diff --git a/lib/h5bp-htaccess b/lib/h5bp-htaccess
index 5c9ae78..3b6ea3f 100644
--- a/lib/h5bp-htaccess
+++ b/lib/h5bp-htaccess
@@ -2,25 +2,28 @@
###
### This contains the HTML5 Boilerplate .htaccess that can be found at:
-### github.com/h5bp/html5-boilerplate/blob/master/.htaccess
+### https://github.com/h5bp/server-configs/blob/master/apache/.htaccess
###
### Added:
-### Block access to access to WordPress files that reveal version information.
+### Block access to access to WordPress files that reveal version information.
###
-### Commented out by default:
-### Expires headers: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
-### ETag removal: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script)
-### Start rewrite engine: Handled by WordPress
-### Suppress/force www: Handled by WordPress
-### Options -MultiViews: Causes a server 500 error on most shared hosts
-### Custom 404 page: Handled by WordPress
+### Removed:
+### Expires headers: Use W3 Total Cache
+### ETag removal: Use W3 Total Cache
+### Start rewrite engine: Handled by WordPress
+### Suppress/force www: Handled by WordPress
+### Custom 404 page: Handled by WordPress
+###
+### Commmented out by default:
+### Options -MultiViews: Causes a server 500 error on most shared hosts
###
### Anytime you update this file the .htaccess file in the root of your
### WordPress install is automatically updated with the changes whenever
-### the permalinks are flushed or set
+### the permalinks are flushed or set (see lib/htaccess.php)
###
+
# ----------------------------------------------------------------------
# Better website experience for IE users
# ----------------------------------------------------------------------
@@ -30,9 +33,9 @@
# Use ChromeFrame if it's installed for a better experience for the poor IE folk
- Header set X-UA-Compatible "IE=Edge,chrome=1"
+ Header set X-UA-Compatible "IE=edge,chrome=1"
# mod_headers can't match by content-type, but we don't want to send this header on *everything*...
-
+
Header unset X-UA-Compatible
@@ -64,7 +67,7 @@
# mod_headers, y u no match by Content-Type?!
-
+
SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS
@@ -81,18 +84,16 @@
# subdomains like "subdomain.example.com".
-
+
Header set Access-Control-Allow-Origin "*"
-
# ----------------------------------------------------------------------
# Proper MIME type for all files
# ----------------------------------------------------------------------
-
# JavaScript
# Normalize to standard type (it's sniffed in IE anyways)
# tools.ietf.org/html/rfc4329#section-7.2
@@ -100,12 +101,12 @@ AddType application/javascript js jsonp
AddType application/json json
# Audio
-AddType audio/ogg oga ogg
AddType audio/mp4 m4a f4a f4b
+AddType audio/ogg oga ogg
# Video
-AddType video/ogg ogv
AddType video/mp4 mp4 m4v f4v f4p
+AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
@@ -116,25 +117,25 @@ AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# Webfonts
+AddType application/font-woff woff
AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttf ttc
AddType font/opentype otf
-AddType application/x-font-woff woff
# Assorted types
-AddType image/x-icon ico
-AddType image/webp webp
-AddType text/cache-manifest appcache manifest
-AddType text/x-component htc
-AddType application/xml rss atom xml rdf
+AddType application/octet-stream safariextz
AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex
-AddType application/x-xpinstall xpi
-AddType application/octet-stream safariextz
-AddType application/x-web-app-manifest+json webapp
-AddType text/x-vcard vcf
AddType application/x-shockwave-flash swf
-
+AddType application/x-web-app-manifest+json webapp
+AddType application/x-xpinstall xpi
+AddType application/xml rss atom xml rdf
+AddType image/webp webp
+AddType image/x-icon ico
+AddType text/cache-manifest appcache manifest
+AddType text/vtt vtt
+AddType text/x-component htc
+AddType text/x-vcard vcf
# ----------------------------------------------------------------------
@@ -142,20 +143,19 @@ AddType application/x-shockwave-flash swf
# ----------------------------------------------------------------------
# e.g. Inside of script.combined.js you could have
-#
+#
#
# and they would be included into this single file.
# This is not in use in the boilerplate as it stands. You may
-# choose to name your files in this way for this advantage or
-# concatenate and minify them manually.
