  1. # Apache Server Configs v2.11.0 | MIT License
  2. # https://github.com/h5bp/server-configs-apache
  3. # (!) Using `.htaccess` files slows down Apache, therefore, if you have
  4. # access to the main server configuration file (which is usually called
  5. # `httpd.conf`), you should add this logic there.
  6. #
  7. # https://httpd.apache.org/docs/current/howto/htaccess.html.
  8. # ######################################################################
  9. # # CROSS-ORIGIN #
  10. # ######################################################################
  11. # ----------------------------------------------------------------------
  12. # | Cross-origin requests |
  13. # ----------------------------------------------------------------------
# Allow cross-origin requests.
#
# (!) The wildcard below lets any web origin read every response it is
# applied to. That is fine for public, static assets, but never combine
# `*` with `Access-Control-Allow-Credentials: true`, and do not apply it
# to responses that vary by cookie or session: browsers would then hand
# that per-user content to arbitrary third-party pages.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# http://enable-cors.org/
# http://www.w3.org/TR/cors/
  19. # <IfModule mod_headers.c>
  20. # Header set Access-Control-Allow-Origin "*"
  21. # </IfModule>
  22. # ----------------------------------------------------------------------
  23. # | Cross-origin images |
  24. # ----------------------------------------------------------------------
  25. # Send the CORS header for images when browsers request it.
  26. #
  27. # https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
  28. # https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
  29. <IfModule mod_setenvif.c>
  30. <IfModule mod_headers.c>
  31. <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
  32. SetEnvIf Origin ":" IS_CORS
  33. Header set Access-Control-Allow-Origin "*" env=IS_CORS
  34. </FilesMatch>
  35. </IfModule>
  36. </IfModule>
  37. # ----------------------------------------------------------------------
  38. # | Cross-origin web fonts |
  39. # ----------------------------------------------------------------------
  40. # Allow cross-origin access to web fonts.
  41. <IfModule mod_headers.c>
  42. <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
  43. Header set Access-Control-Allow-Origin "*"
  44. </FilesMatch>
  45. </IfModule>
  46. # ----------------------------------------------------------------------
  47. # | Cross-origin resource timing |
  48. # ----------------------------------------------------------------------
  49. # Allow cross-origin access to the timing information for all resources.
  50. #
  51. # If a resource isn't served with a `Timing-Allow-Origin` header that
  52. # would allow its timing information to be shared with the document,
  53. # some of the attributes of the `PerformanceResourceTiming` object will
  54. # be set to zero.
  55. #
  56. # http://www.w3.org/TR/resource-timing/
  57. # http://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
  58. # <IfModule mod_headers.c>
# Header set Timing-Allow-Origin "*"
  60. # </IfModule>
  61. # ######################################################################
  62. # # ERRORS #
  63. # ######################################################################
  64. # ----------------------------------------------------------------------
  65. # | Custom error messages/pages |
  66. # ----------------------------------------------------------------------
  67. # Customize what Apache returns to the client in case of an error.
  68. # https://httpd.apache.org/docs/current/mod/core.html#errordocument
  69. ErrorDocument 404 /404.html
  70. # ----------------------------------------------------------------------
  71. # | Error prevention |
  72. # ----------------------------------------------------------------------
  73. # Disable the pattern matching based on filenames.
  74. #
  75. # This setting prevents Apache from returning a 404 error as the result
  76. # of a rewrite when the directory with the same name does not exist.
  77. #
  78. # https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
  79. Options -MultiViews
  80. # ######################################################################
  82. # ######################################################################
  83. # ----------------------------------------------------------------------
  84. # | Document modes |
  85. # ----------------------------------------------------------------------
  86. # Force Internet Explorer 8/9/10 to render pages in the highest mode
  87. # available in the various cases when it may not.
  88. #
  89. # https://hsivonen.fi/doctype/#ie8
  90. #
  91. # (!) Starting with Internet Explorer 11, document modes are deprecated.
  92. # If your business still relies on older web apps and services that were
  93. # designed for older versions of Internet Explorer, you might want to
  94. # consider enabling `Enterprise Mode` throughout your company.
  95. #
  96. # http://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
  97. # http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx
  98. <IfModule mod_headers.c>
  99. Header set X-UA-Compatible "IE=edge"
  100. # `mod_headers` cannot match based on the content-type, however,
  101. # the `X-UA-Compatible` response header should be send only for
  102. # HTML documents and not for the other resources.
