From 5b0a480270d432ee659276fc1476536fbac006f6 Mon Sep 17 00:00:00 2001 From: XhmikosR Date: Mon, 10 Feb 2014 11:38:26 +0200 Subject: [PATCH] Update html5 boilerplate to the latest git. --- htdocs/.htaccess | 232 +++++++++++++++++++++++++---------------------- htdocs/404.html | 92 +++++++++---------- 2 files changed, 170 insertions(+), 154 deletions(-) diff --git a/htdocs/.htaccess b/htdocs/.htaccess index a6e88b8a4..ef40de1c7 100644 --- a/htdocs/.htaccess +++ b/htdocs/.htaccess @@ -1,4 +1,4 @@ -# Apache Server Configs v2.0.0 | MIT License +# Apache Server Configs v2.2.0 | MIT License # https://github.com/h5bp/server-configs-apache # (!) Using `.htaccess` files slows down Apache, therefore, if you have access @@ -13,7 +13,7 @@ # | Cross-domain AJAX requests | # ------------------------------------------------------------------------------ -# Enable cross-origin AJAX requests. +# Allow cross-origin AJAX requests. # http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity # http://enable-cors.org/ @@ -26,7 +26,7 @@ # ------------------------------------------------------------------------------ # Send the CORS header for images when browsers request it. -# https://developer.mozilla.org/en/CORS_Enabled_Image +# https://developer.mozilla.org/en-US/docs/HTML/CORS_Enabled_Image # http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html # http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/ @@ -43,10 +43,10 @@ # | Web fonts access | # ------------------------------------------------------------------------------ -# Allow access from all domains for web fonts +# Allow access to web fonts from all domains. - + Header set Access-Control-Allow-Origin "*" 
@@ -60,8 +60,8 @@ # | 404 error prevention for non-existing redirected folders | # ------------------------------------------------------------------------------ -# Prevent Apache from returning a 404 error for a rewrite if a directory -# with the same name does not exist. +# Prevent Apache from returning a 404 error as the result of a rewrite +# when the directory with the same name does not exist. # http://httpd.apache.org/docs/current/content-negotiation.html#multiviews # http://www.webmasterworld.com/apache/3808792.htm @@ -71,8 +71,8 @@ Options -MultiViews # | Custom error messages / pages | # ------------------------------------------------------------------------------ -# You can customize what Apache returns to the client in case of an error (see -# http://httpd.apache.org/docs/current/mod/core.html#errordocument), e.g.: +# Customize what Apache returns to the client in case of an error. +# http://httpd.apache.org/docs/current/mod/core.html#errordocument ErrorDocument 404 /404.html @@ -85,14 +85,15 @@ ErrorDocument 404 /404.html # | Better website experience | # ------------------------------------------------------------------------------ -# Force IE to render pages in the highest available mode in the various -# cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf. +# Force Internet Explorer to render pages in the highest available mode +# in the various cases when it may not. +# http://hsivonen.iki.fi/doctype/ie-mode.pdf Header set X-UA-Compatible "IE=edge" - # `mod_headers` can't match based on the content-type, however, we only - # want to send this header for HTML pages and not for the other resources - + # `mod_headers` cannot match based on the content-type, however, this + # header should be send only for HTML pages and not for the other resources + Header unset X-UA-Compatible 
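Review bot: The reworded comment in the `@@ -85,14 +85,15 @@` hunk has a grammar slip, "this header should be send only for HTML pages"; it should read `# header should be sent only for HTML pages and not for the other resources`. The changed match line directly under that comment is not visible in this rendering, so the list of extensions that get `Header unset X-UA-Compatible` is not reviewed here.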
@@ -101,7 +102,7 @@ ErrorDocument 404 /404.html # | Cookie setting from iframes | # ------------------------------------------------------------------------------ -# Allow cookies to be set from iframes in IE. +# Allow cookies to be set from iframes in Internet Explorer. # http://msdn.microsoft.com/en-us/library/ms537343.aspx # http://www.w3.org/TR/2000/CR-P3P-20001215/ @@ -122,13 +123,16 @@ ErrorDocument 404 /404.html # Audio AddType audio/mp4 m4a f4a f4b - AddType audio/ogg oga ogg + AddType audio/ogg oga ogg opus + + # Data interchange + AddType application/json json map + AddType application/ld+json jsonld # JavaScript - # Normalize to standard type (it's sniffed in IE anyways): + # Normalize to standard type. # http://tools.ietf.org/html/rfc4329#section-7.2 AddType application/javascript js - AddType application/json json # Video AddType video/mp4 f4v f4p m4v mp4 @@ -140,13 +144,17 @@ ErrorDocument 404 /404.html AddType application/font-woff woff AddType application/vnd.ms-fontobject eot - # Browsers usually ignore the font MIME types and sniff the content, - # however, Chrome shows a warning if other MIME types are used for the - # following fonts. + # Browsers usually ignore the font MIME types and simply sniff the bytes + # to figure out the font type. + # http://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern + + # Chrome however, shows a warning if any other MIME types are used for + # the following fonts. + AddType application/x-font-ttf ttc ttf AddType font/opentype otf - # Make SVGZ fonts work on iPad: + # Make SVGZ fonts work on the iPad. # https://twitter.com/FontSquirrel/status/14855840545 AddType image/svg+xml svgz AddEncoding gzip svgz @@ -176,7 +184,7 @@ AddDefaultCharset utf-8 # Force UTF-8 for certain file formats. - AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml + AddCharset utf-8 .atom .css .js .json .jsonld .rss .vtt .webapp .xml 
@@ -188,14 +196,15 @@ AddDefaultCharset utf-8 # | Rewrite engine | # ------------------------------------------------------------------------------ -# Turning on the rewrite engine and enabling the `FollowSymLinks` option is -# necessary for the following directives to work. +# Turn on the rewrite engine and enable the `FollowSymLinks` option (this is +# necessary in order for the following directives to work). # If your web host doesn't allow the `FollowSymlinks` option, you may need to -# comment it out and use `Options +SymLinksIfOwnerMatch` but, be aware of the -# performance impact: http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks +# comment it out and use `Options +SymLinksIfOwnerMatch`, but be aware of the +# performance impact. +# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks -# Also, some cloud hosting services require `RewriteBase` to be set: +# Also, some cloud hosting services require `RewriteBase` to be set. # http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-mod-rewrite-not-working-on-my-site 
@@ -217,19 +226,19 @@ AddDefaultCharset utf-8 # ------------------------------------------------------------------------------ -# | Suppressing / Forcing the "www." at the beginning of URLs | +# | Suppressing / Forcing the `www.` at the beginning of URLs | # ------------------------------------------------------------------------------ -# The same content should never be available under two different URLs especially -# not with and without "www." at the beginning. This can cause SEO problems -# (duplicate content), therefore, you should choose one of the alternatives and -# redirect the other one. +# The same content should never be available under two different URLs, +# especially not with and without `www.` at the beginning. This can cause +# SEO problems (duplicate content), and therefore, you should choose one +# of the alternatives and redirect the other one. -# By default option 1 (no "www.") is activated: +# By default `Option 1` (no `www.`) is activated. # http://no-www.org/faq.php?q=class_b -# If you'd prefer to use option 2, just comment out all the lines from option 1 -# and uncomment the ones from option 2. +# If you would prefer to use `Option 2`, just comment out all the lines +# from `Option 1` and uncomment the ones from `Option 2`. # IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME! @@ -252,9 +261,9 @@ AddDefaultCharset utf-8 # # RewriteCond %{HTTPS} !=on -# RewriteCond %{HTTP_HOST} !^www\..+$ [NC] -# RewriteCond %{HTTP_HOST} !=localhost [NC] -# RewriteCond %{HTTP_HOST} !=127.0.0.1 +# RewriteCond %{HTTP_HOST} !^www\. [NC] +# RewriteCond %{SERVER_ADDR} !=127.0.0.1 +# RewriteCond %{SERVER_ADDR} !=::1 # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # 
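Review bot: The Option 2 rule in the `@@ -252,9 +261,9 @@` hunk still builds the redirect target from the client-supplied `Host` header (`RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]`). With the host-name exemptions replaced by `%{SERVER_ADDR}` checks, any Host value that reaches this virtual host is reflected into the `Location` of a permanent redirect. On a default or catch-all vhost that response can be cached or can point visitors at a name the site does not own. I would add a comment above the block such as `# NOTE: %{HTTP_HOST} comes from the request; on a catch-all vhost use a fixed host name in the RewriteRule target instead`. The rules are commented out, and the opening and closing lines of the enclosing block are not visible in this hunk.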
@@ -267,14 +276,14 @@ AddDefaultCharset utf-8 # | Clickjacking | # ------------------------------------------------------------------------------ -# Protect web site against clickjacking. +# Protect website against clickjacking. # The example below sends the `X-Frame-Options` response header with the value # `DENY`, informing browsers not to display the web page content in any frame. # This might not be the best setting for everyone. You should read about the -# other two possible values for `X-Frame-Options`: `SAMEORIGIN` and `ALLOW-FROM` -# http://tools.ietf.org/html/rfc7034#section-2.1. +# other two possible values for `X-Frame-Options`: `SAMEORIGIN` & `ALLOW-FROM`. +# http://tools.ietf.org/html/rfc7034#section-2.1 # Keep in mind that while you could send the `X-Frame-Options` header for all # of your site’s pages, this has the potential downside that it forbids even @@ -286,7 +295,7 @@ AddDefaultCharset utf-8 # that contain one-click purchase links, checkout or bank-transfer confirmation # pages, pages that make permanent configuration changes, etc.). -# Sending the `X-Frame-Options` header can also protect your web site against +# Sending the `X-Frame-Options` header can also protect your website against # more than just clickjacking attacks: https://cure53.de/xfo-clickjacking.pdf. # http://tools.ietf.org/html/rfc7034 @@ -294,9 +303,9 @@ AddDefaultCharset utf-8 # https://www.owasp.org/index.php/Clickjacking # -# Header set X-Frame-Options "SAMEORIGIN" -# -# Header unset X-Frame-Options +# Header set X-Frame-Options "DENY" +# +# Header unset X-Frame-Options # # 
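Review bot: The comment touched in the `@@ -267,14 +276,14 @@` hunk presents `ALLOW-FROM` as an equal alternative to `DENY` and `SAMEORIGIN`, but not every browser implements it. A site that switches the example in the `@@ -294,9 +303,9 @@` hunk to `ALLOW-FROM` can end up with no framing protection for some users. I would add one line after the RFC link: `# NOTE: ALLOW-FROM is not honoured by all browsers; verify in the browsers you support before relying on it.` Changing the example value to `"DENY"` does match the surrounding text, which already describes `DENY`.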
@@ -304,9 +313,10 @@ AddDefaultCharset utf-8 # | Content Security Policy (CSP) | # ------------------------------------------------------------------------------ -# You can mitigate the risk of cross-site scripting and other content-injection -# attacks by setting a Content Security Policy which whitelists trusted sources -# of content for your site. +# Mitigate the risk of cross-site scripting and other content-injection attacks. + +# This can be done by setting a `Content Security Policy` which whitelists +# trusted sources of content for your website. # The example header below allows ONLY scripts that are loaded from the current # site's origin (no inline scripts, no CDN, etc). This almost certainly won't @@ -318,10 +328,10 @@ AddDefaultCharset utf-8 # use an online CSP header generator such as: http://cspisawesome.com/. # -# Header set Content-Security-Policy "script-src 'self'; object-src 'self'" -# -# Header unset Content-Security-Policy -# +# Header set Content-Security-Policy "script-src 'self'; object-src 'self'" +# +# Header unset Content-Security-Policy +# # # ------------------------------------------------------------------------------ @@ -329,9 +339,9 @@ AddDefaultCharset utf-8 # ------------------------------------------------------------------------------ # Block access to directories without a default document. -# Usually you should leave this uncommented because you shouldn't allow anyone -# to surf through every directory on your server (which may includes rather -# private places like the CMS's directories). +# You should leave the following uncommented, as you shouldn't allow anyone to +# surf through every directory on your server (which may includes rather private +# places such as the CMS's directories). Options -Indexes 
@@ -350,11 +360,19 @@ AddDefaultCharset utf-8 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Block access to backup and source files. -# These files may be left by some text editors and can pose a great security -# danger when anyone has access to them. +# Block access to files that can expose sensitive information. - +# By default, block access to backup and source files that may be left by some +# text editors and can pose a security risk when anyone has access to them. +# http://feross.org/cmsploit/ + +# IMPORTANT: Update the `` regular expression from below to include +# any files that might end up on your production server and can expose sensitive +# information about your website. These files may include: configuration files, +# files that contain metadata about the project (e.g.: project dependencies), +# build scripts, etc.. + + # Apache < 2.3 @@ -396,8 +414,9 @@ AddDefaultCharset utf-8 # most recent web browsers. # # The filter is usually enabled by default, but in some cases it may be -# disabled by the user. However, in IE for example, it can be re-enabled -# just by sending the `X-XSS-Protection` header with the value of `1`. +# disabled by the user. However, in Internet Explorer for example, it can +# be re-enabled just by sending the `X-XSS-Protection` header with the +# value of `1`. # # (2) Prevent web browsers from rendering the web page if a potential reflected # (a.k.a non-persistent) XSS attack is detected by the filter. 
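Review bot: The new IMPORTANT paragraph in the `@@ -350,11 +360,19 @@` hunk tells maintainers to extend the blocking pattern for configuration files, dependency manifests and build scripts, but it does not say that the rule is only a backstop. Keeping such files out of the document root is the stronger control, since a file the pattern does not name is still served. I would add `# Where possible keep these files outside the document root; this rule is only a safety net.` and fix the trailing `etc..` to `etc.`. The pattern line itself is not visible in this rendering, so its contents are not reviewed.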
@@ -406,25 +425,25 @@ AddDefaultCharset utf-8 # XSS attack, they will attempt to block the attack by making the smallest # possible modifications to the returned web page. # -# Unfortunately, in some browsers (e.g.: IE), this default behavior may -# allow the XSS filter to be exploited, thereby, it's better to tell -# browsers to prevent the rendering of the page altogether, instead of -# attempting to modify it. +# Unfortunately, in some browsers (e.g.: Internet Explorer), this default +# behavior may allow the XSS filter to be exploited, thereby, it's better +# to tell browsers to prevent the rendering of the page altogether, instead +# of attempting to modify it. # # http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities # # IMPORTANT: Do not rely on the XSS filter to prevent XSS attacks! Ensure that # you are taking all possible measures to prevent XSS attacks, the most obvious # being: validating and sanitizing your site's inputs. - +# # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 # -# # (1) (2) +# # (1) (2) # Header set X-XSS-Protection "1; mode=block" -# +# # Header unset X-XSS-Protection # # @@ -433,8 +452,8 @@ AddDefaultCharset utf-8 # | Secure Sockets Layer (SSL) | # ------------------------------------------------------------------------------ -# Rewrite secure requests properly to prevent SSL certificate warnings, e.g.: -# prevent `https://www.example.com` when your certificate only allows +# Rewrite secure requests properly in order to prevent SSL certificate warnings. +# E.g.: prevent `https://www.example.com` when your certificate only allows # `https://secure.example.com`. # 
@@ -448,16 +467,19 @@ AddDefaultCharset utf-8 # Force client-side SSL redirection. -# If a user types "example.com" in his browser, the above rule will redirect -# him to the secure version of the site. That still leaves a window of oppor- -# tunity (the initial HTTP connection) for an attacker to downgrade or redirect -# the request. The following header ensures that browser will ONLY connect to -# your server via HTTPS, regardless of what the users type in the address bar. +# If a user types `example.com` in his browser, the above rule will redirect +# him to the secure version of the site. That still leaves a window of +# opportunity (the initial HTTP connection) for an attacker to downgrade or +# redirect the request. + +# The following header ensures that browser will ONLY connect to your server +# via HTTPS, regardless of what the users type in the address bar. + # http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1 # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/ -# (!) Remove the `includeSubDomains` optional directive if the subdomains are -# not using HTTPS. +# IMPORTANT: Remove the `includeSubDomains` optional directive if the subdomains +# are not using HTTPS. # # Header set Strict-Transport-Security "max-age=16070400; includeSubDomains" @@ -502,6 +524,7 @@ AddDefaultCharset utf-8 AddOutputFilterByType DEFLATE application/atom+xml \ application/javascript \ application/json \ + application/ld+json \ application/rss+xml \ application/vnd.ms-fontobject \ application/x-font-ttf \ 
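Review bot: The rewritten HSTS comment in the `@@ -448,16 +467,19 @@` hunk still cites the Internet-Draft `draft-ietf-websec-strict-transport-sec-14`, although the mechanism has since been published as RFC 6797; the reference would be better as `# http://tools.ietf.org/html/rfc6797#section-6.1`. The text also does not mention that browsers ignore `Strict-Transport-Security` on plain-HTTP responses, so the header only takes effect when sent from the HTTPS site. Suggested addition: `# The header is ignored when received over HTTP, so make sure it is sent on HTTPS responses.` The `Header set` line is unchanged context, and the enclosing block boundaries are not visible in this hunk.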
@@ -524,21 +547,21 @@ AddDefaultCharset utf-8 # | Content transformations | # ------------------------------------------------------------------------------ -# Prevent some of the mobile network providers from modifying the content of -# your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5. +# Prevent mobile network providers from modifying the website's content. +# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5. # # Header set Cache-Control "no-transform" # # ------------------------------------------------------------------------------ -# | ETag removal | +# | ETags | # ------------------------------------------------------------------------------ -# Since we're sending far-future expires headers (see below), ETags can -# be removed: http://developer.yahoo.com/performance/rules.html#etags. +# Remove `ETags` as resources are sent with far-future expires headers. +# http://developer.yahoo.com/performance/rules.html#etags. -# `FileETag None` is not enough for every server. +# `FileETag None` doesn't work in all cases. Header unset ETag @@ -546,12 +569,13 @@ AddDefaultCharset utf-8 FileETag None # ------------------------------------------------------------------------------ -# | Expires headers (for better cache control) | +# | Expires headers | # ------------------------------------------------------------------------------ -# The following expires headers are set pretty far in the future. If you don't -# control versioning with filename-based cache busting, consider lowering the -# cache time for resources like CSS and JS to something like 1 week. +# The following expires headers are set pretty far in the future. If you +# don't control versioning with filename-based cache busting, consider +# lowering the cache time for resources such as style sheets and JavaScript +# files to something like one week. 
@@ -563,6 +587,7 @@ FileETag None # Data interchange ExpiresByType application/json "access plus 0 seconds" + ExpiresByType application/ld+json "access plus 0 seconds" ExpiresByType application/xml "access plus 0 seconds" ExpiresByType text/xml "access plus 0 seconds" @@ -617,18 +642,23 @@ FileETag None # # RewriteCond %{REQUEST_FILENAME} !-f -# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L] +# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpe?g|gif)$ $1.$3 [L] # # ------------------------------------------------------------------------------ # | File concatenation | # ------------------------------------------------------------------------------ -# Allow concatenation from within specific CSS and JS files, e.g.: -# Inside of `script.combined.js` you could have -# -# -# and they would be included into this single file. +# Allow concatenation from within specific style sheets and JavaScript files. + +# e.g.: +# +# If you have the following content in a file +# +# +# +# +# Apache will replace it with the content from the specified files. # # @@ -642,17 +672,3 @@ FileETag None # SetOutputFilter INCLUDES # # - -# ------------------------------------------------------------------------------ -# | Persistent connections | -# ------------------------------------------------------------------------------ - -# Allow multiple requests to be sent over the same TCP connection: -# http://httpd.apache.org/docs/current/en/mod/core.html#keepalive. - -# Enable if you serve a lot of static content but, be aware of the -# possible disadvantages! - -# -# Header set Connection Keep-Alive -# diff --git a/htdocs/404.html b/htdocs/404.html index 59e14207f..eec1d15a8 100644 --- a/htdocs/404.html +++ b/htdocs/404.html @@ -1,59 +1,59 @@ - - - Cppcheck - Page Not Found - - - - -

Page Not Found

-

Sorry, but the page you were trying to view does not exist.

- + + + +

Page Not Found

+

Sorry, but the page you were trying to view does not exist.

+ - +