-# Disabled by default.
+# choose to use this technique if you do not have a build process.
#
# Options +Includes
# AddOutputFilterByType INCLUDES application/javascript application/json
# SetOutputFilter INCLUDES
#
+
#
# Options +Includes
# AddOutputFilterByType INCLUDES text/css
@@ -177,139 +177,51 @@ AddType application/x-shockwave-flash swf
- # HTML, TXT, CSS, JavaScript, JSON, XML, HTC:
-
- FilterDeclare COMPRESS
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject
- FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf
- FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype
- FilterChain COMPRESS
- FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
-
-
-
- # Legacy versions of Apache
- AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
- AddOutputFilterByType DEFLATE application/javascript
- AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
- AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml
- AddOutputFilterByType DEFLATE image/x-icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
+ # Compress all output labeled with one of the following MIME-types
+ # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
+ # and can remove the `` and `` lines as
+ # `AddOutputFilterByType` is still in the core directives)
+
+ AddOutputFilterByType DEFLATE application/atom+xml \
+ application/javascript \
+ application/json \
+ application/rss+xml \
+ application/vnd.ms-fontobject \
+ application/x-font-ttf \
+ application/xhtml+xml \
+ application/xml \
+ font/opentype \
+ image/svg+xml \
+ image/x-icon \
+ text/css \
+ text/html \
+ text/plain \
+ text/x-component \
+ text/xml
-# ----------------------------------------------------------------------
-# Expires headers (for better cache control)
-# ----------------------------------------------------------------------
-
-# These are pretty far-future expires headers.
-# They assume you control versioning with filename-based cache busting
-# Additionally, consider that outdated proxies may miscache
-# www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
-
-# If you don't use filenames to version, lower the CSS and JS to something like
-# "access plus 1 week" or so.
-
-#
-# ExpiresActive on
-
-# Perhaps better to whitelist expires rules? Perhaps.
-# ExpiresDefault "access plus 1 month"
-
-# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
-# ExpiresByType text/cache-manifest "access plus 0 seconds"
-
-# Your document html
-# ExpiresByType text/html "access plus 0 seconds"
-
-# Data
-# ExpiresByType text/xml "access plus 0 seconds"
-# ExpiresByType application/xml "access plus 0 seconds"
-# ExpiresByType application/json "access plus 0 seconds"
-
-# Feed
-# ExpiresByType application/rss+xml "access plus 1 hour"
-# ExpiresByType application/atom+xml "access plus 1 hour"
-
-# Favicon (cannot be renamed)
-# ExpiresByType image/x-icon "access plus 1 week"
-
-# Media: images, video, audio
-# ExpiresByType image/gif "access plus 1 month"
-# ExpiresByType image/png "access plus 1 month"
-# ExpiresByType image/jpg "access plus 1 month"
-# ExpiresByType image/jpeg "access plus 1 month"
-# ExpiresByType video/ogg "access plus 1 month"
-# ExpiresByType audio/ogg "access plus 1 month"
-# ExpiresByType video/mp4 "access plus 1 month"
-# ExpiresByType video/webm "access plus 1 month"
-
-# HTC files (css3pie)
-# ExpiresByType text/x-component "access plus 1 month"
-
-# Webfonts
-# ExpiresByType application/x-font-ttf "access plus 1 month"
-# ExpiresByType font/opentype "access plus 1 month"
-# ExpiresByType application/x-font-woff "access plus 1 month"
-# ExpiresByType image/svg+xml "access plus 1 month"
-# ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
-
-# CSS and JavaScript
-# ExpiresByType text/css "access plus 1 year"
-# ExpiresByType application/javascript "access plus 1 year"
-
-#
-
# ----------------------------------------------------------------------
# Prevent mobile network providers from modifying your site
# ----------------------------------------------------------------------
-# The following header prevents modification of your code over 3G on some European providers
-# This is the official 'bypass' suggested by O2 in the UK
+# The following header prevents modification of your code over 3G on some
+# European providers.