  103. <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
  104. Header unset X-UA-Compatible
  105. </FilesMatch>
  106. </IfModule>
  107. # ----------------------------------------------------------------------
  108. # | Iframes cookies |
  109. # ----------------------------------------------------------------------
  110. # Allow cookies to be set from iframes in Internet Explorer.
  111. #
  112. # http://msdn.microsoft.com/en-us/library/ms537343.aspx
  113. # http://www.w3.org/TR/2000/CR-P3P-20001215/
  114. # <IfModule mod_headers.c>
  115. # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
  116. # </IfModule>
  117. # ######################################################################
  119. # ######################################################################
  120. # ----------------------------------------------------------------------
  121. # | Media types |
  122. # ----------------------------------------------------------------------
  123. # Serve resources with the proper media types (f.k.a. MIME types).
  124. #
  125. # https://www.iana.org/assignments/media-types/media-types.xhtml
  126. # https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
  127. <IfModule mod_mime.c>
  128. # Data interchange
  129. AddType application/json json map topojson
  130. AddType application/ld+json jsonld
  131. AddType application/vnd.geo+json geojson
  132. AddType application/xml atom rdf rss xml
  133. # JavaScript
  134. # Normalize to standard type.
  135. # https://tools.ietf.org/html/rfc4329#section-7.2
  136. AddType application/javascript js
  137. # Manifest files
  138. # If you are providing a web application manifest file (see
  139. # the specification: https://w3c.github.io/manifest/), it is
  140. # recommended that you serve it with the `application/manifest+json`
  141. # media type.
  142. #
  143. # Because the web application manifest file doesn't have its
  144. # own unique file extension, you can set its media type either
  145. # by matching:
  146. #
  147. # 1) the exact location of the file (this can be done using a
  148. # directive such as `<Location>`, but it will NOT work in
  149. # the `.htaccess` file, so you will have to do it in the main
  150. # server configuration file or inside of a `<VirtualHost>`
  151. # container)
  152. #
  153. # e.g.:
  154. #
  155. # <Location "/.well-known/manifest.json">
  156. # AddType application/manifest+json json
  157. # </Location>
  158. #
  159. # 2) the filename (this can be problematic as you will need to
  160. # ensure that you don't have any other file with the same name
  161. # as the one you gave to your web application manifest file)
  162. #
  163. # e.g.:
  164. #
  165. # <Files "manifest.json">
  166. # AddType application/manifest+json json
  167. # </Files>
  168. AddType application/x-web-app-manifest+json webapp
  169. AddType text/cache-manifest appcache manifest
  170. # Media files
  171. AddType audio/mp4 f4a f4b m4a
  172. AddType audio/ogg oga ogg opus
  173. AddType image/bmp bmp
  174. AddType image/webp webp
  175. AddType video/mp4 f4v f4p m4v mp4
  176. AddType video/ogg ogv
  177. AddType video/webm webm
  178. AddType video/x-flv flv
  179. AddType image/svg+xml svg svgz
  180. # Serving `.ico` image files with a different media type
  181. # prevents Internet Explorer from displaying then as images:
  182. # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
  183. AddType image/x-icon cur ico
  184. # Web fonts
  185. AddType application/font-woff woff
  186. AddType application/font-woff2 woff2
  187. AddType application/vnd.ms-fontobject eot
  188. # Browsers usually ignore the font media types and simply sniff
  189. # the bytes to figure out the font type.
  190. # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
  191. #
  192. # However, Blink and WebKit based browsers will show a warning
  193. # in the console if the following font types are served with any
  194. # other media types.
  195. AddType application/x-font-ttf ttc ttf
  196. AddType font/opentype otf
  197. # Other
  198. AddType application/octet-stream safariextz
  199. AddType application/x-bb-appworld bbaw
  200. AddType application/x-chrome-extension crx
  201. AddType application/x-opera-extension oex
  202. AddType application/x-xpinstall xpi
  203. AddType text/vcard vcard vcf
  204. AddType text/vnd.rim.location.xloc xloc
  205. AddType text/vtt vtt
  206. AddType text/x-component htc
  207. </IfModule>
  208. # ----------------------------------------------------------------------
  209. # | Character encodings |
  210. # ----------------------------------------------------------------------
  211. # Serve all resources labeled as `text/html` or `text/plain`
  212. # with the media type `charset` parameter set to `UTF-8`.
