1 |
# Apache configuration file |
2 |
# httpd.apache.org/docs/2.2/mod/quickreference.html |
3 |
|
4 |
# Note: .htaccess files are an overhead; this logic should be in your Apache |
5 |
# config if possible: httpd.apache.org/docs/2.2/howto/htaccess.html |
6 |
|
7 |
# Techniques in here adapted from all over, including: |
8 |
# Kroc Camen: camendesign.com/.htaccess |
9 |
# perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/ |
10 |
# Sample .htaccess file of CMS MODx: modxcms.com |
11 |
|
12 |
|
13 |
# ---------------------------------------------------------------------- |
14 |
# Better website experience for IE users |
15 |
# ---------------------------------------------------------------------- |
16 |
|
17 |
# Force the latest IE version, in various cases when it may fall back to IE7 mode |
18 |
# github.com/rails/rails/commit/123eb25#commitcomment-118920 |
19 |
# Use ChromeFrame if it's installed for a better experience for the poor IE folk |
20 |
|
21 |
<IfModule mod_headers.c> |
22 |
# "Header set" overwrites any X-UA-Compatible value configured elsewhere; the
# FilesMatch below then removes it again for responses whose filename matches
# the listed static-asset extensions.
Header set X-UA-Compatible "IE=Edge,chrome=1" |
23 |
# mod_headers can't match by content-type, but we don't want to send this header on *everything*... |
24 |
<FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" > |
25 |
Header unset X-UA-Compatible |
26 |
</FilesMatch> |
27 |
</IfModule> |
28 |
|
29 |
|
30 |
# ---------------------------------------------------------------------- |
31 |
# Cross-domain AJAX requests |
32 |
# ---------------------------------------------------------------------- |
33 |
|
34 |
# Serve cross-domain Ajax requests, disabled by default. |
35 |
# enable-cors.org |
36 |
# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity |
37 |
|
38 |
# <IfModule mod_headers.c> |
39 |
# Header set Access-Control-Allow-Origin "*" |
40 |
# </IfModule> |
41 |
|
42 |
|
43 |
# ---------------------------------------------------------------------- |
44 |
# CORS-enabled images (@crossorigin) |
45 |
# ---------------------------------------------------------------------- |
46 |
|
47 |
# Send CORS headers if browsers request them; enabled by default for images. |
48 |
# developer.mozilla.org/en/CORS_Enabled_Image |
49 |
# blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html |
50 |
# hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ |
51 |
# wiki.mozilla.org/Security/Reviews/crossoriginAttribute |
52 |
|
53 |
<IfModule mod_setenvif.c> |
54 |
<IfModule mod_headers.c> |
55 |
# mod_headers, y u no match by Content-Type?! |
56 |
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$"> |
57 |
# Any Origin request header containing ":" (i.e. a scheme://host value) sets
# IS_CORS, so the wildcard below is only emitted when a cross-origin request
# actually arrived. The value is a constant "*" and no
# Access-Control-Allow-Credentials is set, which is why no "Vary: Origin" is
# needed here.
SetEnvIf Origin ":" IS_CORS |
58 |
Header set Access-Control-Allow-Origin "*" env=IS_CORS |
59 |
</FilesMatch> |
60 |
</IfModule> |
61 |
</IfModule> |
62 |
|
63 |
|
64 |
# ---------------------------------------------------------------------- |
65 |
# Webfont access |
66 |
# ---------------------------------------------------------------------- |
67 |
|
68 |
# Allow access from all domains for webfonts. |
69 |
# Alternatively you could only whitelist your |
70 |
# subdomains like "subdomain.example.com". |
71 |
|
72 |
<IfModule mod_headers.c> |
73 |
# NOTE(review): the "." in "font.css" is unescaped, so it matches any single
# character rather than a literal dot — probably harmless, but "font\.css"
# is what was intended.
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$"> |
74 |