+# This is the official 'bypass' suggested by O2 in the UK.
#
# Header set Cache-Control "no-transform"
#
-
-# ----------------------------------------------------------------------
-# ETag removal
-# ----------------------------------------------------------------------
-
-# FileETag None is not enough for every server.
-#
-# Header unset ETag
-#
-
-# Since we're sending far-future expires, we don't need ETags for
-# static content.
-# developer.yahoo.com/performance/rules.html#etags
-# FileETag None
-
-
-
# ----------------------------------------------------------------------
# Stop screen flicker in IE on CSS rollovers
# ----------------------------------------------------------------------
# The following directives stop screen flicker in IE on CSS rollovers - in
-# combination with the "ExpiresByType" rules for images (see above). If
-# needed, un-comment the following rules.
+# combination with the "ExpiresByType" rules for images (see above).
# BrowserMatch "MSIE" brokenvary=1
# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
@@ -317,105 +229,42 @@ AddType application/x-shockwave-flash swf
# SetEnvIf brokenvary 1 force-no-vary
-
# ----------------------------------------------------------------------
# Set Keep-Alive Header
# ----------------------------------------------------------------------
-# Keep-Alive allows the server to send multiple requests through one TCP-connection.
-# Be aware of possible disadvantages of this setting. Turn on if you serve a lot of
-# static content.
+# Keep-Alive allows the server to send multiple requests through one
+# TCP-connection. Be aware of possible disadvantages of this setting. Turn on
+# if you serve a lot of static content.
#
# Header set Connection Keep-Alive
#
-
# ----------------------------------------------------------------------
# Cookie setting from iframes
# ----------------------------------------------------------------------
# Allow cookies to be set from iframes (for IE only)
-# If needed, uncomment and specify a path or regex in the Location directive
+# If needed, specify a path or regex in the Location directive.
#
# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
#
-
-# ----------------------------------------------------------------------
-# Start rewrite engine
-# ----------------------------------------------------------------------
-
-# Turning on the rewrite engine is necessary for the following rules and features.
-# FollowSymLinks must be enabled for this to work.
-#
-# Some cloud hosting services require RewriteBase to be set: goo.gl/HOcPN
-# If using the h5bp in a subdirectory, use `RewriteBase /foo` instead where 'foo' is your directory.
-
-#
-# Options +FollowSymlinks
-# RewriteEngine On
-# # RewriteBase /
-#
-
-
-
-# ----------------------------------------------------------------------
-# Suppress or force the "www." at the beginning of URLs
-# ----------------------------------------------------------------------
-
-# The same content should never be available under two different URLs - especially not with and
-# without "www." at the beginning, since this can cause SEO problems (duplicate content).
-# That's why you should choose one of the alternatives and redirect the other one.
-
-# By default option 1 (no "www.") is activated. Remember: Shorter URLs are sexier.
-# no-www.org/faq.php?q=class_b
-
-# If you rather want to use option 2, just comment out all option 1 lines
-# and uncomment option 2.
-# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
-
-# ----------------------------------------------------------------------
-
-# Option 1:
-# Rewrite "www.example.com -> example.com"
-
-#
-# RewriteCond %{HTTPS} !=on
-# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
-# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
-#
-
-# ----------------------------------------------------------------------
-
-# Option 2:
-# To rewrite "example.com -> www.example.com" uncomment the following lines.
-# Be aware that the following rule might not be a good idea if you
-# use "real" subdomains for certain parts of your website.
-
-#
-# RewriteCond %{HTTPS} !=on
-# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
-# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
-#
-
-
-
# ----------------------------------------------------------------------
# Built-in filename-based cache busting
# ----------------------------------------------------------------------
# If you're not using the build script to manage your filename version revving,
# you might want to consider enabling this, which will route requests for
-# /css/style.20110203.css to /css/style.css
+# `/css/style.20110203.css` to `/css/style.css`.