  213. #
  214. # https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
  215. AddDefaultCharset utf-8
  216. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  217. # Serve the following file types with the media type `charset`
  218. # parameter set to `UTF-8`.
  219. #
  220. # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
  221. <IfModule mod_mime.c>
  222. AddCharset utf-8 .atom \
  223. .bbaw \
  224. .css \
  225. .geojson \
  226. .js \
  227. .json \
  228. .jsonld \
  229. .rdf \
  230. .rss \
  231. .topojson \
  232. .vtt \
  233. .webapp \
  234. .xloc \
  235. .xml
  236. </IfModule>
  237. # ######################################################################
  238. # # REWRITES #
  239. # ######################################################################
  240. # ----------------------------------------------------------------------
  241. # | Rewrite engine |
  242. # ----------------------------------------------------------------------
  243. # (1) Turn on the rewrite engine (this is necessary in order for
  244. # the `RewriteRule` directives to work).
  245. #
  246. # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
  247. #
  248. # (2) Enable the `FollowSymLinks` option if it isn't already.
  249. #
  250. # https://httpd.apache.org/docs/current/mod/core.html#options
  251. #
  252. # (3) If your web host doesn't allow the `FollowSymlinks` option,
  253. # you need to comment it out or remove it, and then uncomment
  254. # the `Options +SymLinksIfOwnerMatch` line (4), but be aware
  255. # of the performance impact.
  256. #
  257. # https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
  258. #
  259. # (4) Some cloud hosting services will require you set `RewriteBase`.
  260. #
  261. # http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
  262. # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
  263. #
  264. # (5) Depending on how your server is set up, you may also need to
  265. # use the `RewriteOptions` directive to enable some options for
  266. # the rewrite engine.
  267. #
  268. # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
  269. <IfModule mod_rewrite.c>
  270. # (1)
  271. RewriteEngine On
  272. # (2)
  273. Options +FollowSymlinks
  274. # (3)
  275. # Options +SymLinksIfOwnerMatch
  276. # (4)
  277. # RewriteBase /
  278. # (5)
  279. # RewriteOptions <options>
  280. </IfModule>
  281. # ----------------------------------------------------------------------
  282. # | Forcing `https://` |
  283. # ----------------------------------------------------------------------
# Redirect from the `http://` to the `https://` version of the URL.
#
# (!) `%{HTTP_HOST}` is the client-supplied `Host` header. Unless this
# virtual host is bound to a fixed `ServerName` (and is not the default
# vhost that catches every other hostname), a client can make the
# `Location` header point at a host of its choosing. Hard-code the
# hostname in the substitution if in doubt.
#
# (!) Behind a TLS-terminating proxy or load balancer `%{HTTPS}` is
# never `on` at Apache and this rule loops. Test the header the proxy
# sets instead (e.g. `RewriteCond %{HTTP:X-Forwarded-Proto} !=https`),
# but only where the proxy is guaranteed to overwrite that header.
#
# `%{REQUEST_URI}` is used (as in the `www.` rules below) rather than a
# captured `$1`, so the rule also works from a sub-directory `.htaccess`,
# where the per-directory prefix has already been stripped from `$1`.
# The query string is carried over automatically in both forms.
#
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{HTTPS} !=on
#     RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# </IfModule>
  291. # ----------------------------------------------------------------------
  292. # | Suppressing / Forcing the `www.` at the beginning of URLs |
  293. # ----------------------------------------------------------------------
  294. # The same content should never be available under two different
  295. # URLs, especially not with and without `www.` at the beginning.
  296. # This can cause SEO problems (duplicate content), and therefore,
  297. # you should choose one of the alternatives and redirect the other
  298. # one.
  299. #
  300. # By default `Option 1` (no `www.`) is activated.
  301. # http://no-www.org/faq.php?q=class_b
  302. #
  303. # If you would prefer to use `Option 2`, just comment out all the
  304. # lines from `Option 1` and uncomment the ones from `Option 2`.
  305. #
  307. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  308. # Option 1: rewrite www.example.com → example.com
  309. <IfModule mod_rewrite.c>
  310. RewriteEngine On
  311. RewriteCond %{HTTPS} !=on
  312. RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  313. RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
  314. </IfModule>
  315. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  316. # Option 2: rewrite example.com → www.example.com
  317. #
  318. # Be aware that the following might not be a good idea if you use "real"
  319. # subdomains for certain parts of your website.