# Unlike the image rule above there is no env= guard, so the wildcard is
# sent on every response for these files. A wildcard without credentials only
# permits read access to public font files; narrow it to your own origins if
# the fonts are licensed per domain.
Header set Access-Control-Allow-Origin "*" |
75 |
</FilesMatch> |
76 |
</IfModule> |
77 |
|
78 |
|
79 |
# ---------------------------------------------------------------------- |
80 |
# Proper MIME type for all files |
81 |
# ---------------------------------------------------------------------- |
82 |
|
83 |
# JavaScript |
84 |
# Normalize to standard type (it's sniffed in IE anyways) |
85 |
# tools.ietf.org/html/rfc4329#section-7.2 |
86 |
# Declaring each type explicitly avoids falling back to the server default
# for unknown extensions and reduces how much browsers have to guess from
# content sniffing.
AddType application/javascript js jsonp |
87 |
AddType application/json json |
88 |
|
89 |
# Audio |
90 |
AddType audio/ogg oga ogg |
91 |
AddType audio/mp4 m4a f4a f4b |
92 |
|
93 |
# Video |
94 |
AddType video/ogg ogv |
95 |
AddType video/mp4 mp4 m4v f4v f4p |
96 |
AddType video/webm webm |
97 |
AddType video/x-flv flv |
98 |
|
99 |
# SVG |
100 |
# Required for svg webfonts on iPad |
101 |
# twitter.com/FontSquirrel/status/14855840545 |
102 |
AddType image/svg+xml svg svgz |
103 |
# .svgz files are pre-gzipped; AddEncoding makes Apache send
# "Content-Encoding: gzip" so the client inflates them itself.
AddEncoding gzip svgz |
104 |
|
105 |
# Webfonts |
106 |
AddType application/vnd.ms-fontobject eot |
107 |
AddType application/x-font-ttf ttf ttc |
108 |
AddType font/opentype otf |
109 |
AddType application/x-font-woff woff |
110 |
|
111 |
# Assorted types |
112 |
AddType image/x-icon ico |
113 |
AddType image/webp webp |
114 |
AddType text/cache-manifest appcache manifest |
115 |
AddType text/x-component htc |
116 |
AddType application/xml rss atom xml rdf |
117 |
AddType application/x-chrome-extension crx |
118 |
AddType application/x-opera-extension oex |
119 |
AddType application/x-xpinstall xpi |
120 |
AddType application/octet-stream safariextz |
121 |
AddType application/x-web-app-manifest+json webapp |
122 |
AddType text/x-vcard vcf |
123 |
AddType application/x-shockwave-flash swf |
124 |
AddType text/vtt vtt |
125 |
|
126 |
|
127 |
# ---------------------------------------------------------------------- |
128 |
# Allow concatenation from within specific js and css files |
129 |
# ---------------------------------------------------------------------- |
130 |
|
131 |
# e.g. Inside of script.combined.js you could have |
132 |
# <!--#include file="libs/jquery-1.5.0.min.js" --> |
133 |
# <!--#include file="plugins/jquery.idletimer.js" --> |
134 |
# and they would be included into this single file. |
135 |
|
136 |
# This is not in use in the boilerplate as it stands. You may |
137 |
# choose to use this technique if you do not have a build process. |
138 |
|
139 |
#<FilesMatch "\.combined\.js$"> |
140 |
# Options +Includes |
141 |
# AddOutputFilterByType INCLUDES application/javascript application/json |
142 |
# SetOutputFilter INCLUDES |
143 |
#</FilesMatch> |
144 |
|
145 |
#<FilesMatch "\.combined\.css$"> |
146 |
# Options +Includes |
147 |
# AddOutputFilterByType INCLUDES text/css |
148 |
# SetOutputFilter INCLUDES |
149 |
#</FilesMatch> |
150 |
|
151 |
|
152 |
# ---------------------------------------------------------------------- |
153 |
# Gzip compression |
154 |
# ---------------------------------------------------------------------- |
155 |
|
156 |
<IfModule mod_deflate.c> |
157 |
|
158 |
# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/ |
159 |
<IfModule mod_setenvif.c> |
160 |
<IfModule mod_headers.c> |
161 |
# Some intermediaries rewrite the Accept-Encoding header name and/or value
# (see the post above). The regex recognises those mangled forms and sets
# HAVE_Accept-Encoding so a well-formed header can be re-added on the next
# line; requests with an intact header are untouched.
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding |
162 |
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding |
163 |
</IfModule> |
164 |
</IfModule> |
165 |
|
166 |
# Compress all output labeled with one of the following MIME-types |
167 |
<IfModule mod_filter.c> |
168 |
# NOTE(review): text/html is on this list, so dynamic pages are compressed
# too. Responses that place per-session secrets (e.g. CSRF tokens) next to
# reflected user input are the known risk case for compression side channels
# (BREACH); consider excluding such responses if that applies to your app.
AddOutputFilterByType DEFLATE application/atom+xml \ |
169 |
application/javascript \ |
170 |
application/json \ |
171 |
application/rss+xml \ |
172 |
application/vnd.ms-fontobject \ |
173 |
application/x-font-ttf \ |
174 |
application/xhtml+xml \ |
175 |
application/xml \ |
176 |
font/opentype \ |
177 |
image/svg+xml \ |
178 |
image/x-icon \ |
179 |
text/css \ |
180 |
text/html \ |
181 |
text/plain \ |
182 |
text/x-component \ |
183 |
text/xml |
184 |
</IfModule> |
185 |
|
186 |
</IfModule> |
187 |
|
188 |
|
189 |
# ---------------------------------------------------------------------- |
190 |
# Expires headers (for better cache control) |
191 |
# ---------------------------------------------------------------------- |
192 |
|
193 |
# These are pretty far-future expires headers. |
194 |
# They assume you control versioning with filename-based cache busting |
195 |
# Additionally, consider that outdated proxies may miscache |
196 |
# www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/ |
197 |
|
198 |
# If you don't use filenames to version, lower the CSS and JS to something like |
199 |
# "access plus 1 week". |
200 |
|
201 |
<IfModule mod_expires.c> |
202 |
ExpiresActive on |
203 |
|
204 |
# Perhaps better to whitelist expires rules? Perhaps. |
205 |
# This default applies to every MIME type not overridden below, including
# types that may carry dynamic or per-user content (e.g. PDFs or API
# responses served with an unlisted type). Review it before enabling on
# paths that are not purely static.
ExpiresDefault "access plus 1 month" |
206 |
|
207 |
# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5) |
208 |
ExpiresByType text/cache-manifest "access plus 0 seconds" |
209 |
|
210 |
# Your document html |
211 |
ExpiresByType text/html "access plus 0 seconds" |
212 |
|
213 |
# Data |
214 |
ExpiresByType text/xml "access plus 0 seconds" |
215 |
ExpiresByType application/xml "access plus 0 seconds" |
216 |
ExpiresByType application/json "access plus 0 seconds" |
217 |
|
218 |
# Feed |
219 |
ExpiresByType application/rss+xml "access plus 1 hour" |
220 |
ExpiresByType application/atom+xml "access plus 1 hour" |
221 |
|
222 |
# Favicon (cannot be renamed) |
223 |
ExpiresByType image/x-icon "access plus 1 week" |
224 |
|
225 |
# Media: images, video, audio |
226 |
ExpiresByType image/gif "access plus 1 month" |
227 |
ExpiresByType image/png "access plus 1 month" |
228 |
ExpiresByType image/jpeg "access plus 1 month" |
229 |
ExpiresByType video/ogg "access plus 1 month" |
230 |
ExpiresByType audio/ogg "access plus 1 month" |
231 |
ExpiresByType video/mp4 "access plus 1 month" |
232 |
ExpiresByType video/webm "access plus 1 month" |
233 |
|
234 |
# HTC files (css3pie) |
235 |
ExpiresByType text/x-component "access plus 1 month" |
236 |
|
237 |
# Webfonts |
238 |
ExpiresByType application/x-font-ttf "access plus 1 month" |
239 |
ExpiresByType font/opentype "access plus 1 month" |
240 |
ExpiresByType application/x-font-woff "access plus 1 month" |
241 |
ExpiresByType image/svg+xml "access plus 1 month" |
242 |
ExpiresByType application/vnd.ms-fontobject "access plus 1 month" |
243 |
|
244 |
# CSS and JavaScript |
245 |
# One year only makes sense with filename-based versioning (see the notes
# above); without it, a changed file keeps being served stale from caches.
ExpiresByType text/css "access plus 1 year" |
