Diffstat (limited to 'webapp/vendor/html5-boilerplate-4.3.0/.htaccess')
-rwxr-xr-xwebapp/vendor/html5-boilerplate-4.3.0/.htaccess551
1 files changed, 551 insertions, 0 deletions
diff --git a/webapp/vendor/html5-boilerplate-4.3.0/.htaccess b/webapp/vendor/html5-boilerplate-4.3.0/.htaccess
new file mode 100755
index 0000000..6861ada
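--- /dev/null
+++ b/webapp/vendor/html5-boilerplate-4.3.0/.htaccess
@@ -0,0 +1,551 @@
+# Apache Server Configs v1.1.0 | MIT License
+# https://github.com/h5bp/server-configs-apache
+
+# (!) Using `.htaccess` files slows down Apache, therefore, if you have access
+# to the main server config file (usually called `httpd.conf`), you should add
+# this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
+
+# ##############################################################################
+# # CROSS-ORIGIN RESOURCE SHARING (CORS) #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Cross-domain AJAX requests |
+# ------------------------------------------------------------------------------
+
+# Enable cross-origin AJAX requests.
+# http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
+# http://enable-cors.org/
+
+# <IfModule mod_headers.c>
+# Header set Access-Control-Allow-Origin "*"
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | CORS-enabled images |
+# ------------------------------------------------------------------------------
+
+# Send the CORS header for images when browsers request it.
+# https://developer.mozilla.org/en/CORS_Enabled_Image
+# http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
+# http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
+
+<IfModule mod_setenvif.c>
+ <IfModule mod_headers.c>
+ <FilesMatch "\.(gif|ico|jpe?g|png|svgz?|webp)$">
+ SetEnvIf Origin ":" IS_CORS
+ Header set Access-Control-Allow-Origin "*" env=IS_CORS
+ </FilesMatch>
+ </IfModule>
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | Web fonts access |
+# ------------------------------------------------------------------------------
+
+# Allow access from all domains for web fonts
+
+<IfModule mod_headers.c>
+ <FilesMatch "\.(eot|font.css|otf|ttc|ttf|woff)$">
+ Header set Access-Control-Allow-Origin "*"
+ </FilesMatch>
+</IfModule>
+
+
+# ##############################################################################
+# # ERRORS #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | 404 error prevention for non-existing redirected folders |
+# ------------------------------------------------------------------------------
+
+# Prevent Apache from returning a 404 error for a rewrite if a directory
+# with the same name does not exist.
+# http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
+# http://www.webmasterworld.com/apache/3808792.htm
+
+Options -MultiViews
+
+# ------------------------------------------------------------------------------
+# | Custom error messages / pages |
+# ------------------------------------------------------------------------------
+
+# You can customize what Apache returns to the client in case of an error (see
+# http://httpd.apache.org/docs/current/mod/core.html#errordocument), e.g.:
+
+ErrorDocument 404 /404.html
+
+
+# ##############################################################################
+# # INTERNET EXPLORER #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Better website experience |
+# ------------------------------------------------------------------------------
+
+# Force IE to render pages in the highest available mode in the various
+# cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf.
+
+<IfModule mod_headers.c>
+ Header set X-UA-Compatible "IE=edge"
+ # `mod_headers` can't match based on the content-type, however, we only
+ # want to send this header for HTML pages and not for the other resources
+ <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
+ Header unset X-UA-Compatible
+ </FilesMatch>
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | Cookie setting from iframes |
+# ------------------------------------------------------------------------------
+
+# Allow cookies to be set from iframes in IE.
+
+# <IfModule mod_headers.c>
+# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | Screen flicker |
+# ------------------------------------------------------------------------------
+
+# Stop screen flicker in IE on CSS rollovers (this only works in
+# combination with the `ExpiresByType` directives for images from below).
+
+# BrowserMatch "MSIE" brokenvary=1
+# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
+# BrowserMatch "Opera" !brokenvary
+# SetEnvIf brokenvary 1 force-no-vary
+
+
+# ##############################################################################
+# # MIME TYPES AND ENCODING #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Proper MIME types for all files |
+# ------------------------------------------------------------------------------
+
+<IfModule mod_mime.c>
+
+ # Audio
+ AddType audio/mp4 m4a f4a f4b
+ AddType audio/ogg oga ogg
+
+ # JavaScript
+ # Normalize to standard type (it's sniffed in IE anyways):
+ # http://tools.ietf.org/html/rfc4329#section-7.2
+ AddType application/javascript js
+ AddType application/json json
+
+ # Video
+ AddType video/mp4 mp4 m4v f4v f4p
+ AddType video/ogg ogv
+ AddType video/webm webm
+ AddType video/x-flv flv
+
+ # Web fonts
+ AddType application/font-woff woff
+ AddType application/vnd.ms-fontobject eot
+
+ # Browsers usually ignore the font MIME types and sniff the content,
+ # however, Chrome shows a warning if other MIME types are used for the
+ # following fonts.
+ AddType application/x-font-ttf ttc ttf
+ AddType font/opentype otf
+
+ # Make SVGZ fonts work on iPad:
+ # https://twitter.com/FontSquirrel/status/14855840545
+ AddType image/svg+xml svg svgz
+ AddEncoding gzip svgz
+
+ # Other
+ AddType application/octet-stream safariextz
+ AddType application/x-chrome-extension crx
+ AddType application/x-opera-extension oex
+ AddType application/x-shockwave-flash swf
+ AddType application/x-web-app-manifest+json webapp
+ AddType application/x-xpinstall xpi
+ AddType application/xml atom rdf rss xml
+ AddType image/webp webp
+ AddType image/x-icon ico
+ AddType text/cache-manifest appcache manifest
+ AddType text/vtt vtt
+ AddType text/x-component htc
+ AddType text/x-vcard vcf
+
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | UTF-8 encoding |
+# ------------------------------------------------------------------------------
+
+# Use UTF-8 encoding for anything served as `text/html` or `text/plain`.
+AddDefaultCharset utf-8
+
+# Force UTF-8 for certain file formats.
+<IfModule mod_mime.c>
+ AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
+</IfModule>
+
+
+# ##############################################################################
+# # URL REWRITES #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Rewrite engine |
+# ------------------------------------------------------------------------------
+
+# Turning on the rewrite engine and enabling the `FollowSymLinks` option is
+# necessary for the following directives to work.
+
+# If your web host doesn't allow the `FollowSymlinks` option, you may need to
+# comment it out and use `Options +SymLinksIfOwnerMatch` but, be aware of the
+# performance impact: http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
+
+# Also, some cloud hosting services require `RewriteBase` to be set:
+# http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-mod-rewrite-not-working-on-my-site
+
+<IfModule mod_rewrite.c>
+ Options +FollowSymlinks
+ # Options +SymLinksIfOwnerMatch
+ RewriteEngine On
+ # RewriteBase /
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | Suppressing / Forcing the "www." at the beginning of URLs |
+# ------------------------------------------------------------------------------
+
+# The same content should never be available under two different URLs especially
+# not with and without "www." at the beginning. This can cause SEO problems
+# (duplicate content), therefore, you should choose one of the alternatives and
+# redirect the other one.
+
+# By default option 1 (no "www.") is activated:
+# http://no-www.org/faq.php?q=class_b
+
+# If you'd prefer to use option 2, just comment out all the lines from option 1
+# and uncomment the ones from option 2.
+
+# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Option 1: rewrite www.example.com → example.com
+
+<IfModule mod_rewrite.c>
+ RewriteCond %{HTTPS} !=on
+ RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
+ RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
+</IfModule>
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Option 2: rewrite example.com → www.example.com
+
+# Be aware that the following might not be a good idea if you use "real"
+# subdomains for certain parts of your website.
+
+# <IfModule mod_rewrite.c>
+# RewriteCond %{HTTPS} !=on
+# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
+# RewriteCond %{HTTP_HOST} !=localhost [NC]
+# RewriteCond %{HTTP_HOST} !=127.0.0.1
+# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+# </IfModule>
+
+
+# ##############################################################################
+# # SECURITY #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Content Security Policy (CSP) |
+# ------------------------------------------------------------------------------
+
+# You can mitigate the risk of cross-site scripting and other content-injection
+# attacks by setting a Content Security Policy which whitelists trusted sources
+# of content for your site.
+
+# The example header below allows ONLY scripts that are loaded from the current
+# site's origin (no inline scripts, no CDN, etc). This almost certainly won't
+# work as-is for your site!
+
+# To get all the details you'll need to craft a reasonable policy for your site,
+# read: http://html5rocks.com/en/tutorials/security/content-security-policy (or
+# see the specification: http://w3.org/TR/CSP).
+
+# <IfModule mod_headers.c>
+# Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
+# <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
+# Header unset Content-Security-Policy
+# </FilesMatch>
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | File access |
+# ------------------------------------------------------------------------------
+
+# Block access to directories without a default document.
+# Usually you should leave this uncommented because you shouldn't allow anyone
+# to surf through every directory on your server (which may includes rather
+# private places like the CMS's directories).
+
+<IfModule mod_autoindex.c>
+ Options -Indexes
+</IfModule>
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to hidden files and directories.
+# This includes directories used by version control systems such as Git and SVN.
+
+<IfModule mod_rewrite.c>
+ RewriteCond %{SCRIPT_FILENAME} -d [OR]
+ RewriteCond %{SCRIPT_FILENAME} -f
+ RewriteRule "(^|/)\." - [F]
+</IfModule>
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to backup and source files.
+# These files may be left by some text editors and can pose a great security
+# danger when anyone has access to them.
+
+<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
+ Order allow,deny
+ Deny from all
+ Satisfy All
+</FilesMatch>
+
+# ------------------------------------------------------------------------------
+# | Secure Sockets Layer (SSL) |
+# ------------------------------------------------------------------------------
+
+# Rewrite secure requests properly to prevent SSL certificate warnings, e.g.:
+# prevent `https://www.example.com` when your certificate only allows
+# `https://secure.example.com`.
+
+# <IfModule mod_rewrite.c>
+# RewriteCond %{SERVER_PORT} !^443
+# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS) |
+# ------------------------------------------------------------------------------
+
+# Force client-side SSL redirection.
+
+# If a user types "example.com" in his browser, the above rule will redirect
+# him to the secure version of the site. That still leaves a window of oppor-
+# tunity (the initial HTTP connection) for an attacker to downgrade or redirect
+# the request. The following header ensures that browser will ONLY connect to
+# your server via HTTPS, regardless of what the users type in the address bar.
+# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
+# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
+
+# (!) Remove the `includeSubDomains` optional directive if the subdomains are
+# not using HTTPS.
+
+# <IfModule mod_headers.c>
+# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | Server software information |
+# ------------------------------------------------------------------------------
+
+# Avoid displaying the exact Apache version number, the description of the
+# generic OS-type and the information about Apache's compiled-in modules.
+
+# ADD THIS DIRECTIVE IN THE `httpd.conf` AS IT WILL NOT WORK IN THE `.htaccess`!
+
+# ServerTokens Prod
+
+
+# ##############################################################################
+# # WEB PERFORMANCE #
+# ##############################################################################
+
+# ------------------------------------------------------------------------------
+# | Compression |
+# ------------------------------------------------------------------------------
+
+<IfModule mod_deflate.c>
+
+ # Force compression for mangled headers.
+ # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
+ <IfModule mod_setenvif.c>
+ <IfModule mod_headers.c>
+ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
+ RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
+ </IfModule>
+ </IfModule>
+
+ # Compress all output labeled with one of the following MIME-types
+ # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
+ # and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
+ # as `AddOutputFilterByType` is still in the core directives).
+ <IfModule mod_filter.c>
+ AddOutputFilterByType DEFLATE application/atom+xml \
+ application/javascript \
+ application/json \
+ application/rss+xml \
+ application/vnd.ms-fontobject \
+ application/x-font-ttf \
+ application/x-web-app-manifest+json \
+ application/xhtml+xml \
+ application/xml \
+ font/opentype \
+ image/svg+xml \
+ image/x-icon \
+ text/css \
+ text/html \
+ text/plain \
+ text/x-component \
+ text/xml
+ </IfModule>
+
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | Content transformations |
+# ------------------------------------------------------------------------------
+
+# Prevent some of the mobile network providers from modifying the content of
+# your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
+
+# <IfModule mod_headers.c>
+# Header set Cache-Control "no-transform"
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | ETag removal |
+# ------------------------------------------------------------------------------
+
+# Since we're sending far-future expires headers (see below), ETags can
+# be removed: http://developer.yahoo.com/performance/rules.html#etags.
+
+# `FileETag None` is not enough for every server.
+<IfModule mod_headers.c>
+ Header unset ETag
+</IfModule>
+
+FileETag None
+
+# ------------------------------------------------------------------------------
+# | Expires headers (for better cache control) |
+# ------------------------------------------------------------------------------
+
+# The following expires headers are set pretty far in the future. If you don't
+# control versioning with filename-based cache busting, consider lowering the
+# cache time for resources like CSS and JS to something like 1 week.
+
+<IfModule mod_expires.c>
+
+ ExpiresActive on
+ ExpiresDefault "access plus 1 month"
+
+ # CSS
+ ExpiresByType text/css "access plus 1 year"
+
+ # Data interchange
+ ExpiresByType application/json "access plus 0 seconds"
+ ExpiresByType application/xml "access plus 0 seconds"
+ ExpiresByType text/xml "access plus 0 seconds"
+
+ # Favicon (cannot be renamed!)
+ ExpiresByType image/x-icon "access plus 1 week"
+
+ # HTML components (HTCs)
+ ExpiresByType text/x-component "access plus 1 month"
+
+ # HTML
+ ExpiresByType text/html "access plus 0 seconds"
+
+ # JavaScript
+ ExpiresByType application/javascript "access plus 1 year"
+
+ # Manifest files
+ ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
+ ExpiresByType text/cache-manifest "access plus 0 seconds"
+
+ # Media
+ ExpiresByType audio/ogg "access plus 1 month"
+ ExpiresByType image/gif "access plus 1 month"
+ ExpiresByType image/jpeg "access plus 1 month"
+ ExpiresByType image/png "access plus 1 month"
+ ExpiresByType video/mp4 "access plus 1 month"
+ ExpiresByType video/ogg "access plus 1 month"
+ ExpiresByType video/webm "access plus 1 month"
+
+ # Web feeds
+ ExpiresByType application/atom+xml "access plus 1 hour"
+ ExpiresByType application/rss+xml "access plus 1 hour"
+
+ # Web fonts
+ ExpiresByType application/font-woff "access plus 1 month"
+ ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
+ ExpiresByType application/x-font-ttf "access plus 1 month"
+ ExpiresByType font/opentype "access plus 1 month"
+ ExpiresByType image/svg+xml "access plus 1 month"
+
+</IfModule>
+
+# ------------------------------------------------------------------------------
+# | Filename-based cache busting |
+# ------------------------------------------------------------------------------
+
+# If you're not using a build process to manage your filename version revving,
+# you might want to consider enabling the following directives to route all
+# requests such as `/css/style.12345.css` to `/css/style.css`.
+
+# To understand why this is important and a better idea than `*.css?v231`, read:
+# http://stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring
+
+# <IfModule mod_rewrite.c>
+# RewriteCond %{REQUEST_FILENAME} !-f
+# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | File concatenation |
+# ------------------------------------------------------------------------------
+
+# Allow concatenation from within specific CSS and JS files, e.g.:
+# Inside of `script.combined.js` you could have
+# <!--#include file="libs/jquery.js" -->
+# <!--#include file="plugins/jquery.idletimer.js" -->
+# and they would be included into this single file.
+
+# <IfModule mod_include.c>
+# <FilesMatch "\.combined\.js$">
+# Options +Includes
+# AddOutputFilterByType INCLUDES application/javascript application/json
+# SetOutputFilter INCLUDES
+# </FilesMatch>
+# <FilesMatch "\.combined\.css$">
+# Options +Includes
+# AddOutputFilterByType INCLUDES text/css
+# SetOutputFilter INCLUDES
+# </FilesMatch>
+# </IfModule>
+
+# ------------------------------------------------------------------------------
+# | Persistent connections |
+# ------------------------------------------------------------------------------
+
+# Allow multiple requests to be sent over the same TCP connection:
+# http://httpd.apache.org/docs/current/en/mod/core.html#keepalive.
+
+# Enable if you serve a lot of static content but, be aware of the
+# possible disadvantages!
+
+# <IfModule mod_headers.c>
+# Header set Connection Keep-Alive
+# </IfModule>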