  320. # <IfModule mod_rewrite.c>
  321. # RewriteEngine On
  322. # RewriteCond %{HTTPS} !=on
  323. # RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
  325. # RewriteCond %{SERVER_ADDR} !=::1
  326. # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  327. # </IfModule>
  328. # ######################################################################
  329. # # SECURITY #
  330. # ######################################################################
  331. # ----------------------------------------------------------------------
  332. # | Clickjacking |
  333. # ----------------------------------------------------------------------
  334. # Protect website against clickjacking.
  335. #
  336. # The example below sends the `X-Frame-Options` response header with
  337. # the value `DENY`, informing browsers not to display the content of
  338. # the web page in any frame.
  339. #
# This might not be the best setting for everyone. You should read
# about the other two possible values the `X-Frame-Options` header
# field can have: `SAMEORIGIN` and `ALLOW-FROM`. Note that `ALLOW-FROM`
# was never supported by all browsers and is ignored by current ones;
# the `frame-ancestors` directive of Content Security Policy (see the
# next section) is the standardized replacement, and where both headers
# are present browsers honour `frame-ancestors` and ignore
# `X-Frame-Options`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
  344. #
  345. # Keep in mind that while you could send the `X-Frame-Options` header
  346. # for all of your website’s pages, this has the potential downside that
  347. # it forbids even non-malicious framing of your content (e.g.: when
  348. # users visit your website using a Google Image Search results page).
  349. #
  350. # Nonetheless, you should ensure that you send the `X-Frame-Options`
  351. # header for all pages that allow a user to make a state changing
  352. # operation (e.g: pages that contain one-click purchase links, checkout
  353. # or bank-transfer confirmation pages, pages that make permanent
  354. # configuration changes, etc.).
  355. #
  356. # Sending the `X-Frame-Options` header can also protect your website
  357. # against more than just clickjacking attacks:
  358. # https://cure53.de/xfo-clickjacking.pdf.
  359. #
  360. # https://tools.ietf.org/html/rfc7034
  361. # http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
  362. # https://www.owasp.org/index.php/Clickjacking
  363. # <IfModule mod_headers.c>
  364. # Header set X-Frame-Options "DENY"
  365. # # `mod_headers` cannot match based on the content-type, however,
  366. # # the `X-Frame-Options` response header should be send only for
  367. # # HTML documents and not for the other resources.
  368. # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
  369. # Header unset X-Frame-Options
  370. # </FilesMatch>
  371. # </IfModule>
  372. # ----------------------------------------------------------------------
  373. # | Content Security Policy (CSP) |
  374. # ----------------------------------------------------------------------
  375. # Mitigate the risk of cross-site scripting and other content-injection
  376. # attacks.
  377. #
  378. # This can be done by setting a `Content Security Policy` which
  379. # whitelists trusted sources of content for your website.
  380. #
# The example header below allows ONLY scripts that are loaded from the
# current website's origin (no inline scripts, no CDN, etc). That almost
# certainly won't work as-is for your website!
#
# Two things worth adding even to a minimal policy: a `default-src`
# fallback (otherwise every fetch directive you did not list, e.g.
# `connect-src` or `frame-src`, stays unrestricted) and `base-uri 'self'`
# (otherwise an injected `<base>` tag can redirect every relative script
# URL). Roll a new policy out as `Content-Security-Policy-Report-Only`
# first and review the violation reports before enforcing it.
#
# For more details on how to craft a reasonable policy for your website,
# read: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# (or the specification: http://www.w3.org/TR/CSP11/). Also, to make
# things easier, you can use an online CSP header generator such as:
# http://cspisawesome.com/.
  390. # <IfModule mod_headers.c>
  391. # Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
  392. # # `mod_headers` cannot match based on the content-type, however,
  393. # # the `Content-Security-Policy` response header should be send
  394. # # only for HTML documents and not for the other resources.
  395. # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
  396. # Header unset Content-Security-Policy
  397. # </FilesMatch>
  398. # </IfModule>
  399. # ----------------------------------------------------------------------
  400. # | File access |
  401. # ----------------------------------------------------------------------
  402. # Block access to directories without a default document.
  403. #
  404. # You should leave the following uncommented, as you shouldn't allow
  405. # anyone to surf through every directory on your server (which may
  406. # includes rather private places such as the CMS's directories).
