d6dbb2f8474b58ed276e95)]
  [[d8553ee](https://github.com/h5bp/server-configs-apache/commit/d8553ee58f307419d9ec39ab8c60fc6a6e1135cb)]
  [[6862ac1](https://github.com/h5bp/server-configs-apache/commit/6862ac17ed60042c4eb47b56c8da055e99ad4dac)]
  [[ade3659](https://github.com/h5bp/server-configs-apache/commit/ade3659f49b5e23c93695b6888f92bfda3b3f2ed)]
* Default to HSTS only over secure connections
  [[5bbc0a1](https://github.com/h5bp/server-configs-apache/commit/5bbc0a1ded8b306ca900338136a50d17eb304b94)]
* Stricter default for Referrer Policy `strict-origin-when-cross-origin`
  [[43bcb83](https://github.com/h5bp/server-configs-apache/commit/43bcb833eb0539800e0d3e8a19ad3ef1d6944592)]
* Add APNG (`.apng`) MIME type
  [[ad25d31](https://github.com/h5bp/server-configs-apache/commit/ad25d3185fb28971a83e8c721567d7ce08b76f38)]
* Ensure the presence of security headers where expected
  [[d656422](https://github.com/h5bp/server-configs-apache/commit/d65642225cf080c15ace94816bed9f15080471b1)]
  [[43bcb83](https://github.com/h5bp/server-configs-apache/commit/43bcb833eb0539800e0d3e8a19ad3ef1d6944592)]
  [[d84d94c](https://github.com/h5bp/server-configs-apache/commit/d84d94c7e1e3e647a6ff3b0d29a780481a0638d8)]
* Make disabling TRACE method usable in a `.htaccess` file
  [[9ae931c](https://github.com/h5bp/server-configs-apache/commit/9ae931cfe5bc4fe8af0fca21094ad93d4437cfaa)]
* Improve inline comments.

### 3.2.1 (May 8, 2019)

* Fix npm releasing
  [[4b0ee86](https://github.com/h5bp/server-configs-apache/commit/4b0ee8643c2c4f7dafafca82be67dc3309c0b479)]

### 3.2.0 (May 6, 2019)

* Enhance CSP policy
  [[f48934b](https://github.com/h5bp/server-configs-apache/commit/f48934b6a1fe0f7de356f57911844bc006bdd9ec)]
* Common headers addition based on MIME-types instead of file extensions
  [[a880772...64cb33d](https://github.com/h5bp/server-configs-apache/compare/012cb6d...64cb33d)]
* Always unset `X-Powered-By` header
  [[1470258](https://github.com/h5bp/server-configs-apache/commit/14702588b130451f45cb2c1ae18a42fe70e4a922)]
* Support hashed asset names in cache-busting
  [[33f8006](https://github.com/h5bp/server-configs-apache/commit/33f800642a65b6f209243d3c2e266b82dbf7982f)]
* Switch `application/vnd.geo+json` to `application/geo+json`
  [[35cbd63](https://github.com/h5bp/server-configs-apache/commit/35cbd63662c491b8025e35cc6362dbfba5aeae82)]
* New test system using [server-configs-test](https://github.com/h5bp/server-configs-test)
  [[3ae257c](https://github.com/h5bp/server-configs-apache/commit/3ae257ce57e9458c3a335fe65ff61498d1b0eb45)]
* Improve inline comments.

### 3.1.0 (February 8, 2019)

* Remove P3P iframe cookies directives
  [[ccce7b8](https://github.com/h5bp/server-configs-apache/commit/ccce7b85ab9f2c81c7aa66f94c31e2accfc7b22d)]
* Add `TraceEnable Off` directive
  [[0a2f70e](https://github.com/h5bp/server-configs-apache/commit/0a2f70e5270f96d08ab94bb5f7a9091bcdc03909)]
* Support hashed asset names in cache-busting
  [[33f8006](https://github.com/h5bp/server-configs-apache/commit/33f800642a65b6f209243d3c2e266b82dbf7982f)]
* Allow SSL certificate set up over HTTP
  [[54b6176..993127d](https://github.com/h5bp/server-configs-apache/compare/9481d53..993127d)]
* Rename cache expiration rules file to `cache_expiration.conf` to make it more generic
  [[11690c6](https://github.com/h5bp/server-configs-apache/commit/11690c60880682973854e17117bd5c3f17cd175a)]
* Improve inline comments.

### 3.0.0 (April 16, 2018)

* ⚠️ **Breaking**: End of support for Apache httpd version 2.3 and below
  [[7d296c3](https://github.com/h5bp/server-configs-apache/commit/7d296c35c7337ca183bd31326e10e15d54ca187b)]
* 🎉 New build system! Configurable build and customizable generation.
  See the [README](https://github.com/h5bp/server-configs-apache#custom-htaccess-builds)
  [[5896349](https://github.com/h5bp/server-configs-apache/commit/589634974291a4a9ee1fd2a99c23794036e9aace)]
* Add Referrer-Policy header template
  [[591083e](https://github.com/h5bp/server-configs-apache/commit/591083eedc654837c051ca1aff4282444dc06471)]
* Switch back `.js`-files and `.mjs`-files media-type to `text/javascript`
  [[690f4ad](https://github.com/h5bp/server-configs-apache/commit/690f4ad6add3a3c2185641474e05378000a19d84)]
* Add pre-compressed content handling template
  [[52639ab](https://github.com/h5bp/server-configs-apache/commit/52639ab1fa97d666f3b262e04f70ab3ce020d0d0)]
* Add WebAssembly module (`.wasm`) MIME type
  [[a2e7d7b](https://github.com/h5bp/server-configs-apache/commit/a2e7d7b38cf96b804a7323362ee72950e51810f5)]
* Improve inline comments.

### 2.15.0 (October 8, 2017)

* Serve `.md` and `.markdown` files as `text/markdown`
  [[bfcafd3](https://github.com/h5bp/server-configs-apache/commit/bfcafd36b42f8118306ce3f9c17d6463692b4be0)].
* Add font MIME types per RFC 8081
  [[20b446e](https://github.com/h5bp/server-configs-apache/commit/20b446e2ad6e1eec68b50277a894876e41395403)].
* Mark `.mjs` files as JavaScript
  [[c00975c](https://github.com/h5bp/server-configs-apache/commit/c00975c74bde80175684314c883c09ab04b5bccc)].
* Add calendar filetype (`.ics`)
  [[002a110](https://github.com/h5bp/server-configs-apache/commit/002a110bf35c25af66ab09ef1bd724ece5fd8266)].
* Block Mercurial `.orig` files
  [[4c13648](https://github.com/h5bp/server-configs-apache/commit/4c1364885477e836fec24a6d8330cba69cf3d3a0)].
* Fix enforcing www/no-www with HTTPS
  [[fc747bb](https://github.com/h5bp/server-configs-apache/commit/fc747bbdf0a0c224ec08d8b925f33671e4d5046d)].
* Drop Bower support
  [[ee6cd75](https://github.com/h5bp/server-configs-apache/commit/ee6cd751f0b907239a032ec5477ee3bfbc2bc570)].
* Fix HTTPS enforcement rule
  [[11e523d](https://github.com/h5bp/server-configs-apache/commit/11e523d10ad8bb604fe692ec8d1fd40adc0010fa)].
* Improve inline comments.

### 2.14.0 (April 4, 2015)

* Update the web app manifest file related configs
  [[e603554](https://github.com/h5bp/server-configs-apache/commit/e603554f559b1be4861553239e22a7844075bedc)].

### 2.13.0 (March 4, 2015)

* Remove the mapping of `.manifest` files to the `text/cache-manifest` media type
  [[c805353](https://github.com/h5bp/server-configs-apache/commit/c805353c4142c792267945687309259fc15b2106)].
* Remove the mapping of `.php` files to the `text/html` media type
  [[daab35b](https://github.com/h5bp/server-configs-apache/commit/daab35bc91c299da23efdfa740f13a46ad10612a)].

### 2.12.0 (March 2, 2015)

* Add `ServerSignature Off`
  [[#58](https://github.com/h5bp/server-configs-apache/issues/58)].
* Change media types for `.atom` and `.rss` files
  [[#50](https://github.com/h5bp/server-configs-apache/issues/50)].
* Send the HSTS header even for non-2xx responses
  [[#57](https://github.com/h5bp/server-configs-apache/issues/57)].
* Add configs that remove the `X-Powered-By` HTTP response header
  [[#54](https://github.com/h5bp/server-configs-apache/issues/54)].
* Add expires rules for WebP
  [[#61](https://github.com/h5bp/server-configs-apache/issues/61)].

### 2.11.0 (October 27, 2014)

* Add configs for common media types used for `.woff` files
  [[e602ae9](https://github.com/h5bp/server-configs-apache/commit/e602ae9e62412d95fba377abfb66ef2f773cfc4d)].
* Add configs for files marked as `text/x-cross-domain-policy`
  [[a0c4e17](https://github.com/h5bp/server-configs-apache/commit/a0c4e1719075bf1d97d92a3b0ad225c7bff5dfab)].
* Add configs for files marked as `image/vnd.microsoft.icon`
  [[0ba37cb](https://github.com/h5bp/server-configs-apache/commit/0ba37cb77de29b29e44145046a936483aeb1bfc5)].
* Add configs for files marked as `font/eot`
  [[6dae5d4](https://github.com/h5bp/server-configs-apache/commit/6dae5d4e063db5d70a3a7abecadb97707b6fdf2c)].

### 2.10.0 (October 20, 2014)

* Add `bower.json` and publish on `Bower`
  [[3425f72](https://github.com/h5bp/server-configs-apache/commit/3425f72c626cc70fabcf8fbac76565063249a518)].
* Improve inline comments.
* Add configs for files marked as `application/x-javascript`
  [[23793d8](https://github.com/h5bp/server-configs-apache/commit/23793d85f3c13a5f239538156021748c98b40183)].
* Add configs for bitmap image files (`.bmp`)
  [[77ccf9e](https://github.com/h5bp/server-configs-apache/commit/77ccf9ec101b20c14a05fdfb50c2db47ed490ad4)].
* Compress vCard files (`.vcard`/`.vcf`)
  [[a076635](https://github.com/h5bp/server-configs-apache/commit/a0766359454887192914dcd5f042bce281b2170d)].
* Serve vCard files (`.vcard`/`.vcf`) with the `text/vcard` media type
  [[104f232](https://github.com/h5bp/server-configs-apache/commit/104f232dad100ddd5c8cf0c354c2bcd163a6b915)].
* Add configs for BlackBerry Maps location documents (`.xloc`)
  [[20000d1](https://github.com/h5bp/server-configs-apache/commit/20000d1741701eede2e0903b2b86992d8b70c35a)].
* Add configs for BlackBerry App World files (`.bbaw`)
  [[352fb62](https://github.com/h5bp/server-configs-apache/commit/352fb62daae4b57cf605c1eb3a836385f6f7e01f)].

### 2.9.0 (October 15, 2014)

* Update example regarding forcing `https://`
  [[060b70c](https://github.com/h5bp/server-configs-apache/commit/060b70c1428f5a2b3cc4e42ac66c1b7d75ae3bc9)].

### 2.8.0 (September 13, 2014)

* Improve configs for `.rdf` files
  [[742d148](https://github.com/h5bp/server-configs-apache/commit/742d148ca497ef07a31d3bd648af29c129f4b62c)].
* Add example on how to allow cross-origin access to the resource's timing information
  [[3df6768](https://github.com/h5bp/server-configs-apache/commit/3df6768e786b7595a656da1675b10c87e7ce18b9)].
* Add configs for files marked as `text/javascript`
  [[db69327](https://github.com/h5bp/server-configs-apache/commit/db6932740a90a36cbbf8b38627fc034d595471c0)].
* Add configs for JSON Schema files (`.json`)
  [[#39](https://github.com/h5bp/server-configs-apache/issues/39)].

### 2.7.1 (August 3, 2014)

* Update `package.json` and publish on `npm`
  [[#33](https://github.com/h5bp/server-configs-apache/issues/33)].

### 2.7.0 (July 28, 2014)

* Add configs for TopoJSON files (`.topojson`)
  [[#34](https://github.com/h5bp/server-configs-apache/issues/34)].

### 2.6.0 (July 3, 2014)

* Add configs for WOFF 2.0 font files (`.woff2`)
  [[#32](https://github.com/h5bp/server-configs-apache/issues/32)].
* Add configs for GeoJSON files (`.geojson`)
  [[16d3965](https://github.com/h5bp/server-configs-apache/commit/16d39657164a397c8584843296fa04dc297c4b55)].

### 2.5.0 (June 14, 2014)

* Compress cache manifest files (`.appcache`/`.manifest`)
  [[d819fec](https://github.com/h5bp/server-configs-apache/commit/d819fecd81e1d23fb5f153995f573890b037a82c)].
* Move all compression related configs under the `Compression` section
  [[73a107e](https://github.com/h5bp/server-configs-apache/commit/73a107ed0cb9ae4b3ec966e8e246b7a6f4bbd059)].

### 2.4.1 (June 7, 2014)

* Improve and update inline comments.

### 2.4.0 (June 3, 2014)

* Add configs for web application manifest files
  [[#29](https://github.com/h5bp/server-configs-apache/issues/29)].
* Allow access to the content from within the `/.well-known/` directory
  [[#31](https://github.com/h5bp/server-configs-apache/issues/31)].
* Forbid access to `.conf` files.
* Add the `no-transform` value to the `Cache-Control` HTTP response header without overwriting existing values.
* Add `cur`, `ico`, `svg`, `svgz` and `webp` to the filename-based cache busting list.
* Add configs for text files (`.txt`)
  [[b5bda65](https://github.com/h5bp/server-configs-apache/commit/b5bda651d2811f8f3c1f061ee97d0404ebfe8468)].
* Compress WebVTT files (`.vtt`)
  [[0bb12c8](https://github.com/h5bp/server-configs-apache/commit/0bb12c832be9865bcfdaa1042b64381e7d723560)].
* Reintroduce the `filename extension` to `content type` mappings for `ico` and `svg`
  [[#28](https://github.com/h5bp/server-configs-apache/issues/28)].

### 2.3.0 (April 10, 2014)

* Send `X-Content-Type-Options` header by default
  [[edd912d](https://github.com/h5bp/server-configs-apache/commit/edd912d9f76602c9d29ae087ff4e176632a0f656)].

### 2.2.0 (February 3, 2014)

* Remove example regarding `persistent connections`
  [[#20](https://github.com/h5bp/server-configs-apache/issues/20)].
* Improve the `<FilesMatch>` regular expressions.
* Add configs for JSON-LD (JSON for Linking Data) files
  [[#17](https://github.com/h5bp/server-configs-apache/issues/17)].

### 2.1.0 (December 31, 2013)

* Serve source map files with the `application/json` content-type
  [[7d114e8](https://github.com/h5bp/server-configs-apache/commit/7d114e8eeacadaf30768d60f7f522b3558e83676)].
* Make `RewriteCond`s for `example.com → www.example.com` more permissive
  [[#11](https://github.com/h5bp/server-configs-apache/issues/11)].
* Add configs for Ogg Opus audio files
  [[#13](https://github.com/h5bp/server-configs-apache/issues/13)].

### 2.0.0 (November 12, 2013)

* Add example on how to mitigate reflected (a.k.a non-persistent) XSS attacks
  [[#8](https://github.com/h5bp/server-configs-apache/issues/8)].
* Add example on how to provide clickjacking protection
  [[#8](https://github.com/h5bp/server-configs-apache/issues/8)].
* Add example on how to reduce MIME type security risks
  [[#8](https://github.com/h5bp/server-configs-apache/issues/8)].
* Add configs for cursor images (`.cur`)
  [[a795fff](https://github.com/h5bp/server-configs-apache/commit/a795fff87871c020cf29bb60f208b7afe2bb5b3a)].
* Fix backup and source file blocking for Apache v2.3+
  [[#5](https://github.com/h5bp/server-configs-apache/issues/5)].
* Remove filename extension to content type mappings that are already provided by Apache v2.2.0+
  [[#4](https://github.com/h5bp/server-configs-apache/issues/4)].
* Improve inline comments.
* Remove `screen flicker` fix required by IE 6
  [[#3](https://github.com/h5bp/server-configs-apache/issues/3)].

### 1.1.0 (July 27, 2013)

* Remove Chrome Frame HTTP header hint.

### 1.0.0 (July 27, 2013)

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
Copyright (c) H5BP

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# [Apache Server Configs](https://github.com/h5bp/server-configs-apache)

[![Server CI](https://github.com/h5bp/server-configs-apache/actions/workflows/server.yml/badge.svg)](https://github.com/h5bp/server-configs-apache/actions/workflows/server.yml)

**Apache Server Configs** is a collection of configuration snippets that can help
your server improve the website's performance and security, while also
ensuring that resources are served with the correct content-type and are
accessible, if needed, even cross-domain.


## Getting Started

There are two options for getting the Apache server configs:

* If you have access to the [main server configuration file](https://httpd.apache.org/docs/current/configuring.html#main)
  (usually called `httpd.conf`), you should configure Apache this way.
  This is usually the recommended way, as using `.htaccess` files
  [slows down](https://httpd.apache.org/docs/current/howto/htaccess.html#when) Apache!
* If you don't have access to it, which is quite common with hosting services,
  check out the [`.htaccess` guide](#htaccess-file).

Using the Apache server configs repository directly requires a few setup steps,
described below.

See also the [Apache Getting Started](https://httpd.apache.org/docs/current/getting-started.html) guide.

### Check `httpd.conf` settings

The first thing to check is that the `httpd.conf` file contains appropriate values for
your specific install, and that every module the snippets rely on is actually loaded
(see [Enable Apache httpd modules](#enable-apache-httpd-modules)): a section guarded by a
module check for a module that is not loaded is skipped without any error, so a missing
module means missing headers rather than a failed start.
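Because a snippet whose module is missing is skipped silently, the check worth scripting is whether the modules listed under [Enable Apache httpd modules](#enable-apache-httpd-modules) are actually loaded. The following shell function is added here as an example and is not part of the project: it parses the `Loaded Modules:` listing printed by `apachectl -M` (`apache2ctl -M` on Debian-style installs) and reports which of the nine required modules are absent, with an `a2enmod` hint on stderr. The listing embedded below is a constructed sample, not real server output.

```shell
#!/bin/sh
# Pre-flight check for the h5bp snippets: are the modules they depend on loaded?
# Added example; not part of server-configs-apache.

# The nine modules the README lists as required.
H5BP_REQUIRED_MODULES="autoindex_module deflate_module expires_module filter_module headers_module include_module mime_module rewrite_module setenvif_module"

# Read an `apachectl -M` listing from the files given as arguments (or from
# stdin), print the required modules that are not loaded on one line, and
# return 1 if any is missing. Listing lines look like " headers_module (shared)".
missing_modules() {
    loaded=$(cat "$@" | sed -n 's/^ *\([A-Za-z0-9_]*_module\) .*/\1/p' | tr '\n' ' ')
    missing=""
    for m in $H5BP_REQUIRED_MODULES; do
        case " $loaded " in
            *" $m "*) ;;                    # loaded
            *) missing="$missing $m" ;;     # absent
        esac
    done
    missing=${missing# }
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing"
    # Debian-style layouts: a2enmod takes the name without the _module suffix.
    printf 'hint: sudo a2enmod %s\n' "$(printf '%s' "$missing" | sed 's/_module//g')" >&2
    return 1
}

# Constructed sample standing in for `apachectl -M` output; two required
# modules (expires, include) are deliberately absent.
sample_listing() {
    cat <<'EOF'
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 autoindex_module (shared)
 deflate_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
EOF
}

# Run against the sample. On a real server replace the sample with:
#   apachectl -M 2>/dev/null | missing_modules    # apache2ctl -M on Debian-style installs
if sample_listing | missing_modules; then
    echo "all required modules are loaded"
else
    echo "some required modules are missing; the matching h5bp sections will silently do nothing"
fi
```

The check is deliberately independent of the server binary, so it can run in CI against a captured listing as well as on the host; a non-zero exit makes it usable as a gate before `apache2ctl reload`.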
The install-specific values are typically:

* `ServerRoot`
* `User`
* `Group`
* `ErrorLog`
* `CustomLog`
* `TypesConfig` (ensure that the path for the `mime.types` file is valid)

### Apache test and restart

* To verify the Apache config:

  ```shell
  apache2 -t
  ```

  On Debian-derived systems prefer `apache2ctl -t` (or `apache2ctl configtest`): the
  control script sources `/etc/apache2/envvars` first, whereas the bare `apache2` binary
  does not and fails on the `${APACHE_*}` variables that the packaged config refers to.

* To verify the Apache config with a custom file:

  ```shell
  apache2 -t -f httpd.conf
  ```

* To reload Apache and apply the new config:

  ```shell
  apache2ctl reload
  ```

### Enable Apache httpd modules

Some configurations won't have any effect if the appropriate modules aren't
enabled. So, in order for everything to work as intended, you need to ensure
you have the following Apache modules enabled:

* [`mod_autoindex.c` (autoindex_module)](https://httpd.apache.org/docs/current/mod/mod_autoindex.html)
* [`mod_deflate.c` (deflate_module)](https://httpd.apache.org/docs/current/mod/mod_deflate.html)
* [`mod_expires.c` (expires_module)](https://httpd.apache.org/docs/current/mod/mod_expires.html)
* [`mod_filter.c` (filter_module)](https://httpd.apache.org/docs/current/mod/mod_filter.html)
* [`mod_headers.c` (headers_module)](https://httpd.apache.org/docs/current/mod/mod_headers.html)
* [`mod_include.c` (include_module)](https://httpd.apache.org/docs/current/mod/mod_include.html)
* [`mod_mime.c` (mime_module)](https://httpd.apache.org/docs/current/mod/mod_mime.html)
* [`mod_rewrite.c` (rewrite_module)](https://httpd.apache.org/docs/current/mod/mod_rewrite.html)
* [`mod_setenvif.c` (setenvif_module)](https://httpd.apache.org/docs/current/mod/mod_setenvif.html)

For more detailed information on configuration files and how to use them,
please check the [Apache documentation](https://httpd.apache.org/docs/current/).

#### Standalone

These instructions should work on any distribution where `apt-get` has been
used to install Apache.

1. Open up a terminal and type the following command. Enter your password when
   prompted.

   ```shell
   sudo a2enmod setenvif headers deflate filter expires rewrite include
   ```

   `autoindex` and `mime` are left out of this list because they are normally
   enabled by default; if `apache2ctl -M` does not show `autoindex_module` and
   `mime_module`, add them to the command.

2. Restart Apache using the following command, so the new configuration takes
   effect.

   ```shell
   sudo /etc/init.d/apache2 restart
   ```

   On systemd-based systems, `sudo systemctl restart apache2` does the same.

#### With MAMP/WAMP/XAMPP

* **MAMP PRO**. On the main screen, click the `Apache` tab and ensure that all
  the required modules are 'checked', indicating they are enabled.

* **WampServer**. If you have installed WampServer, click on the icon in the
  task bar, then the Apache section, then the modules section.
  You will be presented with a list of modules. Simply click on a module name
  to enable it. WampServer will automatically restart the Apache service after
  you enable a module.

* **Others**. Locate the `httpd.conf` file, which is typically found in:
  * **MAMP**: `/Applications/MAMP/conf/apache/httpd.conf`
  * **XAMPP**: `/Applications/XAMPP/etc/httpd.conf`
  * **WAMP**: `C:\apache\conf\httpd.conf`

  Open the file in a text editor and uncomment all the required modules.
  Once you have done so, restart MAMP/WAMP/XAMPP.

### Basic structure

This repository has the following structure:

```text
./
├── vhosts/
│   ├── 000-default.conf
│   └── templates/
├── h5bp/
│   ├── basic.conf
│   └── .../
└── httpd.conf
```

* **`vhosts/`**

  This directory should contain all the server definitions.

  All files in this folder **are** loaded automatically, except those that are
  dot-prefixed or do not have a `.conf` extension.

* **`templates` folder**

  Files in this folder contain a `<VirtualHost>` template for secure and non-secure hosts.
  They are intended to be copied into the `vhosts` folder with all `example.com`
  occurrences changed to the target host.

* **`h5bp/`**

  This directory contains config snippets (mixins) to be included as desired.

  There are two types of config files provided: individual config snippets, and
  combined config files which provide convenient defaults.

* **`basic.conf`**

  This file loads a small subset of the rules provided by this repository to add
  expires headers, allow cross-domain fonts and protect system files from web
  access.
  The `basic.conf` file includes the rules which are recommended to always be
  defined.

* **`httpd.conf`**

  The main Apache config file.


## Usage

The [default location of the configuration files](https://httpd.apache.org/docs/current/getting-started.html#configuration) is `/usr/local/apache2/`, but these files may be located in any of a variety of places, depending on how exactly you installed the server.
Common locations for these files may be found [in the httpd wiki](http://wiki.apache.org/httpd/DistrosDefaultLayout).

### As a reference

Using the repository as a reference requires no special installation steps: download
or check out the repository to a convenient location and adapt your existing httpd
configuration, incorporating the desired functionality from this repository.

Download the [latest release archive](https://github.com/h5bp/server-configs-apache/releases/latest).

### Directly

To use directly, add httpd config files from this repository.
For example:

```shell
apache2ctl stop
git clone https://github.com/h5bp/server-configs-apache.git /tmp/h5bp-apache
cd /usr/local
cp -r apache2 apache2-previous
cp -r /tmp/h5bp-apache/* apache2
# install-specific edits
apache2ctl -t      # catch config errors before starting again
apache2ctl start
```

### Manage sites

```bash
cd /usr/local/apache2/vhosts
```

Files in this directory are loaded automatically unless their name starts with a dot
(see [Basic structure](#basic-structure)); the enable and disable steps below rely on
that convention.

* Creating a new site

  ```bash
  cp templates/example.com.conf .actual-hostname.conf
  sed -i 's/example.com/actual-hostname/g' .actual-hostname.conf
  ```

* Enabling a site

  ```bash
  mv .actual-hostname.conf actual-hostname.conf
  ```

* Disabling a site

  ```bash
  mv actual-hostname.conf .actual-hostname.conf
  ```

Then test the configuration and reload, so that a broken vhost file is caught before
the reload rather than by the running server:

```bash
apache2ctl -t && apache2ctl reload
```


## `.htaccess` file

### Usage

Just copy the `.htaccess` file into the root of the website. Apache only reads it
when the `AllowOverride` directive for that directory permits it, so if the rules
appear to have no effect, check the main server configuration first.

Getting options:

* Download the `h5bp.htaccess` from the [latest release](https://github.com/h5bp/server-configs-apache/releases/latest)
  and rename the file to `.htaccess`
* Install them via [npm](https://www.npmjs.com/): `npm install --save-dev apache-server-configs`.
  Inside the `dist/` folder, you'll find a ready-to-use `.htaccess` file.

### Custom `.htaccess` builds

Security, mime-type, and caching best practices evolve, and so should your
`.htaccess` file. In the past, with each new *Apache Server Configs* release
it was quite tedious to find out which `.htaccess` trick was just new or only
had changes in certain nuances.

The [**build script**](#build-script-buildsh) with its re-usable and customizable
[**build configuration**](#configuration-file-htaccessconf) lets you easily
update your `.htaccess` file.
Each new `.htaccess` build will contain the
updated *Apache Server Configs* source files, enabled or commented-out according
to your settings in the `htaccess.conf` of your project root.

#### Configuration file: `htaccess.conf`

It allows you to define which module to [enable](#enabling-modules) or
[disable](#disabling-modules) for your project. Just copy the default
[`htaccess.conf`](https://github.com/h5bp/server-configs-apache/blob/main/bin/htaccess.conf)
from this repo into your project directory. Adjust it to your needs, and/or
[add custom code](#adding-custom-modules) snippets you need for your project.
Its syntax is straightforward and pretty much self-explanatory:

```apache
# Example Module

title "example module"
enable "src/example-module/images.conf"
enable "src/example-module/web_fonts.conf"
disable "src/example-module/not-needed.conf"
omit "src/example-module/not-needed-at-all.conf"

#... more modules ...
```

##### Disabling modules

For example, the *“Cross-origin web fonts”* snippet is always included in
our pre-built `.htaccess` file and enabled. If your project does not deal
with web fonts, you can `disable` or `omit` this section.

This will comment out the section:

```apache
disable "h5bp/cross-origin/web_fonts.conf"
```

…and this will exclude the section, saving lines in the output:

```apache
omit "h5bp/cross-origin/web_fonts.conf"
```

##### Enabling modules

For example, the *“Forcing `https://`”* snippet is included in our pre-built
`.htaccess` but disabled by default.
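To make the `enable`/`disable`/`omit` semantics concrete, here is a small POSIX shell function, added here as an example and not the project's `build.sh`, that processes an `htaccess.conf` the way the text describes: `title` emits a build comment, `enable` copies a partial as-is, `disable` copies it commented out, `omit` skips it, and `no-partials-comments` strips comment lines that come from the partials while leaving the build comments alone. Assumptions not taken from the page: partial paths are resolved against a base directory passed as the second argument (the real script's lookup rules are not described here), a missing partial aborts the build, the `# [disabled] ...` marker format is invented, and the partials and config written by `demo_build` are constructed stand-ins, not the contents of the repository's files of the same name.

```shell
#!/bin/sh
# Minimal htaccess.conf processor. Added example: this is NOT the project's
# bin/build.sh, only an illustration of the enable/disable/omit semantics.
# Usage: render_htaccess path/to/htaccess.conf [base_dir] > .htaccess

render_htaccess() {
    conf="$1"
    base="${2:-.}"      # assumption: partial paths are resolved against this directory
    strip_comments=0    # set by the no-partials-comments keyword

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;                # blank line or comment in the build config
        esac
        keyword=${line%% *}                     # first word
        arg=${line#"$keyword"}; arg=${arg# }    # rest of the line
        arg=${arg#\"}; arg=${arg%\"}            # without the surrounding double quotes

        case "$keyword" in
            no-partials-comments)
                strip_comments=1 ;;
            title)
                # Build-script comment: unaffected by no-partials-comments.
                printf '# ## %s\n\n' "$arg" ;;
            enable|disable)
                partial="$base/$arg"
                if [ ! -f "$partial" ]; then
                    printf 'render_htaccess: missing partial %s\n' "$partial" >&2
                    return 1                    # assumption: a missing partial aborts the build
                fi
                filter='p'
                if [ "$strip_comments" -eq 1 ]; then
                    filter='/^[[:space:]]*#/d; p'   # drop comment lines coming from the partial
                fi
                if [ "$keyword" = enable ]; then
                    sed -n "$filter" "$partial"
                else
                    # Build-script marker (assumed format), then the section commented out.
                    printf '# [disabled] %s\n' "$arg"
                    sed -n "$filter" "$partial" | sed 's/^/# /'
                fi
                printf '\n' ;;
            omit)
                ;;                              # excluded from the output entirely
            *)
                printf 'render_htaccess: unknown keyword "%s"\n' "$keyword" >&2
                return 1 ;;
        esac
    done < "$conf"
}

# Demo on a constructed tree: the partials below are stand-ins written for this
# example, not the contents of the repository's files of the same name.
demo_build() {
    dir=$(mktemp -d)
    mkdir -p "$dir/h5bp/rewrites" "$dir/h5bp/security"
    cat > "$dir/h5bp/rewrites/rewrite_http_to_https.conf" <<'EOF'
# Redirect every plain-HTTP request to HTTPS (constructed stand-in).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
EOF
    cat > "$dir/h5bp/security/x-content-type-options.conf" <<'EOF'
# Stop browsers from MIME-sniffing responses (constructed stand-in).
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>
EOF
    printf 'Header unset X-Powered-By\n' > "$dir/h5bp/security/x-powered-by.conf"
    cat > "$dir/htaccess.conf" <<'EOF'
# Security
title "security"
enable "h5bp/security/x-content-type-options.conf"
omit "h5bp/security/x-powered-by.conf"

# Rewrites: the HTTPS redirect ships disabled, as in the pre-built .htaccess
title "rewrites"
disable "h5bp/rewrites/rewrite_http_to_https.conf"
EOF
    render_htaccess "$dir/htaccess.conf" "$dir"
    rm -rf "$dir"
}

demo_build
```

Running it prints the `nosniff` section live, the HTTPS redirect with every line prefixed by `# `, and nothing at all for the omitted `X-Powered-By` partial; flipping the `disable` line to `enable` in the constructed `htaccess.conf` is exactly the change the next paragraph describes.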
To enable this
298 | snippet, change the `disable` keyword to `enable`:
299 | 
300 | ```apache
301 | enable "h5bp/rewrites/rewrite_http_to_https.conf"
302 | ```
303 | 
304 | ##### Controlling the size of the output .htaccess file
305 | 
306 | The default partials contain a significant number of comment lines, which
307 | give valuable guidance about how and why to use each setting, as well
308 | as web references. However, some may feel that the resulting
309 | `.htaccess` file is too large.
310 | 
311 | The special keyword `no-partials-comments` prevents
312 | comment lines from being copied out of the partials into `.htaccess`. It only affects the partials listed after it, so put it before the first `enable`/`disable` line (the default `htaccess.conf` reserves a "Comment control" section at the top for it).
313 | 
314 | > [!Note]
315 | > This keyword does not control comments created by the build
316 | > script (such as the `title` header or the commenting-out done by `disable`), only those that
317 | > are in the source partials files.
318 | 
319 | ```apache
320 | no-partials-comments
321 | ```
322 | 
323 | ##### Adding custom modules
324 | 
325 | Imagine you're passing all requests for non-existent files to your
326 | favorite web framework. The corresponding
327 | [_mod_dir_](https://httpd.apache.org/docs/trunk/mod/mod_dir.html#fallbackresource)
328 | snippet looks like this:
329 | 
330 | ```apache
331 | FallbackResource index.php
332 | ```
333 | 
334 | Store this snippet in a file, e.g. `config/framework_rewrites.conf`, and add
335 | a reference in your `htaccess.conf` (paths are resolved relative to the directory you run `build.sh` from, then relative to the repo checkout):
336 | 
337 | ```apache
338 | # PROJECT MODULES
339 | enable "config/framework_rewrites.conf"
340 | ```
341 | 
342 | #### Build script: `build.sh`
343 | 
344 | Change into your project root and call the build script from wherever you cloned
345 | the repo. Here are three examples:
346 | 
347 | 1. Create a default `.htaccess`
348 | 
349 | Create a default `.htaccess` in the current working directory.
An existing
350 | `bin/htaccess.conf` below this directory will be used; if none is present, the
351 | [**default configuration**](https://github.com/h5bp/server-configs-apache/blob/main/bin/htaccess.conf)
352 | from the repo will apply. The build aborts if a partial named in the configuration cannot be found.
353 | 
354 | 
355 | ```console
356 | $ path/to/server-configs-apache/bin/build.sh
357 | 
358 | # Output looks like:
359 | [✔] Build ./.htaccess
360 | 
361 | ```
362 | 
363 | 2. Custom output location
364 | 
365 | Just add an output path and filename as a parameter. If a file already exists
366 | at that path, the build script first copies it to `<output>.old` (here: `htdocs/.htaccess.old`).
367 | 
368 | ```console
369 | $ path/to/server-configs-apache/bin/build.sh htdocs/.htaccess
370 | 
371 | # Output looks like (the previous file is kept as 'htdocs/.htaccess.old'):
372 | [✔] Build htdocs/.htaccess
373 | ```
374 | 
375 | 3. Custom `.htaccess` configuration
376 | 
377 | Why not maintain a personal `~/htaccess.conf`? This example creates a
378 | `.htaccess` in the current working directory according to the settings
379 | stored in your `$HOME` directory:
380 | 
381 | ```bash
382 | path/to/server-configs-apache/bin/build.sh ./.htaccess ~/htaccess.conf
383 | ```
384 | 
385 | 
386 | ## Support
387 | 
388 | * Apache v**2.4.17**+
389 | 
390 | 
391 | ## Contributing
392 | 
393 | Anyone is welcome to [contribute](.github/CONTRIBUTING.md);
394 | however, if you decide to get involved, please take a moment to review
395 | the [guidelines](.github/CONTRIBUTING.md):
396 | 
397 | * [Bug reports](.github/CONTRIBUTING.md#bugs)
398 | * [Feature requests](.github/CONTRIBUTING.md#features)
399 | * [Pull requests](.github/CONTRIBUTING.md#pull-requests)
400 | 
401 | 
402 | ## Acknowledgements
403 | 
404 | [Apache Server Configs](https://github.com/h5bp/server-configs-apache/) is
405 | only possible thanks to all the awesome
406 | [contributors](https://github.com/h5bp/server-configs-apache/graphs/contributors)!
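The *Manage sites* steps and the reload above, as an added example (not part of this README or of the project's `bin/` scripts): shell functions that accept only DNS-style hostnames before substituting them into the template, escape the dot in the `sed` pattern, and run `apache2ctl configtest` before a site is left enabled or Apache is reloaded. The `VHOSTS` and `APACHECTL` variables and the `site_*` function names are this example's own assumptions; both variables can be overridden from the environment, which is also how the functions can be exercised against a scratch directory without Apache installed (`APACHECTL=true`, or `false` to see the rollback).

```shell
#!/usr/bin/env bash
# Added example, not part of Apache Server Configs: the "Manage sites" steps
# from this README as functions that (1) accept only DNS-style hostnames, so
# nothing a caller passes can break the sed expression or smuggle a path or
# directive into the vhosts directory, and (2) run the configuration test
# before a site is left enabled or Apache is reloaded.
#
# Assumptions (this example's own, not the project's): VHOSTS is the vhosts
# directory from the README and APACHECTL the control command. Both can be
# overridden from the environment.

VHOSTS="${VHOSTS:-/usr/local/apache2/vhosts}"
APACHECTL="${APACHECTL:-apache2ctl}"

# Labels of letters, digits and hyphens joined by dots, at most 253 characters.
valid_hostname() {
    local host="$1"
    [ "${#host}" -le 253 ] || return 1
    printf '%s' "$host" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# Create a disabled site file (.host.conf) from the template, replacing
# "example.com" with the hostname. The dot is escaped so it is a literal
# dot, not the regex wildcard the README's one-liner uses.
site_create() {
    local host="$1" template="${2:-$VHOSTS/templates/example.com.conf}"
    valid_hostname "$host" || { echo "invalid hostname: $host" >&2; return 1; }
    [ -f "$template" ] || { echo "template not found: $template" >&2; return 1; }
    if [ -e "$VHOSTS/.$host.conf" ] || [ -e "$VHOSTS/$host.conf" ]; then
        echo "site already exists: $host" >&2
        return 1
    fi
    sed "s/example\.com/$host/g" "$template" > "$VHOSTS/.$host.conf"
}

# Enable a site (drop the leading dot) and test the configuration. If the
# test fails, the site is disabled again so the next reload stays safe.
site_enable() {
    local host="$1"
    valid_hostname "$host" || return 1
    [ -f "$VHOSTS/.$host.conf" ] || { echo "no disabled site: $host" >&2; return 1; }
    mv "$VHOSTS/.$host.conf" "$VHOSTS/$host.conf"
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        mv "$VHOSTS/$host.conf" "$VHOSTS/.$host.conf"
        echo "configtest failed; $host left disabled" >&2
        return 1
    fi
}

# Disable a site by restoring the leading dot.
site_disable() {
    local host="$1"
    valid_hostname "$host" || return 1
    [ -f "$VHOSTS/$host.conf" ] || { echo "no enabled site: $host" >&2; return 1; }
    mv "$VHOSTS/$host.conf" "$VHOSTS/.$host.conf"
}

# Reload only if the whole configuration still parses.
site_reload() {
    "$APACHECTL" configtest >/dev/null 2>&1 && "$APACHECTL" reload
}

# Usage: source this file, then for example
#   site_create shop.example.org && site_enable shop.example.org && site_reload
```

Set `VHOSTS` and `APACHECTL` to match the installation before sourcing the file. The hostname check is deliberately stricter than what Apache itself accepts: it is the only untrusted input these functions take, and it ends up both in a filename and in a `sed` replacement.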
407 | 408 | 409 | ## License 410 | 411 | The code is available under the [MIT license](LICENSE.txt). 412 | -------------------------------------------------------------------------------- /bin/build.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | declare htaccess_config_default="bin/htaccess.conf"; 4 | declare htaccess_output_default="./.htaccess" 5 | declare repo_root 6 | repo_root=$(dirname "$(dirname "$(realpath "$0")")") 7 | 8 | declare input_filter_noop='/.|^$/!d' 9 | declare input_filter_comments='/^[[:blank:]]*#/d' 10 | declare input_filter=${input_filter_noop} 11 | 12 | declare output_filter_noop='/.|^$/!d' 13 | declare output_filter_comment='/^[[:blank:]]*[#]+|^$/! s/^/# /' 14 | 15 | 16 | # ---------------------------------------------------------------------- 17 | # | Helper functions | 18 | # ---------------------------------------------------------------------- 19 | 20 | create_htaccess() { 21 | local file="${1}" 22 | local config="${2}" 23 | 24 | local version 25 | version=$(grep version < "${repo_root}/package.json" | \ 26 | head -1 | awk -F: '{ print $2 }' | sed 's/[",\t ]//g') 27 | 28 | insert_line "# Apache Server Configs v$version | MIT License" "$file" 29 | insert_line "# https://github.com/h5bp/server-configs-apache" "$file" 30 | insert_line "" "$file" 31 | insert_line "# (!) Using \`.htaccess\` files slows down Apache, therefore, if you have" "$file" 32 | insert_line "# access to the main server configuration file (which is usually" "$file" 33 | insert_line "# called \`httpd.conf\`), you should add this logic there." 
"$file"
34 |     insert_line "#" "$file"
35 |     insert_line "# https://httpd.apache.org/docs/current/howto/htaccess.html" "$file"
36 |     insert_line "" "$file"
37 | 
38 | 
39 |     while IFS=$" " read -r keyword filename; do
40 | 
41 |         # Skip comment lines and blank lines
42 |         [[ "${keyword}" =~ ^[[:space:]]*# ]] && continue
43 |         [ -z "${keyword}" ] && continue
44 | 
45 |         # Remove the quotes surrounding the filename (or title)
46 |         filename="${filename%\"}"
47 |         filename="${filename#\"}"
48 | 
49 |         # Evaluate
50 |         case "${keyword}" in
51 |             "title")
52 |                 insert_header "${filename}" "$file"
53 |                 insert_line "" "$file"
54 |                 ;;
55 |             "enable")
56 |                 if [ ! -f "${filename}" ]; then  # try the current directory first, then the repo checkout
57 |                     filename="${repo_root}/${filename}"
58 |                 fi
59 | 
60 |                 if [ ! -f "${filename}" ]; then
61 |                     print_error ".htaccess partial '${filename}' does not exist."
62 |                     exit 1
63 |                 fi
64 | 
65 |                 insert_file "${filename}" "$file" "${input_filter}" "${output_filter_noop}"
66 |                 insert_line "" "$file"
67 |                 ;;
68 |             "disable")
69 |                 if [ ! -f "${filename}" ]; then
70 |                     filename="${repo_root}/${filename}"
71 |                 fi
72 | 
73 |                 if [ ! -f "${filename}" ]; then
74 |                     print_error ".htaccess partial '${filename}' does not exist."
75 |                     exit 1
76 |                 fi
77 | 
78 |                 insert_file "${filename}" "$file" "${input_filter}" "${output_filter_comment}"
79 |                 insert_line "" "$file"
80 |                 ;;
81 |             "omit")
82 |                 # noop
83 |                 ;;
84 |             "no-partials-comments")
85 |                 input_filter=${input_filter_comments}  # applies to every partial read after this line
86 |                 print_info "Not copying comments from partials."
87 |                 ;;
88 |             *)
89 |                 print_error "Invalid keyword '${keyword}' for entry '${filename}'"
90 |                 exit 1
91 |                 ;;
92 |         esac
93 | 
94 |     done < "${config}"
95 | }
96 | 
97 | insert_line() {
98 |     printf "$1\\n" >> "$2"
99 | }
100 | 
101 | insert_file() {
102 |     cat "${1}" | sed -E "${3}" | sed -E "${4}" | cat -s >> "${2}"
103 | }
104 | 
105 | insert_header() {
106 |     local title
107 |     title=$(printf "$1" | tr '[:lower:]' '[:upper:]')
108 | 
109 |     insert_line "# ######################################################################" "$2"
110 |     insert_line "# # $title $(insert_space "$title") #" "$2"
111 |     insert_line "# ######################################################################" "$2"
112 | }
113 | 
114 | insert_space() {
115 |     total=65
116 |     occupied=$(printf "$1" | wc -c)
117 |     difference=$((total - occupied))
118 |     printf '%0.s ' $(seq 1 $difference)
119 | }
120 | 
121 | print_error() {
122 |     # Print output in red
123 |     printf "\\e[0;31m [✖] $1 $2\\e[0m\\n"
124 | }
125 | 
126 | print_info() {
127 |     # Print output in purple
128 |     printf "\\n\\e[0;35m $1\\e[0m\\n\\n"
129 | }
130 | 
131 | print_success() {
132 |     # Print output in green
133 |     printf "\\e[0;32m [✔] $1\\e[0m\\n"
134 | }
135 | 
136 | # ----------------------------------------------------------------------
137 | # | Main |
138 | # ----------------------------------------------------------------------
139 | 
140 | main() {
141 |     local htaccess_output="${1}"
142 |     local htaccess_config="${2}"
143 |     local htaccess_output_directory
144 |     htaccess_output_directory=$(dirname "${htaccess_output}")
145 | 
146 |     if [ -z "${htaccess_config}" ]; then  # no config given: bin/htaccess.conf below the current directory, else the repo's default
147 |         if [ -f "${PWD}/${htaccess_config_default}" ]; then
148 |             htaccess_config="${PWD}/${htaccess_config_default}"
149 |         else
150 |             htaccess_config="${repo_root}/${htaccess_config_default}"
151 |         fi;
152 |     fi
153 | 
154 |     if [ ! -f "${htaccess_config}" ]; then
155 |         print_error "'${htaccess_config}' does not exist."
156 |         exit 1
157 |     fi
158 | 
159 |     mkdir -p "${htaccess_output_directory}"
160 | 
161 |     if [ -f "${htaccess_output}" ]; then
162 |         cp "${htaccess_output}" "${htaccess_output}.old"
163 |         print_info "File already exists, creating backup"
164 |     fi
165 | 
166 |     rm -f "${htaccess_output}"
167 |     create_htaccess "${htaccess_output}" "${htaccess_config}"
168 | 
169 |     if [ $? -eq 0 ]; then # Success
170 |         print_success "Build ${htaccess_output}"
171 |     else
172 |         print_error "Error while building ${htaccess_output}"
173 |         if [ -f "${htaccess_output}.old" ]; then
174 |             cp "${htaccess_output}.old" "${htaccess_output}"
175 |         fi
176 |     fi
177 | }
178 | 
179 | main "${1:-$htaccess_output_default}" "${2}"
180 | -------------------------------------------------------------------------------- /bin/htaccess.conf: --------------------------------------------------------------------------------
1 | # htaccess.conf
2 | #
3 | # This file defines which .htaccess module partials
4 | # are enabled or disabled.
5 | #
6 | # Each entry consists of a "keyword" and "filename",
7 | # separated by at least one space character.
8 | #
9 | # - keyword: one of "title", "enable", "disable", or "omit".
10 | # - filename: may be quoted if the filename has spaces.
11 | #
12 | # Example:
13 | #
14 | # title "cross-origin"
15 | # enable "path/to/a.conf"
16 | # disable "path/to/b.conf"
17 | # omit "path/to/not-needed.conf"
18 | #
19 | # Special keyword "no-partials-comments" can be included to
20 | # prevent the comments in the input partials from being copied
21 | # into the output .htaccess file. It affects only the partials listed after it, so keep it at the top.
22 | #
23 | # This keyword:
24 | # - does not override "title" and "disable" keywords. Comments
25 | # arising from these keywords will appear in the output.
26 | # - can build a streamlined "for production" .htaccess file.
27 | 28 | 29 | # ---------------------------------------------------------------------- 30 | # | Comment control | 31 | # ---------------------------------------------------------------------- 32 | 33 | # no-partials-comments 34 | 35 | 36 | # ---------------------------------------------------------------------- 37 | # | Partials definitions | 38 | # ---------------------------------------------------------------------- 39 | 40 | 41 | # Module "cross-origin" 42 | 43 | title "cross-origin" 44 | disable "h5bp/cross-origin/requests.conf" 45 | enable "h5bp/cross-origin/images.conf" 46 | enable "h5bp/cross-origin/web_fonts.conf" 47 | disable "h5bp/cross-origin/resource_timing.conf" 48 | 49 | 50 | 51 | # Module "errors" 52 | 53 | title "errors" 54 | disable "h5bp/errors/custom_errors.conf" 55 | enable "h5bp/errors/error_prevention.conf" 56 | 57 | 58 | 59 | # Module "media types and character encodings" 60 | 61 | title "media types and character encodings" 62 | enable "h5bp/media_types/media_types.conf" 63 | enable "h5bp/media_types/character_encodings.conf" 64 | 65 | 66 | 67 | # Module "rewrites" 68 | 69 | title "rewrites" 70 | enable "h5bp/rewrites/rewrite_engine.conf" 71 | disable "h5bp/rewrites/rewrite_http_to_https.conf" 72 | enable "h5bp/rewrites/rewrite_nowww.conf" 73 | disable "h5bp/rewrites/rewrite_www.conf" 74 | 75 | 76 | 77 | # Module "security" 78 | 79 | title "security" 80 | disable "h5bp/security/x-frame-options.conf" 81 | disable "h5bp/security/content-security-policy.conf" 82 | enable "h5bp/security/file_access.conf" 83 | disable "h5bp/security/strict-transport-security.conf" 84 | enable "h5bp/security/x-content-type-options.conf" 85 | disable "h5bp/security/referrer-policy.conf" 86 | disable "h5bp/security/cross-origin-policy.conf" 87 | disable "h5bp/security/permissions-policy.conf" 88 | disable "h5bp/security/trace_method.conf" 89 | enable "h5bp/security/x-powered-by.conf" 90 | enable "h5bp/security/server_software_information.conf" 91 | 92 | 93 | 94 | 
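Added example, not part of the project: the stock `htaccess.conf` above leaves most of the `security` partials `disable`d (only `file_access`, `x-content-type-options`, `x-powered-by` and `server_software_information` are enabled), so a production build made from an unedited copy ships without `X-Frame-Options`, a CSP, HSTS or `Referrer-Policy`. The shell check below parses an `htaccess.conf` the way `bin/build.sh` does (a keyword, then a possibly quoted filename) and fails when any partial in a required list is not enabled. The required list, the `REQUIRED_SECURITY_PARTIALS` variable and the function names are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of Apache Server Configs: a pre-build check for the
# "security" module of an htaccess.conf. It lists what the config does with
# every h5bp/security/ partial and fails when a required one is not enabled.
#
# The required list below is this example's own choice, not the project's;
# adjust it to the site's policy (e.g. swap x-frame-options for
# content-security-policy once a CSP with frame-ancestors is in place).

REQUIRED_SECURITY_PARTIALS="${REQUIRED_SECURITY_PARTIALS:-
h5bp/security/file_access.conf
h5bp/security/x-content-type-options.conf
h5bp/security/x-frame-options.conf
h5bp/security/strict-transport-security.conf
h5bp/security/referrer-policy.conf
h5bp/security/trace_method.conf}"

# Print "keyword partial" for each non-comment line of CONFIG ($1) that
# refers to a partial under h5bp/security/. Quotes around the filename are
# stripped the same way bin/build.sh does it.
list_security_partials() {
    local keyword filename
    while read -r keyword filename; do
        case "$keyword" in ''|'#'*) continue ;; esac
        filename="${filename%\"}"
        filename="${filename#\"}"
        case "$filename" in
            h5bp/security/*) printf '%s %s\n' "$keyword" "$filename" ;;
        esac
    done < "$1"
}

# Return 0 if every required partial is enabled in CONFIG ($1). Otherwise
# print one line per offender ("disabled", "omitted", or "missing" when the
# config never mentions it) and return 1. Meant to run in CI before build.sh.
audit_security_partials() {
    local config="$1" status=0 partial keyword
    for partial in $REQUIRED_SECURITY_PARTIALS; do
        # if a partial is listed more than once, the last entry is taken
        keyword=$(list_security_partials "$config" |
                  awk -v p="$partial" '$2 == p { k = $1 } END { print k }')
        case "$keyword" in
            enable)  ;;
            disable) echo "disabled: $partial"; status=1 ;;
            omit)    echo "omitted:  $partial"; status=1 ;;
            '')      echo "missing:  $partial"; status=1 ;;
            *)       echo "unknown keyword '$keyword': $partial"; status=1 ;;
        esac
    done
    return $status
}

# Usage: source this file, then
#   audit_security_partials bin/htaccess.conf && path/to/server-configs-apache/bin/build.sh
```

Because `build.sh` only reports partials that do not exist, a typo in a partial name is caught, but a partial that is merely `disable`d is silently emitted as comments; this check closes that gap before the build runs.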
# Module "web performance" 95 | 96 | title "web performance" 97 | enable "h5bp/web_performance/compression.conf" 98 | disable "h5bp/web_performance/pre-compressed_content_brotli.conf" 99 | disable "h5bp/web_performance/pre-compressed_content_gzip.conf" 100 | enable "h5bp/web_performance/no_etags.conf" 101 | enable "h5bp/web_performance/cache_expiration.conf" 102 | disable "h5bp/web_performance/cache-control.conf" 103 | disable "h5bp/web_performance/content_transformation.conf" 104 | disable "h5bp/web_performance/file_concatenation.conf" 105 | disable "h5bp/web_performance/filename-based_cache_busting.conf" 106 | -------------------------------------------------------------------------------- /dist/.htaccess: -------------------------------------------------------------------------------- 1 | # Apache Server Configs v6.0.0 | MIT License 2 | # https://github.com/h5bp/server-configs-apache 3 | 4 | # (!) Using `.htaccess` files slows down Apache, therefore, if you have 5 | # access to the main server configuration file (which is usually 6 | # called `httpd.conf`), you should add this logic there. 7 | # 8 | # https://httpd.apache.org/docs/current/howto/htaccess.html 9 | 10 | # ###################################################################### 11 | # # CROSS-ORIGIN # 12 | # ###################################################################### 13 | 14 | # ---------------------------------------------------------------------- 15 | # | Cross-origin requests | 16 | # ---------------------------------------------------------------------- 17 | 18 | # Allow cross-origin requests. 19 | # 20 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS 21 | # https://enable-cors.org/ 22 | # https://www.w3.org/TR/cors/ 23 | 24 | # (!) Do not use this without understanding the consequences. 25 | # This will permit access from any other website. 
26 | # Instead of using this file, consider using a specific rule such as
27 | # allowing access based on (sub)domain. The value must be a full origin
28 | # (scheme and host, plus the port if it is not the default), not a bare hostname:
29 | #
30 | # Header set Access-Control-Allow-Origin "https://subdomain.example.com"
31 | #
32 | # (1) When `Access-Control-Allow-Origin` names a specific origin rather than `*`, send `Vary: Origin` along with the response so a shared cache does not serve one origin's response to another.
33 | 
34 | #
35 | # Header set Access-Control-Allow-Origin "*"
36 | 
37 | # # (1)
38 | # # Header append Vary Origin
39 | #
40 | 
41 | # ----------------------------------------------------------------------
42 | # | Cross-origin images |
43 | # ----------------------------------------------------------------------
44 | 
45 | # Send the CORS header for images when browsers request it. Any `Origin` value contains a `:` (the scheme separator), so `IS_CORS` is set for every request that carries the header.
46 | #
47 | # https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
48 | # https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
49 | 
50 | 
51 | 
52 | 
53 | SetEnvIf Origin ":" IS_CORS
54 | Header set Access-Control-Allow-Origin "*" env=IS_CORS
55 | 
56 | 
57 | 
58 | 
59 | # ----------------------------------------------------------------------
60 | # | Cross-origin web fonts |
61 | # ----------------------------------------------------------------------
62 | 
63 | # Allow cross-origin access to web fonts.
64 | #
65 | # https://developers.google.com/fonts/docs/troubleshooting
66 | 
67 | 
68 | 
69 | Header set Access-Control-Allow-Origin "*"
70 | 
71 | 
72 | 
73 | # ----------------------------------------------------------------------
74 | # | Cross-origin resource timing |
75 | # ----------------------------------------------------------------------
76 | 
77 | # Allow cross-origin access to the timing information for all resources.
78 | #
79 | # If a resource isn't served with a `Timing-Allow-Origin` header that would
80 | # allow its timing information to be shared with the document, some of the
81 | # attributes of the `PerformanceResourceTiming` object will be set to zero.
82 | # 83 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin 84 | # https://www.w3.org/TR/resource-timing/ 85 | # https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/ 86 | 87 | # 88 | # Header set Timing-Allow-Origin: "*" 89 | # 90 | 91 | # ###################################################################### 92 | # # ERRORS # 93 | # ###################################################################### 94 | 95 | # ---------------------------------------------------------------------- 96 | # | Custom error messages/pages | 97 | # ---------------------------------------------------------------------- 98 | 99 | # Customize what Apache returns to the client in case of an error. 100 | # 101 | # https://httpd.apache.org/docs/current/mod/core.html#errordocument 102 | 103 | # ErrorDocument 404 /404.html 104 | 105 | # ---------------------------------------------------------------------- 106 | # | Error prevention | 107 | # ---------------------------------------------------------------------- 108 | 109 | # Disable the pattern matching based on filenames. 110 | # 111 | # This setting prevents Apache from returning a 404 error as the result of a 112 | # rewrite when the directory with the same name does not exist. 113 | # 114 | # https://httpd.apache.org/docs/current/content-negotiation.html#multiviews 115 | 116 | Options -MultiViews 117 | 118 | # ###################################################################### 119 | # # MEDIA TYPES AND CHARACTER ENCODINGS # 120 | # ###################################################################### 121 | 122 | # ---------------------------------------------------------------------- 123 | # | Media types | 124 | # ---------------------------------------------------------------------- 125 | 126 | # Serve resources with the proper media types (f.k.a. MIME types). 
127 | # 128 | # https://www.iana.org/assignments/media-types/media-types.xhtml 129 | # https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype 130 | 131 | 132 | 133 | # Data interchange 134 | 135 | AddType application/atom+xml atom 136 | AddType application/json json map topojson 137 | AddType application/ld+json jsonld 138 | AddType application/rss+xml rss 139 | AddType application/geo+json geojson 140 | AddType application/rdf+xml rdf 141 | AddType application/xml xml 142 | 143 | 144 | # JavaScript 145 | 146 | # Servers should use text/javascript for JavaScript resources. 147 | # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages 148 | 149 | AddType text/javascript js mjs 150 | 151 | 152 | # Manifest files 153 | 154 | AddType application/manifest+json webmanifest 155 | AddType application/x-web-app-manifest+json webapp 156 | AddType text/cache-manifest appcache 157 | 158 | 159 | # Media files 160 | 161 | AddType audio/mp4 f4a f4b m4a 162 | AddType audio/ogg oga ogg opus 163 | AddType image/avif avif avifs 164 | AddType image/bmp bmp 165 | AddType image/jxl jxl 166 | AddType image/svg+xml svg svgz 167 | AddType image/webp webp 168 | AddType video/mp4 f4v f4p m4v mp4 169 | AddType video/ogg ogv 170 | AddType video/webm webm 171 | AddType video/x-flv flv 172 | 173 | # Serving `.ico` image files with a different media type prevents 174 | # Internet Explorer from displaying them as images: 175 | # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee 176 | 177 | AddType image/x-icon cur ico 178 | 179 | 180 | # WebAssembly 181 | 182 | AddType application/wasm wasm 183 | 184 | 185 | # Web fonts 186 | 187 | AddType font/woff woff 188 | AddType font/woff2 woff2 189 | AddType application/vnd.ms-fontobject eot 190 | AddType font/ttf ttf 191 | AddType font/collection ttc 192 | AddType font/otf otf 193 | 194 | 195 | # Other 196 | 197 | AddType application/octet-stream safariextz 198 | AddType 
application/x-bb-appworld bbaw 199 | AddType application/x-chrome-extension crx 200 | AddType application/x-opera-extension oex 201 | AddType application/x-xpinstall xpi 202 | AddType text/calendar ics 203 | AddType text/markdown markdown md 204 | AddType text/vcard vcard vcf 205 | AddType text/vnd.rim.location.xloc xloc 206 | AddType text/vtt vtt 207 | AddType text/x-component htc 208 | 209 | 210 | 211 | # ---------------------------------------------------------------------- 212 | # | Character encodings | 213 | # ---------------------------------------------------------------------- 214 | 215 | # Serve all resources labeled as `text/html` or `text/plain` with the media type 216 | # `charset` parameter set to `UTF-8`. 217 | # 218 | # https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset 219 | 220 | AddDefaultCharset utf-8 221 | 222 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 223 | 224 | # Serve the following file types with the media type `charset` parameter set to 225 | # `UTF-8`. 226 | # 227 | # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset 228 | 229 | 230 | AddCharset utf-8 .appcache \ 231 | .bbaw \ 232 | .css \ 233 | .htc \ 234 | .ics \ 235 | .js \ 236 | .json \ 237 | .manifest \ 238 | .map \ 239 | .markdown \ 240 | .md \ 241 | .mjs \ 242 | .topojson \ 243 | .vtt \ 244 | .vcard \ 245 | .vcf \ 246 | .webmanifest \ 247 | .xloc 248 | 249 | 250 | # ###################################################################### 251 | # # REWRITES # 252 | # ###################################################################### 253 | 254 | # ---------------------------------------------------------------------- 255 | # | Rewrite engine | 256 | # ---------------------------------------------------------------------- 257 | 258 | # (1) Turn on the rewrite engine (this is necessary in order for the 259 | # `RewriteRule` directives to work). 
260 | # 261 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine 262 | # 263 | # (2) Enable the `FollowSymLinks` option if it isn't already. 264 | # 265 | # https://httpd.apache.org/docs/current/mod/core.html#options 266 | # 267 | # (3) If your web host doesn't allow the `FollowSymlinks` option, you need to 268 | # comment it out or remove it, and then uncomment the 269 | # `Options +SymLinksIfOwnerMatch` line (4), but be aware of the performance 270 | # impact. 271 | # 272 | # https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks 273 | # 274 | # (4) Some cloud hosting services will require you set `RewriteBase`. 275 | # 276 | # https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site 277 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase 278 | # 279 | # (5) Depending on how your server is set up, you may also need to use the 280 | # `RewriteOptions` directive to enable some options for the rewrite engine. 281 | # 282 | # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions 283 | 284 | 285 | 286 | # (1) 287 | RewriteEngine On 288 | 289 | # (2) 290 | Options +FollowSymlinks 291 | 292 | # (3) 293 | # Options +SymLinksIfOwnerMatch 294 | 295 | # (4) 296 | # RewriteBase / 297 | 298 | # (5) 299 | # RewriteOptions 300 | 301 | 302 | 303 | # ---------------------------------------------------------------------- 304 | # | Forcing `https://` | 305 | # ---------------------------------------------------------------------- 306 | 307 | # Redirect from the `http://` to the `https://` version of the URL. 308 | # 309 | # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS 310 | 311 | # (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot method it 312 | # will fail to validate the certificate if validation requests are 313 | # redirected to HTTPS. Turn on the condition(s) you need. 
314 | # 315 | # https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml 316 | # https://tools.ietf.org/html/draft-ietf-acme-acme-12 317 | 318 | # 319 | # RewriteEngine On 320 | # RewriteCond %{HTTPS} !=on 321 | # # (1) 322 | # # RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/ 323 | # # RewriteCond %{REQUEST_URI} !^/\.well-known/cpanel-dcv/[\w-]+$ 324 | # # RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$ 325 | # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 326 | # 327 | 328 | # ---------------------------------------------------------------------- 329 | # | Suppressing the `www.` at the beginning of URLs | 330 | # ---------------------------------------------------------------------- 331 | 332 | # Rewrite www.example.com → example.com 333 | 334 | # The same content should never be available under two different URLs, 335 | # especially not with and without `www.` at the beginning. 336 | # This can cause SEO problems (duplicate content), and therefore, you should 337 | # choose one of the alternatives and redirect the other one. 338 | # 339 | # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME! 340 | 341 | # (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the 342 | # appropriate schema automatically (http or https). 343 | # 344 | # (2) The rule assumes by default that both HTTP and HTTPS environments are 345 | # available for redirection. 346 | # If your SSL certificate could not handle one of the domains used during 347 | # redirection, you should turn the condition on. 
348 | # 349 | # https://github.com/h5bp/server-configs-apache/issues/52 350 | 351 | 352 | 353 | RewriteEngine On 354 | 355 | # (1) 356 | RewriteCond %{HTTPS} =on 357 | RewriteRule ^ - [E=PROTO:https] 358 | RewriteCond %{HTTPS} !=on 359 | RewriteRule ^ - [E=PROTO:http] 360 | 361 | # (2) 362 | # RewriteCond %{HTTPS} !=on 363 | 364 | RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] 365 | RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L] 366 | 367 | 368 | 369 | # ---------------------------------------------------------------------- 370 | # | Forcing the `www.` at the beginning of URLs | 371 | # ---------------------------------------------------------------------- 372 | 373 | # Rewrite example.com → www.example.com 374 | 375 | # The same content should never be available under two different URLs, 376 | # especially not with and without `www.` at the beginning. 377 | # This can cause SEO problems (duplicate content), and therefore, you should 378 | # choose one of the alternatives and redirect the other one. 379 | # 380 | # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME! 381 | 382 | # (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the 383 | # appropriate schema automatically (http or https). 384 | # 385 | # (2) The rule assumes by default that both HTTP and HTTPS environments are 386 | # available for redirection. 387 | # If your SSL certificate could not handle one of the domains used during 388 | # redirection, you should turn the condition on. 389 | # 390 | # https://github.com/h5bp/server-configs-apache/issues/52 391 | 392 | # Be aware that the following might not be a good idea if you use "real" 393 | # subdomains for certain parts of your website. 
394 | 395 | # 396 | 397 | # RewriteEngine On 398 | 399 | # # (1) 400 | # RewriteCond %{HTTPS} =on 401 | # RewriteRule ^ - [E=PROTO:https] 402 | # RewriteCond %{HTTPS} !=on 403 | # RewriteRule ^ - [E=PROTO:http] 404 | 405 | # # (2) 406 | # # RewriteCond %{HTTPS} !=on 407 | 408 | # RewriteCond %{HTTP_HOST} !^www\. [NC] 409 | # RewriteCond %{SERVER_ADDR} !=127.0.0.1 410 | # RewriteCond %{SERVER_ADDR} !=::1 411 | # RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] 412 | 413 | # 414 | 415 | # ###################################################################### 416 | # # SECURITY # 417 | # ###################################################################### 418 | 419 | # ---------------------------------------------------------------------- 420 | # | Frame Options | 421 | # ---------------------------------------------------------------------- 422 | 423 | # Protect website against clickjacking. 424 | # 425 | # The example below sends the `X-Frame-Options` response header with the value 426 | # `DENY`, informing browsers not to display the content of the web page in any 427 | # frame. 428 | # 429 | # This might not be the best setting for everyone. You should read about the 430 | # other two possible values the `X-Frame-Options` header field can have: 431 | # `SAMEORIGIN` and `ALLOW-FROM`. 432 | # https://tools.ietf.org/html/rfc7034#section-2.1. 433 | # 434 | # Keep in mind that while you could send the `X-Frame-Options` header for all 435 | # of your website's pages, this has the potential downside that it forbids even 436 | # non-malicious framing of your content. 437 | # 438 | # Nonetheless, you should ensure that you send the `X-Frame-Options` header for 439 | # all pages that allow a user to make a state-changing operation (e.g: pages 440 | # that contain one-click purchase links, checkout or bank-transfer confirmation 441 | # pages, pages that make permanent configuration changes, etc.). 
442 | # 443 | # Sending the `X-Frame-Options` header can also protect your website against 444 | # more than just clickjacking attacks. 445 | # https://cure53.de/xfo-clickjacking.pdf. 446 | # 447 | # (!) The `Content-Security-Policy` header has a `frame-ancestors` directive 448 | # which obsoletes this header for supporting browsers. 449 | # 450 | # https://tools.ietf.org/html/rfc7034 451 | # https://owasp.org/www-project-secure-headers/#x-frame-options 452 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 453 | # https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options 454 | 455 | # 456 | # Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i" 457 | # 458 | 459 | # ---------------------------------------------------------------------- 460 | # | Content Security Policy (CSP) | 461 | # ---------------------------------------------------------------------- 462 | 463 | # Mitigate the risk of cross-site scripting and other content-injection 464 | # attacks. 465 | # 466 | # This can be done by setting a Content Security Policy which permits 467 | # trusted sources of content for your website. 468 | # 469 | # There is no policy that fits all websites, you will have to modify the 470 | # `Content-Security-Policy` directives in the example depending on your needs. 471 | # 472 | # The example policy below aims to: 473 | # 474 | # (1) Restrict all fetches by default to the origin of the current website by 475 | # setting the `default-src` directive to `'self'` - which acts as a 476 | # fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive). 477 | # 478 | # This is convenient as you do not have to specify all Fetch directives 479 | # that apply to your site, for example: 480 | # `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc. 
481 | # 482 | # This restriction also means that you must explicitly define from which 483 | # site(s) your website is allowed to load resources from. 484 | # 485 | # (2) The `` element is not allowed on the website. This is to prevent 486 | # attackers from changing the locations of resources loaded from relative 487 | # URLs. 488 | # 489 | # If you want to use the `` element, then `base-uri 'self'` can be 490 | # used instead. 491 | # 492 | # (3) Form submissions are only allowed from the current website by setting: 493 | # `form-action 'self'`. 494 | # 495 | # (4) Prevents all websites (including your own) from embedding your webpages 496 | # within e.g. the `