246 |
ExpiresByType application/javascript "access plus 1 year" |
247 |
|
248 |
</IfModule> |
249 |
|
250 |
|
251 |
# ---------------------------------------------------------------------- |
252 |
# Prevent mobile network providers from modifying your site |
253 |
# ---------------------------------------------------------------------- |
254 |
|
255 |
# The following header prevents modification of your code over 3G on some |
256 |
# European providers. |
257 |
# This is the official 'bypass' suggested by O2 in the UK. |
258 |
|
259 |
# <IfModule mod_headers.c> |
260 |
# Header set Cache-Control "no-transform" |
261 |
# </IfModule> |
262 |
|
263 |
|
264 |
# ---------------------------------------------------------------------- |
265 |
# ETag removal |
266 |
# ---------------------------------------------------------------------- |
267 |
|
268 |
# FileETag None is not enough for every server. |
269 |
<IfModule mod_headers.c> |
270 |
# Both directives are needed: "FileETag None" stops Apache generating an ETag
# for static files, and "Header unset" removes one that another module still
# adds. Without ETags, conditional revalidation falls back to Last-Modified.
Header unset ETag |
271 |
</IfModule> |
272 |
|
273 |
# Since we're sending far-future expires, we don't need ETags for |
274 |
# static content. |
275 |
# developer.yahoo.com/performance/rules.html#etags |
276 |
FileETag None |
277 |
|
278 |
|
279 |
# ---------------------------------------------------------------------- |
280 |
# Stop screen flicker in IE on CSS rollovers |
281 |
# ---------------------------------------------------------------------- |
282 |
|
283 |
# The following directives stop screen flicker in IE on CSS rollovers - in |
284 |
# combination with the "ExpiresByType" rules for images (see above). |
285 |
|
286 |
# BrowserMatch "MSIE" brokenvary=1 |
287 |
# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1 |
288 |
# BrowserMatch "Opera" !brokenvary |
289 |
# SetEnvIf brokenvary 1 force-no-vary |
290 |
|
291 |
|
292 |
# ---------------------------------------------------------------------- |
293 |
# Set Keep-Alive Header |
294 |
# ---------------------------------------------------------------------- |
295 |
|
296 |
# Keep-Alive allows the server to serve multiple requests over one |
297 |
# TCP connection. Be aware of the possible disadvantages of this setting. Turn it on |
298 |
# if you serve a lot of static content. |
299 |
|
300 |
# <IfModule mod_headers.c> |
301 |
# Header set Connection Keep-Alive |
302 |
# </IfModule> |
303 |
|
304 |
|
305 |
# ---------------------------------------------------------------------- |
306 |
# Cookie setting from iframes |
307 |
# ---------------------------------------------------------------------- |
308 |
|
309 |
# Allow cookies to be set from iframes (for IE only) |
310 |
# If needed, specify a path or regex in the Location directive. |
311 |
|
312 |
# <IfModule mod_headers.c> |
313 |
# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"" |
314 |
# </IfModule> |
315 |
|
316 |
|
317 |
# ---------------------------------------------------------------------- |
318 |
# Start rewrite engine |
319 |
# ---------------------------------------------------------------------- |
320 |
|
321 |
# Turning on the rewrite engine is necessary for the following rules and |
322 |
# features. FollowSymLinks must be enabled for this to work. |
323 |
|
324 |
# Some cloud hosting services require RewriteBase to be set: goo.gl/HOcPN |
325 |
# If using the h5bp in a subdirectory, use `RewriteBase /foo` instead where |
326 |
# 'foo' is your directory. |
327 |
|
328 |
# If your web host doesn't allow the FollowSymlinks option, you may need to |
329 |
# comment it out and use `Options +SymLinksOfOwnerMatch`, but be aware of the |
330 |