# To understand why this is important and a better idea than all.css?v1231,
-# read: github.com/h5bp/html5-boilerplate/wiki/cachebusting
+# please refer to the bundled documentation about `.htaccess`.
-# Uncomment to enable.
#
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d
@@ -423,14 +272,12 @@ AddType application/x-shockwave-flash swf
#
-
# ----------------------------------------------------------------------
# Prevent SSL cert warnings
# ----------------------------------------------------------------------
# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com
-# Uncomment the following lines to use this feature.
#
# RewriteCond %{SERVER_PORT} !^443
@@ -438,29 +285,32 @@ AddType application/x-shockwave-flash swf
#
+# ----------------------------------------------------------------------
+# Force client-side SSL redirection
+# ----------------------------------------------------------------------
+
+# If a user types "example.com" in her browser, the above rule will redirect her
+# to the secure version of the site. That still leaves a window of opportunity
+# (the initial HTTP connection) for an attacker to downgrade or redirect the
+# request. The following header ensures that browser will **only** connect to
+# your server via HTTPS, regardless of what users type in the address bar.
+
+#
+# Header set Strict-Transport-Security max-age=16070400;
+#
+
# ----------------------------------------------------------------------
# Prevent 404 errors for non-existing redirected folders
# ----------------------------------------------------------------------
-# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist
-# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm
+# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the
+# same name does not exist.
+# webmasterworld.com/apache/3808792.htm
# Options -MultiViews
-
-# ----------------------------------------------------------------------
-# Custom 404 page
-# ----------------------------------------------------------------------
-
-# You can add custom pages to handle 500 or 403 pretty easily, if you like.
-# If you are hosting your site in subdirectory, adjust this accordingly
-# e.g. ErrorDocument 404 /subdir/404.html
-# ErrorDocument 404 /404.html
-
-
-
# ----------------------------------------------------------------------
# UTF-8 encoding
# ----------------------------------------------------------------------
@@ -469,62 +319,49 @@ AddType application/x-shockwave-flash swf
AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats
-AddCharset utf-8 .css .js .xml .json .rss .atom
-
+AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
# ----------------------------------------------------------------------
# A little more security
# ----------------------------------------------------------------------
-
-# Do we want to advertise the exact version number of Apache we're running?
-# Probably not.
-## This can only be enabled if used in httpd.conf - It will not work in .htaccess
+# To avoid displaying the exact version number of Apache being used, add the
+# following to httpd.conf (it will not work in .htaccess):
# ServerTokens Prod
-
-# "-Indexes" will have Apache block users from browsing folders without a default document
-# Usually you should leave this activated, because you shouldn't allow everybody to surf through
-# every folder on your server (which includes rather private places like CMS system folders).
+# "-Indexes" will have Apache block users from browsing folders without a
+# default document Usually you should leave this activated, because you
+# shouldn't allow everybody to surf through every folder on your server (which
+# includes rather private places like CMS system folders).
Options -Indexes
-
-# Block access to "hidden" directories or files whose names begin with a period. This
-# includes directories used by version control systems such as Subversion or Git.
+# Block access to "hidden" directories or files whose names begin with a
+# period. This includes directories used by version control systems such as
+# Subversion or Git.
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
-
-# Block access to backup and source files
-# This files may be left by some text/html editors and
-# pose a great security danger, when someone can access them
-
+# Block access to backup and source files. These files may be left by some
+# text/html editors and pose a great security danger, when anyone can access
+# them.
+
Order allow,deny
Deny from all
Satisfy All
-
-# Block access to WordPress files that reveal version information.
-
- Order allow,deny
- Deny from all
- Satisfy All
-
-
-
# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site
# scripting) attacks. For more information: http://php.net/register_globals
#
-# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
+# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS:
#
# Your server does not allow PHP directives to be set via .htaccess. In that
# case you must make this change in your php.ini file instead. If you are
@@ -578,8 +415,6 @@ AddCharset utf-8 .css .js .xml .json .rss .atom
# php_value error_append_string " "
# Increase cookie security
-
+
php_value session.cookie_httponly true
-
-
-# END HTML5 Boilerplate
+
\ No newline at end of file