diff --git a/htdocs/.htaccess b/htdocs/.htaccess
index c81d1e5b4..53e5b3584 100644
--- a/htdocs/.htaccess
+++ b/htdocs/.htaccess
@@ -1,4 +1,5 @@
 # Apache Configuration File
+# https://github.com/h5bp/server-configs-apache
 # (!) Using `.htaccess` files slows down Apache, therefore, if you have access
 # to the main server config file (usually called `httpd.conf`), you should add
@@ -31,7 +32,7 @@
-
+
 SetEnvIf Origin ":" IS_CORS
 Header set Access-Control-Allow-Origin "*" env=IS_CORS
@@ -91,7 +92,7 @@ ErrorDocument 404 /404.html
 Header set X-UA-Compatible "IE=edge"
 # `mod_headers` can't match based on the content-type, however, we only
 # want to send this header for HTML pages and not for the other resources
-
+
 Header unset X-UA-Compatible
@@ -136,7 +137,7 @@ ErrorDocument 404 /404.html
 # JavaScript
 # Normalize to standard type (it's sniffed in IE anyways):
 # http://tools.ietf.org/html/rfc4329#section-7.2
- AddType application/javascript js jsonp
+ AddType application/javascript js
 AddType application/json json
 # Video
@@ -263,6 +264,8 @@ AddDefaultCharset utf-8
 #
 # RewriteCond %{HTTPS} !=on
 # RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
+# RewriteCond %{HTTP_HOST} !=localhost [NC]
+# RewriteCond %{HTTP_HOST} !=127.0.0.1
 # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 #
@@ -289,7 +292,7 @@ AddDefaultCharset utf-8
 #
 # Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
-#
+#
 # Header unset Content-Security-Policy
 #
 #
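Review bot: Dropping `jsonp` from the `AddType application/javascript` line in the @@ -136 hunk leaves files with that extension without an explicit Content-Type from this rule; whether they then fall back to the server default or to another AddType outside the hunk is not visible here, and a sniffing client will pick its own type. If the intent is that `.jsonp` files are no longer served as script, a one-line comment stating why, placed next to the remaining `js` line, would stop the extension being re-added later. The enclosing block (presumably an IfModule) begins and ends outside the hunk.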
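Review bot: The two exclusions added in the @@ -263 hunk compare `%{HTTP_HOST}` as an exact string, so a development host carrying a port (`localhost:8080`) or the IPv6 loopback (`[::1]`) still satisfies the conditions and is redirected to `http://www.localhost:8080/...`, which is the breakage the lines were meant to avoid. One anchored regex covers those forms and replaces both lines: `# RewriteCond %{HTTP_HOST} !^(localhost|127\.0\.0\.1|\[::1\])(:\d+)?$ [NC]`. Separately, and pre-existing, the rule still copies the unvalidated Host header into the Location target, so it is only safe where the vhost's ServerName/ServerAlias already limit which hosts reach this rule; a short comment saying so would help whoever uncomments it. The enclosing IfModule block starts and ends outside the hunk.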
@@ -343,19 +346,25 @@ AddDefaultCharset utf-8
 # RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
 #
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# ------------------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS) |
+# ------------------------------------------------------------------------------
 # Force client-side SSL redirection.
-# If a user types "example.com" in his browser, the above rule will redirect him
-# to the secure version of the site. That still leaves a window of opportunity
-# (the initial HTTP connection) for an attacker to downgrade or redirect the
-# request. The following header ensures that browser will ONLY connect to your
-# server via HTTPS, regardless of what the users type in the address bar.
+# If a user types "example.com" in his browser, the above rule will redirect
+# him to the secure version of the site. That still leaves a window of oppor-
+# tunity (the initial HTTP connection) for an attacker to downgrade or redirect
+# the request. The following header ensures that browser will ONLY connect to
+# your server via HTTPS, regardless of what the users type in the address bar.
+# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
 # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
+# (!) Remove the `includeSubDomains` optional directive if the subdomains are
+# not using HTTPS.
+
 #
-# Header set Strict-Transport-Security max-age=16070400;
+# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
 #
 # ------------------------------------------------------------------------------
@@ -512,7 +521,6 @@ FileETag None
 #
 # RewriteCond %{REQUEST_FILENAME} !-f
-# RewriteCond %{REQUEST_FILENAME} !-d
 # RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
 #
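Review bot: The rewritten HSTS example in the @@ -343 hunk still sets the header unconditionally, so a `.htaccess` that also answers plain-HTTP requests (which the redirect rule just above this hunk implies) would emit Strict-Transport-Security over HTTP, where user agents are required to ignore it; tying it to the TLS request, `# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains" env=HTTPS`, keeps the example correct for that mixed setup (assuming mod_ssl's HTTPS variable is available, which is the norm). The new `includeSubDomains` caveat is good but would be more useful with the reason: a policy that turns out to be wrong stays cached in every visiting browser for the full max-age, 186 days here, so trying a short max-age first is the safe path. The added Internet-Draft link will go stale; the published RFC (RFC 6797) is the stable reference for the same section.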