diff --git a/includes/roots-htaccess.php b/includes/roots-htaccess.php
index 9c379cf..a2a10bc 100644
--- a/includes/roots-htaccess.php
+++ b/includes/roots-htaccess.php
@@ -33,16 +33,16 @@ function roots_add_htaccess($rules) {
$rules .= "\n# Use ChromeFrame if it's installed for a better experience for the poor IE folk";
$rules .= "\n";
$rules .= "\n";
- $rules .= "\n";
- $rules .= "\nBrowserMatch MSIE ie";
- $rules .= "\nHeader set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie";
- $rules .= "\n";
+ $rules .= "\n ";
+ $rules .= "\n BrowserMatch MSIE ie";
+ $rules .= "\n Header set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie";
+ $rules .= "\n ";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),";
$rules .= "\n# We need to inform proxies that content changes based on UA";
- $rules .= "\nHeader append Vary User-Agent";
+ $rules .= "\n Header append Vary User-Agent";
$rules .= "\n# Cache control is set only if mod_headers is enabled, so that's unncessary to declare";
$rules .= "\n";
$rules .= "\n";
@@ -70,9 +70,9 @@ function roots_add_htaccess($rules) {
$rules .= "\n# your subdomains like \"sub.domain.com\"";
$rules .= "\n";
$rules .= "\n";
- $rules .= "\n";
- $rules .= "\nHeader set Access-Control-Allow-Origin "*"";
- $rules .= "\n";
+ $rules .= "\n ";
+ $rules .= "\n Header set Access-Control-Allow-Origin "*"";
+ $rules .= "\n ";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n";
@@ -120,34 +120,76 @@ function roots_add_htaccess($rules) {
$rules .= "\n";
$rules .= "\n# force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/";
$rules .= "\n";
- $rules .= "\n";
- $rules .= "\nSetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding";
- $rules .= "\nRequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding";
- $rules .= "\n";
+ $rules .= "\n ";
+ $rules .= "\n SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding";
+ $rules .= "\n RequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding";
+ $rules .= "\n ";
$rules .= "\n";
$rules .= "\n# html, txt, css, js, json, xml, htc:";
$rules .= "\n";
- $rules .= "\nFilterDeclare COMPRESS";
- $rules .= "\nFilterProvider COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/";
- $rules .= "\nFilterProvider COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/";
- $rules .= "\nFilterChain COMPRESS";
- $rules .= "\nFilterProtocol COMPRESS change=yes;byteranges=no";
+ $rules .= "\n FilterDeclare COMPRESS";
+ $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/";
+ $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/";
+ $rules .= "\n FilterChain COMPRESS";
+ $rules .= "\n FilterProtocol COMPRESS change=yes;byteranges=no";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n";
- $rules .= "\n# Legacy versions of Apache";
- $rules .= "\nAddOutputFilterByType DEFLATE text/html text/plain text/css application/json";
- $rules .= "\nAddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript ";
- $rules .= "\nAddOutputFilterByType DEFLATE text/xml application/xml text/x-component";
+ $rules .= "\n # Legacy versions of Apache";
+ $rules .= "\n AddOutputFilterByType DEFLATE text/html text/plain text/css application/json";
+ $rules .= "\n AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript ";
+ $rules .= "\n AddOutputFilterByType DEFLATE text/xml application/xml text/x-component";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n# webfonts and svg:";
- $rules .= "\n";
- $rules .= "\nSetOutputFilter DEFLATE";
- $rules .= "\n";
+ $rules .= "\n ";
+ $rules .= "\n SetOutputFilter DEFLATE";
+ $rules .= "\n ";
$rules .= "\n";
$rules .= "\n";
$rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n# Stop screen flicker in IE on CSS rollovers";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n";
+ $rules .= "\n# The following directives stop screen flicker in IE on CSS rollovers - in";
+ $rules .= "\n# combination with the \"ExpiresByType\" rules for images (see above). If";
+ $rules .= "\n# needed, un-comment the following rules.";
+ $rules .= "\n";
+ $rules .= "\n# BrowserMatch \"MSIE\" brokenvary=1";
+ $rules .= "\n# BrowserMatch \"Mozilla/4.[0-9]{2}\" brokenvary=1";
