From 83b325a5a4b351a58661cb1f8f50bdeca60f78a6 Mon Sep 17 00:00:00 2001 From: Ben Word Date: Fri, 1 Apr 2011 09:45:22 -0600 Subject: [PATCH] adding more from the html5 boilerplate .htaccess (remember to use wp-super-cache to control expires) --- includes/roots-htaccess.php | 138 +++++++++++++++++++++++++++++------- 1 file changed, 114 insertions(+), 24 deletions(-) diff --git a/includes/roots-htaccess.php b/includes/roots-htaccess.php index 9c379cf..a2a10bc 100644 --- a/includes/roots-htaccess.php +++ b/includes/roots-htaccess.php @@ -33,16 +33,16 @@ function roots_add_htaccess($rules) { $rules .= "\n# Use ChromeFrame if it's installed for a better experience for the poor IE folk"; $rules .= "\n"; $rules .= "\n"; - $rules .= "\n"; - $rules .= "\nBrowserMatch MSIE ie"; - $rules .= "\nHeader set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie"; - $rules .= "\n"; + $rules .= "\n "; + $rules .= "\n BrowserMatch MSIE ie"; + $rules .= "\n Header set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie"; + $rules .= "\n "; $rules .= "\n"; $rules .= "\n"; $rules .= "\n"; $rules .= "\n# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),"; $rules .= "\n# We need to inform proxies that content changes based on UA"; - $rules .= "\nHeader append Vary User-Agent"; + $rules .= "\n Header append Vary User-Agent"; $rules .= "\n# Cache control is set only if mod_headers is enabled, so that's unncessary to declare"; $rules .= "\n"; $rules .= "\n"; @@ -70,9 +70,9 @@ function roots_add_htaccess($rules) { $rules .= "\n# your subdomains like \"sub.domain.com\""; $rules .= "\n"; $rules .= "\n"; - $rules .= "\n"; - $rules .= "\nHeader set Access-Control-Allow-Origin "*""; - $rules .= "\n"; + $rules .= "\n "; + $rules .= "\n Header set Access-Control-Allow-Origin "*""; + $rules .= "\n "; $rules .= "\n"; $rules .= "\n"; $rules .= "\n"; @@ -120,34 +120,76 @@ function roots_add_htaccess($rules) { $rules .= "\n"; $rules .= "\n# force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/"; $rules .= "\n"; - $rules .= "\n"; - $rules .= "\nSetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding"; - $rules .= "\nRequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding"; - $rules .= "\n"; + $rules .= "\n "; + $rules .= "\n SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding"; + $rules .= "\n RequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding"; + $rules .= "\n "; $rules .= "\n"; $rules .= "\n# html, txt, css, js, json, xml, htc:"; $rules .= "\n"; - $rules .= "\nFilterDeclare COMPRESS"; - $rules .= "\nFilterProvider COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/"; - $rules .= "\nFilterProvider COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/"; - $rules .= "\nFilterChain COMPRESS"; - $rules .= "\nFilterProtocol COMPRESS change=yes;byteranges=no"; + $rules .= "\n FilterDeclare COMPRESS"; + $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/"; + $rules .= "\n FilterProvider COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/"; + $rules .= "\n FilterChain COMPRESS"; + $rules .= "\n FilterProtocol COMPRESS change=yes;byteranges=no"; $rules .= "\n"; $rules .= "\n"; $rules .= "\n"; - $rules .= "\n# Legacy versions of Apache"; - $rules .= "\nAddOutputFilterByType DEFLATE text/html text/plain text/css application/json"; - $rules .= "\nAddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript "; - $rules .= "\nAddOutputFilterByType DEFLATE text/xml application/xml text/x-component"; + $rules .= "\n # Legacy versions of Apache"; + $rules .= "\n AddOutputFilterByType DEFLATE text/html text/plain text/css application/json"; + $rules .= "\n AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript "; + $rules .= "\n AddOutputFilterByType DEFLATE text/xml application/xml text/x-component"; $rules .= "\n"; $rules .= "\n"; $rules .= "\n# webfonts and svg:"; - $rules .= "\n"; - $rules .= "\nSetOutputFilter DEFLATE"; - $rules .= "\n"; + $rules .= "\n "; + $rules .= "\n SetOutputFilter DEFLATE"; + $rules .= "\n "; $rules .= "\n"; $rules .= "\n"; $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n# Stop screen flicker in IE on CSS rollovers"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n"; + $rules .= "\n# The following directives stop screen flicker in IE on CSS rollovers - in"; + $rules .