diff --git a/htdocs/.htaccess b/htdocs/.htaccess index e598ce3a0..a6e88b8a4 100644 --- a/htdocs/.htaccess +++ b/htdocs/.htaccess @@ -1,4 +1,4 @@ -# Apache Server Configs v1.1.0 | MIT License +# Apache Server Configs v2.0.0 | MIT License # https://github.com/h5bp/server-configs-apache # (!) Using `.htaccess` files slows down Apache, therefore, if you have access @@ -32,7 +32,7 @@ - + SetEnvIf Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS @@ -46,7 +46,7 @@ # Allow access from all domains for web fonts - + Header set Access-Control-Allow-Origin "*" @@ -92,7 +92,7 @@ ErrorDocument 404 /404.html Header set X-UA-Compatible "IE=edge" # `mod_headers` can't match based on the content-type, however, we only # want to send this header for HTML pages and not for the other resources - + Header unset X-UA-Compatible @@ -102,23 +102,13 @@ ErrorDocument 404 /404.html # ------------------------------------------------------------------------------ # Allow cookies to be set from iframes in IE. +# http://msdn.microsoft.com/en-us/library/ms537343.aspx +# http://www.w3.org/TR/2000/CR-P3P-20001215/ # # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"" # -# ------------------------------------------------------------------------------ -# | Screen flicker | -# ------------------------------------------------------------------------------ - -# Stop screen flicker in IE on CSS rollovers (this only works in -# combination with the `ExpiresByType` directives for images from below). - -# BrowserMatch "MSIE" brokenvary=1 -# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1 -# BrowserMatch "Opera" !brokenvary -# SetEnvIf brokenvary 1 force-no-vary - # ############################################################################## # # MIME TYPES AND ENCODING # @@ -141,7 +131,7 @@ ErrorDocument 404 /404.html AddType application/json json # Video - AddType video/mp4 mp4 m4v f4v f4p + AddType video/mp4 f4v f4p m4v mp4 AddType video/ogg ogv AddType video/webm webm AddType video/x-flv flv @@ -158,19 +148,18 @@ ErrorDocument 404 /404.html # Make SVGZ fonts work on iPad: # https://twitter.com/FontSquirrel/status/14855840545 - AddType image/svg+xml svg svgz + AddType image/svg+xml svgz AddEncoding gzip svgz # Other AddType application/octet-stream safariextz AddType application/x-chrome-extension crx AddType application/x-opera-extension oex - AddType application/x-shockwave-flash swf AddType application/x-web-app-manifest+json webapp AddType application/x-xpinstall xpi AddType application/xml atom rdf rss xml AddType image/webp webp - AddType image/x-icon ico + AddType image/x-icon cur AddType text/cache-manifest appcache manifest AddType text/vtt vtt AddType text/x-component htc @@ -274,6 +263,43 @@ AddDefaultCharset utf-8 # # SECURITY # # ############################################################################## +# ------------------------------------------------------------------------------ +# | Clickjacking | +# ------------------------------------------------------------------------------ + +# Protect web site against clickjacking. + +# The example below sends the `X-Frame-Options` response header with the value +# `DENY`, informing browsers not to display the web page content in any frame. + +# This might not be the best setting for everyone. You should read about the +# other two possible values for `X-Frame-Options`: `SAMEORIGIN` and `ALLOW-FROM` +# http://tools.ietf.org/html/rfc7034#section-2.1. + +# Keep in mind that while you could send the `X-Frame-Options` header for all +# of your site’s pages, this has the potential downside that it forbids even +# non-malicious framing of your content (e.g.: when users visit your site using +# a Google Image Search results page). + +# Nonetheless, you should ensure that you send the `X-Frame-Options` header for +# all pages that allow a user to make a state changing operation (e.g: pages +# that contain one-click purchase links, checkout or bank-transfer confirmation +# pages, pages that make permanent configuration changes, etc.). + +# Sending the `X-Frame-Options` header can also protect your web site against +# more than just clickjacking attacks: https://cure53.de/xfo-clickjacking.pdf. + +# http://tools.ietf.org/html/rfc7034 +# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx +# https://www.owasp.org/index.php/Clickjacking + +# +# Header set X-Frame-Options "SAMEORIGIN" +# +# Header unset X-Frame-Options +# +# + # ------------------------------------------------------------------------------ # | Content Security Policy (CSP) | # ------------------------------------------------------------------------------ @@ -286,13 +312,14 @@ AddDefaultCharset utf-8 # site's origin (no inline scripts, no CDN, etc). This almost certainly won't # work as-is for your site! -# To get all the details you'll need to craft a reasonable policy for your site, -# read: http://html5rocks.com/en/tutorials/security/content-security-policy (or -# see the specification: http://w3.org/TR/CSP). +# For more details on how to craft a reasonable policy for your site, read: +# http://html5rocks.com/en/tutorials/security/content-security-policy (or the +# specification: http://w3.org/TR/CSP). Also, to make things easier, you can +# use an online CSP header generator such as: http://cspisawesome.com/. # # Header set Content-Security-Policy "script-src 'self'; object-src 'self'" -# +# # Header unset Content-Security-Policy # # @@ -328,11 +355,80 @@ AddDefaultCharset utf-8 # danger when anyone has access to them. - Order allow,deny - Deny from all - Satisfy All + + # Apache < 2.3 + + Order allow,deny + Deny from all + Satisfy All + + + # Apache ≥ 2.3 + + Require all denied + + +# ------------------------------------------------------------------------------ +# | Reducing MIME-type security risks | +# ------------------------------------------------------------------------------ + +# Prevent some browsers from MIME-sniffing the response. + +# This reduces exposure to drive-by download attacks and should be enable +# especially if the web server is serving user uploaded content, content +# that could potentially be treated by the browser as executable. + +# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx +# http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx +# http://mimesniff.spec.whatwg.org/ + +# +# Header set X-Content-Type-Options "nosniff" +# + +# ------------------------------------------------------------------------------ +# | Reflected Cross-Site Scripting (XSS) attacks | +# ------------------------------------------------------------------------------ + +# (1) Try to re-enable the Cross-Site Scripting (XSS) filter built into the +# most recent web browsers. +# +# The filter is usually enabled by default, but in some cases it may be +# disabled by the user. However, in IE for example, it can be re-enabled +# just by sending the `X-XSS-Protection` header with the value of `1`. +# +# (2) Prevent web browsers from rendering the web page if a potential reflected +# (a.k.a non-persistent) XSS attack is detected by the filter. +# +# By default, if the filter is enabled and browsers detect a reflected +# XSS attack, they will attempt to block the attack by making the smallest +# possible modifications to the returned web page. +# +# Unfortunately, in some browsers (e.g.: IE), this default behavior may +# allow the XSS filter to be exploited, thereby, it's better to tell +# browsers to prevent the rendering of the page altogether, instead of +# attempting to modify it. +# +# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities +# +# IMPORTANT: Do not rely on the XSS filter to prevent XSS attacks! Ensure that +# you are taking all possible measures to prevent XSS attacks, the most obvious +# being: validating and sanitizing your site's inputs. + +# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx +# http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx +# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 + +# +# # (1) (2) +# Header set X-XSS-Protection "1; mode=block" +# +# Header unset X-XSS-Protection +# +# + # ------------------------------------------------------------------------------ # | Secure Sockets Layer (SSL) | # ------------------------------------------------------------------------------ @@ -470,7 +566,7 @@ FileETag None ExpiresByType application/xml "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" - # Favicon (cannot be renamed!) + # Favicon (cannot be renamed!) and cursor images ExpiresByType image/x-icon "access plus 1 week" # HTML components (HTCs)