# performance impact: http://goo.gl/Mluzd |
331 |
|
332 |
<IfModule mod_rewrite.c> |
333 |
# FollowSymLinks lets Apache follow any symlink under the document root. If
# other local users can create files there, a symlink they plant is followed
# too; SymLinksIfOwnerMatch (commented out below) only follows links whose
# owner matches the target, at the performance cost noted above.
Options +FollowSymlinks |
334 |
# Options +SymLinksIfOwnerMatch |
335 |
RewriteEngine On |
336 |
# RewriteBase / |
337 |
</IfModule> |
338 |
|
339 |
|
340 |
# ---------------------------------------------------------------------- |
341 |
# Suppress or force the "www." at the beginning of URLs |
342 |
# ---------------------------------------------------------------------- |
343 |
|
344 |
# The same content should never be available under two different URLs - |
345 |
# especially not with and without "www." at the beginning, since this can cause |
346 |
# SEO problems (duplicate content). That's why you should choose one of the |
347 |
# alternatives and redirect the other one. |
348 |
|
349 |
# By default option 1 (no "www.") is activated. |
350 |
# no-www.org/faq.php?q=class_b |
351 |
|
352 |
# If you'd prefer to use option 2, just comment out all option 1 lines |
353 |
# and uncomment option 2. |
354 |
|
355 |
# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME! |
356 |
|
357 |
# ---------------------------------------------------------------------- |
358 |
|
359 |
# Option 1: |
360 |
# Rewrite "www.example.com -> example.com". |
361 |
|
362 |
<IfModule mod_rewrite.c> |
363 |
# Only plain-HTTP requests are redirected; HTTPS requests to the www host
# are left as they are, so the canonical-host rule is not applied there.
RewriteCond %{HTTPS} !=on |
364 |
# %1 below is the host captured here, i.e. it comes from the client-supplied
# Host header. If this vhost accepts arbitrary Host values, the Location
# target follows them; hard-code the canonical hostname if that matters.
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] |
365 |
RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L] |
366 |
</IfModule> |
367 |
|
368 |
# ---------------------------------------------------------------------- |
369 |
|
370 |
# Option 2: |
371 |
# Rewrite "example.com -> www.example.com". |
372 |
# Be aware that the following rule might not be a good idea if you use "real" |
373 |
# subdomains for certain parts of your website. |
374 |
|
375 |
# <IfModule mod_rewrite.c> |
376 |
# RewriteCond %{HTTPS} !=on |
377 |
# RewriteCond %{HTTP_HOST} !^www\..+$ [NC] |
378 |
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] |
379 |
# </IfModule> |
380 |
|
381 |
|
382 |
# ---------------------------------------------------------------------- |
383 |
# Built-in filename-based cache busting |
384 |
# ---------------------------------------------------------------------- |
385 |
|
386 |
# If you're not using the build script to manage your filename version revving, |
387 |
# you might want to consider enabling this, which will route requests for |
388 |
# /css/style.20110203.css to /css/style.css |
389 |
|
390 |
# To understand why this is important and a better idea than all.css?v1231, |
391 |
# read: github.com/h5bp/html5-boilerplate/wiki/cachebusting |
392 |
|
393 |
# <IfModule mod_rewrite.c> |
394 |
# RewriteCond %{REQUEST_FILENAME} !-f |
395 |
# RewriteCond %{REQUEST_FILENAME} !-d |
396 |
# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L] |
397 |
# </IfModule> |
398 |
|
399 |
|
400 |
# ---------------------------------------------------------------------- |
401 |
# Prevent SSL cert warnings |
402 |
# ---------------------------------------------------------------------- |
403 |
|
404 |
# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent |
405 |
# https://www.example.com when your cert only allows https://secure.example.com |
406 |
|
407 |
# <IfModule mod_rewrite.c> |
408 |