= "\n# combination with the \"ExpiresByType\" rules for images (see above). If"; + $rules .= "\n# needed, un-comment the following rules."; + $rules .= "\n"; + $rules .= "\n# BrowserMatch \"MSIE\" brokenvary=1"; + $rules .= "\n# BrowserMatch \"Mozilla/4.[0-9]{2}\" brokenvary=1"; + $rules .= "\n# BrowserMatch \"Opera\" !brokenvary"; + $rules .= "\n# SetEnvIf brokenvary 1 force-no-vary"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n# Prevent SSL cert warnings"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n"; + $rules .= "\n# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent "; + $rules .= "\n# https://www.domain.com when your cert only allows https://secure.domain.com"; + $rules .= "\n# Uncomment the following lines to use this feature."; + $rules .= "\n"; + $rules .= "\n# "; + $rules .= "\n# RewriteCond %{SERVER_PORT} !^443"; + $rules .= "\n# RewriteRule (.*) https://example-domain-please-change-me.com/$1 [R=301,L]"; + $rules .= "\n# "; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n# Prevent 404 errors for non-existing redirected folders"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n"; + $rules .= "\n# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist "; + $rules .= "\n# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm"; + $rules .= "\n"; + $rules .= "\nOptions -MultiViews "; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n"; $rules .= "\n# ----------------------------------------------------------------------"; $rules .= "\n# UTF-8 encoding"; $rules .= "\n# ----------------------------------------------------------------------"; @@ -158,6 +200,54 @@ function roots_add_htaccess($rules) { $rules .= "\n# force utf-8 for a number of file formats"; $rules .= "\nAddCharset utf-8 .html .css .js .xml .json .rss"; $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n# A little more security"; + $rules .= "\n# ----------------------------------------------------------------------"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# Do we want to advertise the exact version number of Apache we're running?"; + $rules .= "\n# Probably not."; + $rules .= "\n## This can only be enabled if used in httpd.conf - It will not work in .htaccess"; + $rules .= "\n# ServerTokens Prod"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# \"-Indexes\" will have Apache block users from browsing folders without a default document"; + $rules .= "\n# Usually you should leave this activated, because you shouldn't allow everybody to surf through"; + $rules .= "\n# every folder on your server (which includes rather private places like CMS system folders)."; + $rules .= "\nOptions -Indexes"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# Block access to \"hidden\" directories whose names begin with a period. This"; + $rules .= "\n# includes directories used by version control systems such as Subversion or Git."; + $rules .= "\n"; + $rules .= "\n RewriteRule \"(^|/)\.\" - [F]"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# If your server is not already configured as such, the following directive"; + $rules .= "\n# should be uncommented in order to set PHP's register_globals option to OFF."; + $rules .= "\n# This closes a major security hole that is abused by most XSS (cross-site"; + $rules .= "\n# scripting) attacks. For more information: http://php.net/register_globals"; + $rules .= "\n#"; + $rules .= "\n# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :"; + $rules .= "\n#"; + $rules .= "\n# Your server does not allow PHP directives to be set via .htaccess. In that"; + $rules .= "\n# case you must make this change in your php.ini file instead. If you are"; + $rules .= "\n# using a commercial web host, contact the administrators for assistance in"; + $rules .= "\n# doing this. Not all servers allow local php.ini files, and they should"; + $rules .= "\n# include all PHP configurations (not just this one), or you will effectively"; + $rules .= "\n# reset everything to PHP defaults. Consult www.php.net for more detailed"; + $rules .= "\n# information about setting PHP directives."; + $rules .= "\n"; + $rules .= "\n# php_flag register_globals Off"; + $rules .= "\n"; + $rules .= "\n"; + $rules .= "\n# Increase cookie security"; + $rules .= "\n"; + $rules .= "\n php_value session.cookie_httponly true"; + $rules .= "\n"; return $rules; }