+ $rules .= "\n# BrowserMatch \"Opera\" !brokenvary";
+ $rules .= "\n# SetEnvIf brokenvary 1 force-no-vary";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n# Prevent SSL cert warnings";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n";
+ $rules .= "\n# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent ";
+ $rules .= "\n# https://www.domain.com when your cert only allows https://secure.domain.com";
+ $rules .= "\n# Uncomment the following lines to use this feature.";
+ $rules .= "\n";
+ $rules .= "\n# ";
+ $rules .= "\n# RewriteCond %{SERVER_PORT} !^443";
+ $rules .= "\n# RewriteRule (.*) https://example-domain-please-change-me.com/$1 [R=301,L]";
+ $rules .= "\n# ";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n# Prevent 404 errors for non-existing redirected folders";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n";
+ $rules .= "\n# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist ";
+ $rules .= "\n# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm";
+ $rules .= "\n";
+ $rules .= "\nOptions -MultiViews ";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n";
$rules .= "\n# ----------------------------------------------------------------------";
$rules .= "\n# UTF-8 encoding";
$rules .= "\n# ----------------------------------------------------------------------";
@@ -158,6 +200,54 @@ function roots_add_htaccess($rules) {
$rules .= "\n# force utf-8 for a number of file formats";
$rules .= "\nAddCharset utf-8 .html .css .js .xml .json .rss";
$rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n# A little more security";
+ $rules .= "\n# ----------------------------------------------------------------------";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# Do we want to advertise the exact version number of Apache we're running?";
+ $rules .= "\n# Probably not.";
+ $rules .= "\n## This can only be enabled if used in httpd.conf - It will not work in .htaccess";
+ $rules .= "\n# ServerTokens Prod";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# \"-Indexes\" will have Apache block users from browsing folders without a default document";
+ $rules .= "\n# Usually you should leave this activated, because you shouldn't allow everybody to surf through";
+ $rules .= "\n# every folder on your server (which includes rather private places like CMS system folders).";
+ $rules .= "\nOptions -Indexes";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# Block access to \"hidden\" directories whose names begin with a period. This";
+ $rules .= "\n# includes directories used by version control systems such as Subversion or Git.";
+ $rules .= "\n";
+ $rules .= "\n RewriteRule \"(^|/)\.\" - [F]";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# If your server is not already configured as such, the following directive";
+ $rules .= "\n# should be uncommented in order to set PHP's register_globals option to OFF.";
+ $rules .= "\n# This closes a major security hole that is abused by most XSS (cross-site";
+ $rules .= "\n# scripting) attacks. For more information: http://php.net/register_globals";
+ $rules .= "\n#";
+ $rules .= "\n# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :";
+ $rules .= "\n#";
+ $rules .= "\n# Your server does not allow PHP directives to be set via .htaccess. In that";
+ $rules .= "\n# case you must make this change in your php.ini file instead. If you are";
+ $rules .= "\n# using a commercial web host, contact the administrators for assistance in";
+ $rules .= "\n# doing this. Not all servers allow local php.ini files, and they should";
+ $rules .= "\n# include all PHP configurations (not just this one), or you will effectively";
+ $rules .= "\n# reset everything to PHP defaults. Consult www.php.net for more detailed";
+ $rules .= "\n# information about setting PHP directives.";
+ $rules .= "\n";
+ $rules .= "\n# php_flag register_globals Off";
+ $rules .= "\n";
+ $rules .= "\n";
+ $rules .= "\n# Increase cookie security";
+ $rules .= "\n";
+ $rules .= "\n php_value session.cookie_httponly true";
+ $rules .= "\n";
return $rules;
}