  407. <IfModule mod_autoindex.c>
  408. Options -Indexes
  409. </IfModule>
  410. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  411. # Block access to all hidden files and directories with the exception of
  412. # the visible content from within the `/.well-known/` hidden directory.
  413. #
  414. # These types of files usually contain user preferences or the preserved
  415. # state of an utility, and can include rather private places like, for
  416. # example, the `.git` or `.svn` directories.
  417. #
  418. # The `/.well-known/` directory represents the standard (RFC 5785) path
  419. # prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
  420. # `/.well-known/keybase.txt`), and therefore, access to its visible
  421. # content should not be blocked.
  422. #
  423. # https://www.mnot.net/blog/2010/04/07/well-known
  424. # https://tools.ietf.org/html/rfc5785
  425. <IfModule mod_rewrite.c>
  426. RewriteEngine On
  427. RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
  428. RewriteCond %{SCRIPT_FILENAME} -d [OR]
  429. RewriteCond %{SCRIPT_FILENAME} -f
  430. RewriteRule "(^|/)\." - [F]
  431. </IfModule>
  432. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  433. # Block access to files that can expose sensitive information.
  434. #
  435. # By default, block access to backup and source files that may be
  436. # left by some text editors and can pose a security risk when anyone
  437. # has access to them.
  438. #
  439. # http://feross.org/cmsploit/
  440. #
  441. # (!) Update the `<FilesMatch>` regular expression from below to
  442. # include any files that might end up on your production server and
  443. # can expose sensitive information about your website. These files may
  444. # include: configuration files, files that contain metadata about the
  445. # project (e.g.: project dependencies), build scripts, etc..
  446. <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
  447. # Apache < 2.3
  448. <IfModule !mod_authz_core.c>
  449. Order allow,deny
  450. Deny from all
  451. Satisfy All
  452. </IfModule>
  453. # Apache ≥ 2.3
  454. <IfModule mod_authz_core.c>
  455. Require all denied
  456. </IfModule>
  457. </FilesMatch>
  458. # ----------------------------------------------------------------------
  459. # | HTTP Strict Transport Security (HSTS) |
  460. # ----------------------------------------------------------------------
# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server
# redirects them to the secure version of the website, that still leaves
# a window of opportunity (the initial HTTP connection) for an attacker
# to downgrade or redirect the request.
#
# The following header ensures that browser will ONLY connect to your
# server via HTTPS, regardless of what the users type in the browser's
# address bar.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
# subdomains are not using HTTPS.
#
# (!) Use `Header always set` rather than `Header set`: the default
# table only applies to successful (2xx) responses, so redirects and
# error pages would otherwise go out without the policy.
#
# (!) Browsers only honour the header on an HTTPS response, and once
# cached the policy cannot be undone for `max-age` seconds (about six
# months with the value below), so make sure every host it covers serves
# a valid certificate before enabling it. Browser preload lists require
# at least a one-year `max-age`, `includeSubDomains` and the `preload`
# token.
#
# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://tools.ietf.org/html/rfc6797#section-6.1
# (RFC 6797 is the published form of draft-ietf-websec-strict-transport-sec)
# http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx
# <IfModule mod_headers.c>
#     Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
# </IfModule>
  481. # ----------------------------------------------------------------------
  482. # | Reducing MIME type security risks |
  483. # ----------------------------------------------------------------------
  484. # Prevent some browsers from MIME-sniffing the response.
  485. #
  486. # This reduces exposure to drive-by download attacks and cross-origin
  487. # data leaks, and should be left uncommented, especially if the server
  488. # is serving user-uploaded content or content that could potentially be
  489. # treated as executable by the browser.
  490. #
  491. # http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
  492. # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
  493. # http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
  494. # https://mimesniff.spec.whatwg.org/
  495. <IfModule mod_headers.c>
  496. Header set X-Content-Type-Options "nosniff"
  497. </IfModule>
  498. # ----------------------------------------------------------------------
  499. # | Reflected Cross-Site Scripting (XSS) attacks |
  500. # ----------------------------------------------------------------------
  501. # (1) Try to re-enable the cross-site scripting (XSS) filter built
  502. # into most web browsers.