# RewriteCond %{SERVER_PORT} !^443 |
409 |
# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L] |
410 |
# </IfModule> |
411 |
|
412 |
|
413 |
# ---------------------------------------------------------------------- |
414 |
# Prevent 404 errors for non-existing redirected folders |
415 |
# ---------------------------------------------------------------------- |
416 |
|
417 |
# Without -MultiViews, Apache will give a 404 for a rewrite if a folder of the |
418 |
# same name does not exist. |
419 |
# webmasterworld.com/apache/3808792.htm |
420 |
|
421 |
# MultiViews (filename-based content negotiation) can also let a request for
# /name be answered by a /name.* variant on disk; disabling it keeps the
# URL-to-file mapping explicit.
Options -MultiViews |
422 |
|
423 |
|
424 |
# ---------------------------------------------------------------------- |
425 |
# Custom 404 page |
426 |
# ---------------------------------------------------------------------- |
427 |
|
428 |
# You can add custom pages to handle 500 or 403 pretty easily, if you like. |
429 |
# If you are hosting your site in a subdirectory, adjust this accordingly, |
430 |
# e.g. ErrorDocument 404 /subdir/404.html |
431 |
# A local path keeps the 404 an internal subrequest; a full URL here would
# turn it into an external redirect instead.
ErrorDocument 404 /404.html |
432 |
|
433 |
|
434 |
# ---------------------------------------------------------------------- |
435 |
# UTF-8 encoding |
436 |
# ---------------------------------------------------------------------- |
437 |
|
438 |
# Use UTF-8 encoding for anything served text/plain or text/html |
439 |
# Declaring the charset explicitly stops browsers guessing it from content;
# charset mis-detection has historically been used to bypass output
# escaping, so this is a small security win as well as a correctness one.
AddDefaultCharset utf-8 |
440 |
|
441 |
# Force UTF-8 for a number of file formats |
442 |
AddCharset utf-8 .atom .css .js .json .rss .vtt .xml |
443 |
|
444 |
|
445 |
# ---------------------------------------------------------------------- |
446 |
# A little more security |
447 |
# ---------------------------------------------------------------------- |
448 |
|
449 |
# To avoid displaying the exact version number of Apache being used, add the |
450 |
# following to httpd.conf (it will not work in .htaccess): |
451 |
# ServerTokens Prod |
452 |
|
453 |
# "-Indexes" will have Apache block users from browsing folders without a |
454 |
# default document. Usually you should leave this activated, because you |
455 |
# shouldn't allow everybody to surf through every folder on your server (which |
456 |
# includes rather private places like CMS system folders). |
457 |
<IfModule mod_autoindex.c> |
458 |
# With indexes off, a directory without a DirectoryIndex document yields a
# 403 instead of a generated file listing.
Options -Indexes |
459 |
</IfModule> |
460 |
|
461 |
# Block access to "hidden" directories or files whose names begin with a |
462 |
# period. This includes directories used by version control systems such as |
463 |
# Subversion or Git. |
464 |
<IfModule mod_rewrite.c> |
465 |
# The two conditions make the rule fire only when the dot-directory or
# dotfile actually exists on disk; paths that do not exist fall through to
# the normal 404 handling.
RewriteCond %{SCRIPT_FILENAME} -d [OR] |
466 |
RewriteCond %{SCRIPT_FILENAME} -f |
467 |
# "-" with [F] leaves the URL unchanged and returns 403.
# NOTE(review): "(^|/)\." also matches /.well-known/..., which ACME clients
# and security.txt rely on; add an exception ahead of this rule if you use
# them.
RewriteRule "(^|/)\." - [F] |
468 |
</IfModule> |
469 |
|
470 |
# Block access to backup and source files. These files may be left by some |
471 |
# text/html editors and pose a serious security risk if anyone can access |
472 |
# them. |
473 |
