Update included H5BP .htaccess

- Add latest updates from H5BP

- Remove various parts that were previously commented out
Ben Word
2013-02-07 14:54:06 -06:00
parent 8128bfda4c
commit be2e203cc5


@@ -2,25 +2,28 @@
### ###
### This contains the HTML5 Boilerplate .htaccess that can be found at: ### This contains the HTML5 Boilerplate .htaccess that can be found at:
### github.com/h5bp/html5-boilerplate/blob/master/.htaccess ### https://github.com/h5bp/server-configs/blob/master/apache/.htaccess
### ###
### Added: ### Added:
### Block access to access to WordPress files that reveal version information. ### Block access to access to WordPress files that reveal version information.
### ###
### Commented out by default: ### Removed:
### Expires headers: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script) ### Expires headers: Use W3 Total Cache
### ETag removal: Use WP Super Cache or W3 Total Cache (unless using the H5BP build script) ### ETag removal: Use W3 Total Cache
### Start rewrite engine: Handled by WordPress ### Start rewrite engine: Handled by WordPress
### Suppress/force www: Handled by WordPress ### Suppress/force www: Handled by WordPress
### Options -MultiViews: Causes a server 500 error on most shared hosts
### Custom 404 page: Handled by WordPress ### Custom 404 page: Handled by WordPress
### ###
### Commmented out by default:
### Options -MultiViews: Causes a server 500 error on most shared hosts
###
### Anytime you update this file the .htaccess file in the root of your ### Anytime you update this file the .htaccess file in the root of your
### WordPress install is automatically updated with the changes whenever ### WordPress install is automatically updated with the changes whenever
### the permalinks are flushed or set ### the permalinks are flushed or set (see lib/htaccess.php)
### ###
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Better website experience for IE users # Better website experience for IE users
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -30,9 +33,9 @@
# Use ChromeFrame if it's installed for a better experience for the poor IE folk # Use ChromeFrame if it's installed for a better experience for the poor IE folk
<IfModule mod_headers.c> <IfModule mod_headers.c>
Header set X-UA-Compatible "IE=Edge,chrome=1" Header set X-UA-Compatible "IE=edge,chrome=1"
# mod_headers can't match by content-type, but we don't want to send this header on *everything*... # mod_headers can't match by content-type, but we don't want to send this header on *everything*...
<FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" > <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webm|webp|woff|xml|xpi)$">
Header unset X-UA-Compatible Header unset X-UA-Compatible
</FilesMatch> </FilesMatch>
</IfModule> </IfModule>
@@ -64,7 +67,7 @@
<IfModule mod_setenvif.c> <IfModule mod_setenvif.c>
<IfModule mod_headers.c> <IfModule mod_headers.c>
# mod_headers, y u no match by Content-Type?! # mod_headers, y u no match by Content-Type?!
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$"> <FilesMatch "\.(gif|ico|jpe?g|png|svg|svgz|webp)$">
SetEnvIf Origin ":" IS_CORS SetEnvIf Origin ":" IS_CORS
Header set Access-Control-Allow-Origin "*" env=IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch> </FilesMatch>
@@ -81,18 +84,16 @@
# subdomains like "subdomain.example.com". # subdomains like "subdomain.example.com".
<IfModule mod_headers.c> <IfModule mod_headers.c>
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$"> <FilesMatch "\.(eot|font.css|otf|ttc|ttf|woff)$">
Header set Access-Control-Allow-Origin "*" Header set Access-Control-Allow-Origin "*"
</FilesMatch> </FilesMatch>
</IfModule> </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Proper MIME type for all files # Proper MIME type for all files
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# JavaScript # JavaScript
# Normalize to standard type (it's sniffed in IE anyways) # Normalize to standard type (it's sniffed in IE anyways)
# tools.ietf.org/html/rfc4329#section-7.2 # tools.ietf.org/html/rfc4329#section-7.2
@@ -100,12 +101,12 @@ AddType application/javascript js jsonp
AddType application/json json AddType application/json json
# Audio # Audio
AddType audio/ogg oga ogg
AddType audio/mp4 m4a f4a f4b AddType audio/mp4 m4a f4a f4b
AddType audio/ogg oga ogg
# Video # Video
AddType video/ogg ogv
AddType video/mp4 mp4 m4v f4v f4p AddType video/mp4 mp4 m4v f4v f4p
AddType video/ogg ogv
AddType video/webm webm AddType video/webm webm
AddType video/x-flv flv AddType video/x-flv flv
@@ -116,25 +117,25 @@ AddType image/svg+xml svg svgz
AddEncoding gzip svgz AddEncoding gzip svgz
# Webfonts # Webfonts
AddType application/font-woff woff
AddType application/vnd.ms-fontobject eot AddType application/vnd.ms-fontobject eot
AddType application/x-font-ttf ttf ttc AddType application/x-font-ttf ttf ttc
AddType font/opentype otf AddType font/opentype otf
AddType application/x-font-woff woff
# Assorted types # Assorted types
AddType image/x-icon ico AddType application/octet-stream safariextz
AddType image/webp webp
AddType text/cache-manifest appcache manifest
AddType text/x-component htc
AddType application/xml rss atom xml rdf
AddType application/x-chrome-extension crx AddType application/x-chrome-extension crx
AddType application/x-opera-extension oex AddType application/x-opera-extension oex
AddType application/x-xpinstall xpi
AddType application/octet-stream safariextz
AddType application/x-web-app-manifest+json webapp
AddType text/x-vcard vcf
AddType application/x-shockwave-flash swf AddType application/x-shockwave-flash swf
AddType application/x-web-app-manifest+json webapp
AddType application/x-xpinstall xpi
AddType application/xml rss atom xml rdf
AddType image/webp webp
AddType image/x-icon ico
AddType text/cache-manifest appcache manifest
AddType text/vtt vtt
AddType text/x-component htc
AddType text/x-vcard vcf
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -142,20 +143,19 @@ AddType application/x-shockwave-flash swf
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# e.g. Inside of script.combined.js you could have # e.g. Inside of script.combined.js you could have
# <!--#include file="libs/jquery.min.js" --> # <!--#include file="libs/jquery-1.5.0.min.js" -->
# <!--#include file="plugins/jquery.idletimer.js" --> # <!--#include file="plugins/jquery.idletimer.js" -->
# and they would be included into this single file. # and they would be included into this single file.
# This is not in use in the boilerplate as it stands. You may # This is not in use in the boilerplate as it stands. You may
# choose to name your files in this way for this advantage or # choose to use this technique if you do not have a build process.
# concatenate and minify them manually.
# Disabled by default.
#<FilesMatch "\.combined\.js$"> #<FilesMatch "\.combined\.js$">
# Options +Includes # Options +Includes
# AddOutputFilterByType INCLUDES application/javascript application/json # AddOutputFilterByType INCLUDES application/javascript application/json
# SetOutputFilter INCLUDES # SetOutputFilter INCLUDES
#</FilesMatch> #</FilesMatch>
#<FilesMatch "\.combined\.css$"> #<FilesMatch "\.combined\.css$">
# Options +Includes # Options +Includes
# AddOutputFilterByType INCLUDES text/css # AddOutputFilterByType INCLUDES text/css
@@ -177,139 +177,51 @@ AddType application/x-shockwave-flash swf
</IfModule> </IfModule>
</IfModule> </IfModule>
# HTML, TXT, CSS, JavaScript, JSON, XML, HTC: # Compress all output labeled with one of the following MIME-types
<IfModule filter_module> # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
FilterDeclare COMPRESS # and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines as
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html # `AddOutputFilterByType` is still in the core directives)
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css <IfModule mod_filter.c>
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain AddOutputFilterByType DEFLATE application/atom+xml \
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml application/javascript \
FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component application/json \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript application/rss+xml \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json application/vnd.ms-fontobject \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml application/x-font-ttf \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml application/xhtml+xml \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml application/xml \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml font/opentype \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject image/svg+xml \
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml image/x-icon \
FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon text/css \
FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf text/html \
FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype text/plain \
FilterChain COMPRESS text/x-component \
FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no text/xml
</IfModule>
<IfModule !mod_filter.c>
# Legacy versions of Apache
AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml
AddOutputFilterByType DEFLATE image/x-icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
</IfModule> </IfModule>
</IfModule> </IfModule>
# ----------------------------------------------------------------------
# Expires headers (for better cache control)
# ----------------------------------------------------------------------
# These are pretty far-future expires headers.
# They assume you control versioning with filename-based cache busting
# Additionally, consider that outdated proxies may miscache
# www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
# If you don't use filenames to version, lower the CSS and JS to something like
# "access plus 1 week" or so.
# <IfModule mod_expires.c>
# ExpiresActive on
# Perhaps better to whitelist expires rules? Perhaps.
# ExpiresDefault "access plus 1 month"
# cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)
# ExpiresByType text/cache-manifest "access plus 0 seconds"
# Your document html
# ExpiresByType text/html "access plus 0 seconds"
# Data
# ExpiresByType text/xml "access plus 0 seconds"
# ExpiresByType application/xml "access plus 0 seconds"
# ExpiresByType application/json "access plus 0 seconds"
# Feed
# ExpiresByType application/rss+xml "access plus 1 hour"
# ExpiresByType application/atom+xml "access plus 1 hour"
# Favicon (cannot be renamed)
# ExpiresByType image/x-icon "access plus 1 week"
# Media: images, video, audio
# ExpiresByType image/gif "access plus 1 month"
# ExpiresByType image/png "access plus 1 month"
# ExpiresByType image/jpg "access plus 1 month"
# ExpiresByType image/jpeg "access plus 1 month"
# ExpiresByType video/ogg "access plus 1 month"
# ExpiresByType audio/ogg "access plus 1 month"
# ExpiresByType video/mp4 "access plus 1 month"
# ExpiresByType video/webm "access plus 1 month"
# HTC files (css3pie)
# ExpiresByType text/x-component "access plus 1 month"
# Webfonts
# ExpiresByType application/x-font-ttf "access plus 1 month"
# ExpiresByType font/opentype "access plus 1 month"
# ExpiresByType application/x-font-woff "access plus 1 month"
# ExpiresByType image/svg+xml "access plus 1 month"
# ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
# CSS and JavaScript
# ExpiresByType text/css "access plus 1 year"
# ExpiresByType application/javascript "access plus 1 year"
# </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Prevent mobile network providers from modifying your site # Prevent mobile network providers from modifying your site
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# The following header prevents modification of your code over 3G on some European providers # The following header prevents modification of your code over 3G on some
# This is the official 'bypass' suggested by O2 in the UK # European providers.
# This is the official 'bypass' suggested by O2 in the UK.
# <IfModule mod_headers.c> # <IfModule mod_headers.c>
# Header set Cache-Control "no-transform" # Header set Cache-Control "no-transform"
# </IfModule> # </IfModule>
# ----------------------------------------------------------------------
# ETag removal
# ----------------------------------------------------------------------
# FileETag None is not enough for every server.
# <IfModule mod_headers.c>
# Header unset ETag
# </IfModule>
# Since we're sending far-future expires, we don't need ETags for
# static content.
# developer.yahoo.com/performance/rules.html#etags
# FileETag None
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Stop screen flicker in IE on CSS rollovers # Stop screen flicker in IE on CSS rollovers
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# The following directives stop screen flicker in IE on CSS rollovers - in # The following directives stop screen flicker in IE on CSS rollovers - in
# combination with the "ExpiresByType" rules for images (see above). If # combination with the "ExpiresByType" rules for images (see above).
# needed, un-comment the following rules.
# BrowserMatch "MSIE" brokenvary=1 # BrowserMatch "MSIE" brokenvary=1
# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1 # BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
@@ -317,105 +229,42 @@ AddType application/x-shockwave-flash swf
# SetEnvIf brokenvary 1 force-no-vary # SetEnvIf brokenvary 1 force-no-vary
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Set Keep-Alive Header # Set Keep-Alive Header
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Keep-Alive allows the server to send multiple requests through one TCP-connection. # Keep-Alive allows the server to send multiple requests through one
# Be aware of possible disadvantages of this setting. Turn on if you serve a lot of # TCP-connection. Be aware of possible disadvantages of this setting. Turn on
# static content. # if you serve a lot of static content.
# <IfModule mod_headers.c> # <IfModule mod_headers.c>
# Header set Connection Keep-Alive # Header set Connection Keep-Alive
# </IfModule> # </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Cookie setting from iframes # Cookie setting from iframes
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Allow cookies to be set from iframes (for IE only) # Allow cookies to be set from iframes (for IE only)
# If needed, uncomment and specify a path or regex in the Location directive # If needed, specify a path or regex in the Location directive.
# <IfModule mod_headers.c> # <IfModule mod_headers.c>
# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"" # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
# </IfModule> # </IfModule>
# ----------------------------------------------------------------------
# Start rewrite engine
# ----------------------------------------------------------------------
# Turning on the rewrite engine is necessary for the following rules and features.
# FollowSymLinks must be enabled for this to work.
#
# Some cloud hosting services require RewriteBase to be set: goo.gl/HOcPN
# If using the h5bp in a subdirectory, use `RewriteBase /foo` instead where 'foo' is your directory.
# <IfModule mod_rewrite.c>
# Options +FollowSymlinks
# RewriteEngine On
# # RewriteBase /
# </IfModule>
# ----------------------------------------------------------------------
# Suppress or force the "www." at the beginning of URLs
# ----------------------------------------------------------------------
# The same content should never be available under two different URLs - especially not with and
# without "www." at the beginning, since this can cause SEO problems (duplicate content).
# That's why you should choose one of the alternatives and redirect the other one.
# By default option 1 (no "www.") is activated. Remember: Shorter URLs are sexier.
# no-www.org/faq.php?q=class_b
# If you rather want to use option 2, just comment out all option 1 lines
# and uncomment option 2.
# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
# ----------------------------------------------------------------------
# Option 1:
# Rewrite "www.example.com -> example.com"
# <IfModule mod_rewrite.c>
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
# </IfModule>
# ----------------------------------------------------------------------
# Option 2:
# To rewrite "example.com -> www.example.com" uncomment the following lines.
# Be aware that the following rule might not be a good idea if you
# use "real" subdomains for certain parts of your website.
# <IfModule mod_rewrite.c>
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Built-in filename-based cache busting # Built-in filename-based cache busting
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# If you're not using the build script to manage your filename version revving, # If you're not using the build script to manage your filename version revving,
# you might want to consider enabling this, which will route requests for # you might want to consider enabling this, which will route requests for
# /css/style.20110203.css to /css/style.css # `/css/style.20110203.css` to `/css/style.css`.
# To understand why this is important and a better idea than all.css?v1231, # To understand why this is important and a better idea than all.css?v1231,
# read: github.com/h5bp/html5-boilerplate/wiki/cachebusting # please refer to the bundled documentation about `.htaccess`.
# Uncomment to enable.
# <IfModule mod_rewrite.c> # <IfModule mod_rewrite.c>
# RewriteCond %{REQUEST_FILENAME} !-f # RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME} !-d # RewriteCond %{REQUEST_FILENAME} !-d
@@ -423,14 +272,12 @@ AddType application/x-shockwave-flash swf
# </IfModule> # </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Prevent SSL cert warnings # Prevent SSL cert warnings
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent # Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
# https://www.example.com when your cert only allows https://secure.example.com # https://www.example.com when your cert only allows https://secure.example.com
# Uncomment the following lines to use this feature.
# <IfModule mod_rewrite.c> # <IfModule mod_rewrite.c>
# RewriteCond %{SERVER_PORT} !^443 # RewriteCond %{SERVER_PORT} !^443
@@ -438,29 +285,32 @@ AddType application/x-shockwave-flash swf
# </IfModule> # </IfModule>
# ----------------------------------------------------------------------
# Force client-side SSL redirection
# ----------------------------------------------------------------------
# If a user types "example.com" in her browser, the above rule will redirect her
# to the secure version of the site. That still leaves a window of opportunity
# (the initial HTTP connection) for an attacker to downgrade or redirect the
# request. The following header ensures that browser will **only** connect to
# your server via HTTPS, regardless of what users type in the address bar.
# <IfModule mod_headers.c>
# Header set Strict-Transport-Security max-age=16070400;
# </IfModule>
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Prevent 404 errors for non-existing redirected folders # Prevent 404 errors for non-existing redirected folders
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist # without -MultiViews, Apache will give a 404 for a rewrite if a folder of the
# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm # same name does not exist.
# webmasterworld.com/apache/3808792.htm
# Options -MultiViews # Options -MultiViews
# ----------------------------------------------------------------------
# Custom 404 page
# ----------------------------------------------------------------------
# You can add custom pages to handle 500 or 403 pretty easily, if you like.
# If you are hosting your site in subdirectory, adjust this accordingly
# e.g. ErrorDocument 404 /subdir/404.html
# ErrorDocument 404 /404.html
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# UTF-8 encoding # UTF-8 encoding
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@@ -469,56 +319,43 @@ AddType application/x-shockwave-flash swf
AddDefaultCharset utf-8 AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats # Force UTF-8 for a number of file formats
AddCharset utf-8 .css .js .xml .json .rss .atom AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# A little more security # A little more security
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# To avoid displaying the exact version number of Apache being used, add the
# Do we want to advertise the exact version number of Apache we're running? # following to httpd.conf (it will not work in .htaccess):
# Probably not.
## This can only be enabled if used in httpd.conf - It will not work in .htaccess
# ServerTokens Prod # ServerTokens Prod
# "-Indexes" will have Apache block users from browsing folders without a
# "-Indexes" will have Apache block users from browsing folders without a default document # default document Usually you should leave this activated, because you
# Usually you should leave this activated, because you shouldn't allow everybody to surf through # shouldn't allow everybody to surf through every folder on your server (which
# every folder on your server (which includes rather private places like CMS system folders). # includes rather private places like CMS system folders).
<IfModule mod_autoindex.c> <IfModule mod_autoindex.c>
Options -Indexes Options -Indexes
</IfModule> </IfModule>
# Block access to "hidden" directories or files whose names begin with a
# Block access to "hidden" directories or files whose names begin with a period. This # period. This includes directories used by version control systems such as
# includes directories used by version control systems such as Subversion or Git. # Subversion or Git.
<IfModule mod_rewrite.c> <IfModule mod_rewrite.c>
RewriteCond %{SCRIPT_FILENAME} -d [OR] RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F] RewriteRule "(^|/)\." - [F]
</IfModule> </IfModule>
# Block access to backup and source files. These files may be left by some
# Block access to backup and source files # text/html editors and pose a great security danger, when anyone can access
# This files may be left by some text/html editors and # them.
# pose a great security danger, when someone can access them <FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
Order allow,deny Order allow,deny
Deny from all Deny from all
Satisfy All Satisfy All
</FilesMatch> </FilesMatch>
# Block access to WordPress files that reveal version information.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
# If your server is not already configured as such, the following directive # If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF. # should be uncommented in order to set PHP's register_globals option to OFF.
# This closes a major security hole that is abused by most XSS (cross-site # This closes a major security hole that is abused by most XSS (cross-site
@@ -578,8 +415,6 @@ AddCharset utf-8 .css .js .xml .json .rss .atom
# php_value error_append_string " " # php_value error_append_string " "
# Increase cookie security # Increase cookie security
<IfModule php5_module> <IfModule mod_php5.c>
php_value session.cookie_httponly true php_value session.cookie_httponly true
</IfModule> </IfModule>
# END HTML5 Boilerplate
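Review bot: The deny rule for `wp-config.php`, `readme.html` and `license.txt` near the end of the file (hunk `@@ -469,56 +319,43 @@`) is printed on one side only, and because that hunk shrinks from 56 to 43 lines it looks as if the block was dropped, while the header comment on the new side still lists "Block access to access to WordPress files that reveal version information" under `### Added:`. If it was removed, `readme.html` and `license.txt` are served again and `wp-config.php` loses its fallback protection for the case where PHP is not executed and the file is returned as plain text. I would keep the five-line `<FilesMatch "^(wp-config\.php|readme\.html|license\.txt)">` block, or otherwise delete the stale header entry so the file does not claim a protection it no longer has. The page does not show the unchanged lines between hunks, so the block may have moved rather than disappeared; this is worth confirming against the resulting file.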