  503. #
  504. # The filter is usually enabled by default, but in some cases it
  505. # may be disabled by the user. However, in Internet Explorer for
  506. # example, it can be re-enabled just by sending the
  507. # `X-XSS-Protection` header with the value of `1`.
  508. #
  509. # (2) Prevent web browsers from rendering the web page if a potential
  510. # reflected (a.k.a non-persistent) XSS attack is detected by the
  511. # filter.
  512. #
  513. # By default, if the filter is enabled and browsers detect a
  514. # reflected XSS attack, they will attempt to block the attack
  515. # by making the smallest possible modifications to the returned
  516. # web page.
  517. #
  518. # Unfortunately, in some browsers (e.g.: Internet Explorer),
  519. # this default behavior may allow the XSS filter to be exploited,
  520. # thereby, it's better to inform browsers to prevent the rendering
  521. # of the page altogether, instead of attempting to modify it.
  522. #
  523. # http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
  524. #
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
# you are taking all possible measures to prevent XSS attacks, the
# most obvious being: validating and sanitizing your website's inputs.
#
# (!) The filter has since been removed from Chromium-based browsers and
# was never present in Firefox, so in most current clients this header
# does nothing; Content Security Policy (above) is the mechanism to
# invest in. Where a legacy filter is still a concern, `0` (off) is the
# value OWASP now recommends, precisely because of the filter-induced
# issues described above.
  528. #
  529. # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
  530. # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
  531. # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
  532. # <IfModule mod_headers.c>
  533. # # (1) (2)
  534. # Header set X-XSS-Protection "1; mode=block"
  535. # # `mod_headers` cannot match based on the content-type, however,
  536. # # the `X-XSS-Protection` response header should be send only for
  537. # # HTML documents and not for the other resources.
  538. # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
  539. # Header unset X-XSS-Protection
  540. # </FilesMatch>
  541. # </IfModule>
  542. # ----------------------------------------------------------------------
  543. # | Server software information |
  544. # ----------------------------------------------------------------------
# Prevent Apache from sending in the `Server` response header its
# exact version number, the description of the generic OS-type or
# information about its compiled-in modules.
#
# (!) The `ServerTokens` directive will only work in the main server
# configuration file, so don't try to enable it in the `.htaccess` file!
#
# The companion `ServerSignature Off` (which, unlike `ServerTokens`, is
# accepted in `.htaccess`) removes the matching version footer from the
# error pages Apache generates itself. Neither hides what a fingerprinting
# scanner can infer from behaviour; treat them as noise reduction, not
# as a security control.
#
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
# https://httpd.apache.org/docs/current/mod/core.html#serversignature
# ServerTokens Prod
# ServerSignature Off
  554. # ######################################################################
  555. # # WEB PERFORMANCE #
  556. # ######################################################################
  557. # ----------------------------------------------------------------------
  558. # | Compression |
  559. # ----------------------------------------------------------------------
  560. <IfModule mod_deflate.c>
  561. # Force compression for mangled `Accept-Encoding` request headers
  562. # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
  563. <IfModule mod_setenvif.c>
  564. <IfModule mod_headers.c>
  565. SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
  566. RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
  567. </IfModule>
  568. </IfModule>
  569. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  570. # Compress all output labeled with one of the following media types.
  571. #
  572. # (!) For Apache versions below version 2.3.7 you don't need to
  573. # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
  574. # and `</IfModule>` lines as `AddOutputFilterByType` is still in
  575. # the core directives.
  576. #
  577. # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
  578. <IfModule mod_filter.c>
  579. AddOutputFilterByType DEFLATE "application/atom+xml" \
  580. "application/javascript" \
  581. "application/json" \
  582. "application/ld+json" \
  583. "application/manifest+json" \
  584. "application/rdf+xml" \
  585. "application/rss+xml" \
  586. "application/schema+json" \
  587. "application/vnd.geo+json" \
  588. "application/vnd.ms-fontobject" \
  589. "application/x-font-ttf" \
  590. "application/x-javascript" \
  591. "application/x-web-app-manifest+json" \
  592. "application/xhtml+xml" \
  593. "application/xml" \
  594. "font/eot" \
  595. "font/opentype" \
  596. "image/bmp" \
  597. "image/svg+xml" \
  598. "image/vnd.microsoft.icon" \
  599. "image/x-icon" \
  600. "text/cache-manifest" \
  601. "text/css" \
  602. "text/html" \
  603. "text/javascript" \
  604. "text/plain" \
  605. "text/vcard" \
  606. "text/vnd.rim.location.xloc" \
  607. "text/vtt" \
  608. "text/x-component" \
  609. "text/x-cross-domain-policy" \
  610. "text/xml"
  611. </IfModule>
  612. # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  613. # Map the following filename extensions to the specified
  614. # encoding type in order to make Apache serve the file types
  615. # with the appropriate `Content-Encoding` response header
  616. # (do note that this will NOT make Apache compress them!).