# The pattern is a denylist anchored at the end of the filename: only the
# listed suffixes and editor "~" backups are refused. Extend it for the
# backup/temp naming of the tools you actually use.
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$"> |
474 |
# Order/Deny/Satisfy are the Apache 2.2 access-control directives (this
# file targets 2.2, see the header). On 2.4 they only work when
# mod_access_compat is loaded; the native 2.4 form is "Require all denied".
Order allow,deny |
475 |
Deny from all |
476 |
# "Satisfy All" means host-based denial cannot be overridden by
# authentication.
Satisfy All |
477 |
</FilesMatch> |
478 |
|
479 |
# If your server is not already configured as such, the following directive |
480 |
# should be uncommented in order to set PHP's register_globals option to OFF. |
481 |
# This closes a major security hole that is abused by most XSS (cross-site |
482 |
# scripting) attacks. For more information: http://php.net/register_globals |
483 |
# |
484 |
# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS: |
485 |
# |
486 |
# Your server does not allow PHP directives to be set via .htaccess. In that |
487 |
# case you must make this change in your php.ini file instead. If you are |
488 |
# using a commercial web host, contact the administrators for assistance in |
489 |
# doing this. Not all servers allow local php.ini files, and they should |
490 |
# include all PHP configurations (not just this one), or you will effectively |
491 |
# reset everything to PHP defaults. Consult www.php.net for more detailed |
492 |
# information about setting PHP directives. |
493 |
|
494 |
# php_flag register_globals Off |
495 |
|
496 |
# Rename the session cookie to something other than PHPSESSID |
497 |
# php_value session.name sid |
498 |
|
499 |
# Disable magic quotes (This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.) |
500 |
# php_flag magic_quotes_gpc Off |
501 |
|
502 |
# Do not reveal that you are using PHP |
503 |
# Note: Move this line to php.ini since it won't work in .htaccess |
504 |
# php_flag expose_php Off |
505 |
|
506 |
# Level of log detail - log all errors |
507 |
# php_value error_reporting -1 |
508 |
|
509 |
# Write errors to log file |
510 |
# php_flag log_errors On |
511 |
|
512 |
# Do not display errors in browser (production - Off, development - On) |
513 |
# php_flag display_errors Off |
514 |
|
515 |
# Do not display startup errors (production - Off, development - On) |
516 |
# php_flag display_startup_errors Off |
517 |
|
518 |
# Format errors in plain text |
519 |
# Note: Leave this setting 'On' for xdebug's var_dump() output |
520 |
# php_flag html_errors Off |
521 |
|
522 |
# Show repeated occurrences of the same error |
523 |
# php_flag ignore_repeated_errors Off |
524 |
|
525 |
# Show the same error when it comes from different sources |
526 |
# php_flag ignore_repeated_source Off |
527 |
|
528 |
# Size limit for error messages |
529 |
# php_value log_errors_max_len 1024 |
530 |
|
531 |
# Don't prepend a string to errors (an empty string is not accepted; use whitespace if needed) |
532 |
# php_value error_prepend_string " " |
533 |
|
534 |
# Don't append a string to errors (an empty string is not accepted; use whitespace if needed) |
535 |
# php_value error_append_string " " |
536 |
|
537 |
# Increase cookie security |
538 |
# NOTE(review): the guard only matches php5_module; hosts exposing a
# different PHP module name (e.g. php7_module) skip this block silently —
# confirm the module name on your server.
<IfModule php5_module> |
539 |
# HttpOnly keeps the PHP session cookie out of document.cookie, limiting
# what a script-injection bug can read. If the site is served over HTTPS,
# session.cookie_secure is the companion setting to consider. (Boolean ini
# settings are usually set with php_flag; php_value with "true" is accepted
# but less conventional.)
php_value session.cookie_httponly true |
540 |
</IfModule> |