  617. #
  618. # If these files types would be served without an appropriate
  619. # `Content-Enable` response header, client applications (e.g.:
  620. # browsers) wouldn't know that they first need to uncompress
  621. # the response, and thus, wouldn't be able to understand the
  622. # content.
  623. #
  624. # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
  625. <IfModule mod_mime.c>
  626. AddEncoding gzip svgz
  627. </IfModule>
  628. </IfModule>
  629. # ----------------------------------------------------------------------
  630. # | Content transformation |
  631. # ----------------------------------------------------------------------
  632. # Prevent intermediate caches or proxies (e.g.: such as the ones
  633. # used by mobile network providers) from modifying the website's
  634. # content.
  635. #
  636. # https://tools.ietf.org/html/rfc2616#section-14.9.5
  637. #
  638. # (!) If you are using `mod_pagespeed`, please note that setting
  639. # the `Cache-Control: no-transform` response header will prevent
  640. # `PageSpeed` from rewriting `HTML` files, and, if the
  641. # `ModPagespeedDisableRewriteOnNoTransform` directive isn't set
  642. # to `off`, also from rewriting other resources.
  643. #
  644. # https://developers.google.com/speed/pagespeed/module/configuration#notransform
  645. # <IfModule mod_headers.c>
  646. # Header merge Cache-Control "no-transform"
  647. # </IfModule>
  648. # ----------------------------------------------------------------------
  649. # | ETags |
  650. # ----------------------------------------------------------------------
  651. # Remove `ETags` as resources are sent with far-future expires headers.
  652. #
  653. # https://developer.yahoo.com/performance/rules.html#etags
  654. # https://tools.ietf.org/html/rfc7232#section-2.3
  655. # `FileETag None` alone doesn't work in all cases, so the `ETag`
  # response header is also explicitly unset below.
  656. <IfModule mod_headers.c>
  # Strip any ETag the server would otherwise emit so that clients rely
  # on the expires policy alone for freshness. Dropping the header also
  # keeps filesystem metadata (such as inode numbers, which some
  # `FileETag` settings embed) out of responses.
  657. Header unset ETag
  658. </IfModule>
  # Also disable ETag generation in core; unlike the block above this
  # takes effect even when mod_headers is not loaded.
  659. FileETag None
  660. # ----------------------------------------------------------------------
  661. # | Expires headers |
  662. # ----------------------------------------------------------------------
  663. # Serve resources with far-future expires headers.
  664. #
  665. # (!) If you don't control versioning with filename-based
  666. # cache busting, you should consider lowering the cache times
  667. # to something like one week.
  668. #
  669. # https://httpd.apache.org/docs/current/mod/mod_expires.html
  670. <IfModule mod_expires.c>
  671. ExpiresActive on
  # Fallback for every MIME type not listed below, including dynamically
  # generated responses. mod_expires leaves a response alone when it
  # already carries its own `Expires`/`Cache-Control` header, so handlers
  # that return user-specific data should set `Cache-Control: private`
  # or `no-store` themselves rather than inherit this one-month default
  # (which shared caches would otherwise honour).
  672. ExpiresDefault "access plus 1 month"
  673. # CSS
  674. ExpiresByType text/css "access plus 1 year"
  # Feeds are short-lived; JSON/XML data is treated as always stale so
  # clients revalidate on every request.
  675. # Data interchange
  676. ExpiresByType application/atom+xml "access plus 1 hour"
  677. ExpiresByType application/rdf+xml "access plus 1 hour"
  678. ExpiresByType application/rss+xml "access plus 1 hour"
  679. ExpiresByType application/json "access plus 0 seconds"
  680. ExpiresByType application/ld+json "access plus 0 seconds"
  681. ExpiresByType application/schema+json "access plus 0 seconds"
  682. ExpiresByType application/vnd.geo+json "access plus 0 seconds"
  683. ExpiresByType application/xml "access plus 0 seconds"
  684. ExpiresByType text/xml "access plus 0 seconds"
  685. # Favicon (cannot be renamed!) and cursor images
  686. ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
  687. ExpiresByType image/x-icon "access plus 1 week"
  # HTML is never cached: it is the entry point that references the
  # versioned assets below, so a stale copy would pin stale assets.
  688. # HTML
  689. ExpiresByType text/html "access plus 0 seconds"
  # The one-year lifetimes assume filename-based cache busting (see the
  # note above this block).
  690. # JavaScript
  691. ExpiresByType application/javascript "access plus 1 year"
  692. ExpiresByType application/x-javascript "access plus 1 year"
  693. ExpiresByType text/javascript "access plus 1 year"
  694. # Manifest files
  695. ExpiresByType application/manifest+json "access plus 1 year"
  696. ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
  697. ExpiresByType text/cache-manifest "access plus 0 seconds"
  698. # Media files
  699. ExpiresByType audio/ogg "access plus 1 month"
  700. ExpiresByType image/bmp "access plus 1 month"
  701. ExpiresByType image/gif "access plus 1 month"
  702. ExpiresByType image/jpeg "access plus 1 month"
  703. ExpiresByType image/png "access plus 1 month"
  704. ExpiresByType image/svg+xml "access plus 1 month"
  705. ExpiresByType video/mp4 "access plus 1 month"
  706. ExpiresByType video/ogg "access plus 1 month"
  707. ExpiresByType video/webm "access plus 1 month"
  708. # Web fonts
  709. # Embedded OpenType (EOT)
  710. ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
  711. ExpiresByType font/eot "access plus 1 month"
  712. # OpenType
  713. ExpiresByType font/opentype "access plus 1 month"
  714. # TrueType
  715. ExpiresByType application/x-font-ttf "access plus 1 month"
  716. # Web Open Font Format (WOFF) 1.0
  717. ExpiresByType application/font-woff "access plus 1 month"
  718. ExpiresByType application/x-font-woff "access plus 1 month"
  719. ExpiresByType font/woff "access plus 1 month"
  720. # Web Open Font Format (WOFF) 2.0
  721. ExpiresByType application/font-woff2 "access plus 1 month"
  # `crossdomain.xml` (text/x-cross-domain-policy) controls which origins
  # legacy plugin runtimes may read from this host; keep its TTL short so
  # a tightened policy propagates through caches within a week.
  722. # Other
  723. ExpiresByType text/x-cross-domain-policy "access plus 1 week"
  724. </IfModule>
  725. # ----------------------------------------------------------------------
  726. # | File concatenation |
  727. # ----------------------------------------------------------------------
  728. # Allow concatenation from within specific files.
  729. #
  730. # e.g.:
  731. #
  732. # If you have the following lines in a file called, for
  733. # example, `main.combined.js`:
  734. #
  735. # <!--#include file="js/jquery.js" -->
  736. # <!--#include file="js/jquery.timer.js" -->
  737. #
  738. # Apache will replace those lines with the content of the
  739. # specified files.
  740. # <IfModule mod_include.c>
  741. # <FilesMatch "\.combined\.js$">
  742. # Options +Includes
  743. # AddOutputFilterByType INCLUDES application/javascript \
  744. # application/x-javascript \
  745. # text/javascript
  746. # SetOutputFilter INCLUDES
  747. # </FilesMatch>
  748. # <FilesMatch "\.combined\.css$">
  749. # Options +Includes
  750. # AddOutputFilterByType INCLUDES text/css
  751. # SetOutputFilter INCLUDES
  752. # </FilesMatch>
  753. # </IfModule>
  754. # ----------------------------------------------------------------------
  755. # | Filename-based cache busting |
  756. # ----------------------------------------------------------------------
  757. # If you're not using a build process to manage your filename version
  758. # revving, you might want to consider enabling the following directives
  759. # to route all requests such as `/style.12345.css` to `/style.css`.
  760. #
  761. # To understand why this matters, and why it is a better solution
  762. # than using a query string such as `*.css?v231`, please see:
  763. # http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
  764. # <IfModule mod_rewrite.c>
  765. # RewriteEngine On
  766. # RewriteCond %{REQUEST_FILENAME} !-f
  767. # RewriteRule ^(.+)\.(\d+)\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp)$ $1.$3 [L]
  768. # </IfModule>