adding more from the html5 boilerplate .htaccess (remember to use wp-super-cache to control expires)

includes/roots-htaccess.php

@@ -33,16 +33,16 @@ function roots_add_htaccess($rules) {
 	$rules .= "\n# Use ChromeFrame if it's installed for a better experience for the poor IE folk";
 	$rules .= "\n";
 	$rules .= "\n<IfModule mod_setenvif.c>";
-  	$rules .= "\n<IfModule mod_headers.c>";
+	$rules .= "\n  <IfModule mod_headers.c>";
-    $rules .= "\nBrowserMatch MSIE ie";
+	$rules .= "\n    BrowserMatch MSIE ie";
-    $rules .= "\nHeader set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie";
+	$rules .= "\n    Header set X-UA-Compatible \"IE=Edge,chrome=1\" env=ie";
-  	$rules .= "\n</IfModule>";
+	$rules .= "\n  </IfModule>";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n";
 	$rules .= "\n<IfModule mod_headers.c>";
 	$rules .= "\n# Because X-UA-Compatible isn't sent to non-IE (to save header bytes),";
 	$rules .= "\n#   We need to inform proxies that content changes based on UA";
-  	$rules .= "\nHeader append Vary User-Agent";
+	$rules .= "\n  Header append Vary User-Agent";
 	$rules .= "\n# Cache control is set only if mod_headers is enabled, so that's unncessary to declare";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n";
@@ -70,9 +70,9 @@ function roots_add_htaccess($rules) {
 	$rules .= "\n#   your subdomains like \"sub.domain.com\"";
 	$rules .= "\n";
 	$rules .= "\n<FilesMatch \"\.(ttf|otf|eot|woff|font.css)$\">";
-  	$rules .= "\n<IfModule mod_headers.c>";
+	$rules .= "\n  <IfModule mod_headers.c>";
-    $rules .= "\nHeader set Access-Control-Allow-Origin "*"";
+	$rules .= "\n    Header set Access-Control-Allow-Origin "*"";
-  	$rules .= "\n</IfModule>";
+	$rules .= "\n  </IfModule>";
 	$rules .= "\n</FilesMatch>";
 	$rules .= "\n";
 	$rules .= "\n";
@@ -120,34 +120,76 @@ function roots_add_htaccess($rules) {
 	$rules .= "\n";
 	$rules .= "\n# force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/";
 	$rules .= "\n<IfModule mod_setenvif.c>";
-  	$rules .= "\n<IfModule mod_headers.c>";
+	$rules .= "\n  <IfModule mod_headers.c>";
-    $rules .= "\nSetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding";
+	$rules .= "\n    SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding";
-    $rules .= "\nRequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding";
+	$rules .= "\n    RequestHeader append Accept-Encoding \"gzip,deflate\" env=HAVE_Accept-Encoding";
-  	$rules .= "\n</IfModule>";
+	$rules .= "\n  </IfModule>";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n# html, txt, css, js, json, xml, htc:";
 	$rules .= "\n<IfModule filter_module>";
-  	$rules .= "\nFilterDeclare   COMPRESS";
+	$rules .= "\n  FilterDeclare   COMPRESS";
-  	$rules .= "\nFilterProvider  COMPRESS  DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/";
+	$rules .= "\n  FilterProvider  COMPRESS  DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/";
-  	$rules .= "\nFilterProvider  COMPRESS  DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/";
+	$rules .= "\n  FilterProvider  COMPRESS  DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/";
-  	$rules .= "\nFilterChain     COMPRESS";
+	$rules .= "\n  FilterChain     COMPRESS";
-  	$rules .= "\nFilterProtocol  COMPRESS  change=yes;byteranges=no";
+	$rules .= "\n  FilterProtocol  COMPRESS  change=yes;byteranges=no";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n";
 	$rules .= "\n<IfModule !mod_filter.c>";
-  	$rules .= "\n# Legacy versions of Apache";
+	$rules .= "\n  # Legacy versions of Apache";
-  	$rules .= "\nAddOutputFilterByType DEFLATE text/html text/plain text/css application/json";
+	$rules .= "\n  AddOutputFilterByType DEFLATE text/html text/plain text/css application/json";
-  	$rules .= "\nAddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript ";
+	$rules .= "\n  AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript ";
-  	$rules .= "\nAddOutputFilterByType DEFLATE text/xml application/xml text/x-component";
+	$rules .= "\n  AddOutputFilterByType DEFLATE text/xml application/xml text/x-component";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n";
 	$rules .= "\n# webfonts and svg:";
-  	$rules .= "\n<FilesMatch \"\.(ttf|otf|eot|svg)$\" >";
+	$rules .= "\n  <FilesMatch \"\.(ttf|otf|eot|svg)$\" >";
-    $rules .= "\nSetOutputFilter DEFLATE";
+	$rules .= "\n    SetOutputFilter DEFLATE";
-  	$rules .= "\n</FilesMatch>";
+	$rules .= "\n  </FilesMatch>";
 	$rules .= "\n</IfModule>";
 	$rules .= "\n";
 	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n# Stop screen flicker in IE on CSS rollovers";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n";
+	$rules .= "\n# The following directives stop screen flicker in IE on CSS rollovers - in";
+	$rules .= "\n# combination with the \"ExpiresByType\" rules for images (see above). If";
+	$rules .= "\n# needed, un-comment the following rules.";
+	$rules .= "\n";
+	$rules .= "\n# BrowserMatch \"MSIE\" brokenvary=1";
+	$rules .= "\n# BrowserMatch \"Mozilla/4.[0-9]{2}\" brokenvary=1";
+	$rules .= "\n# BrowserMatch \"Opera\" !brokenvary";
+	$rules .= "\n# SetEnvIf brokenvary 1 force-no-vary";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n# Prevent SSL cert warnings";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n";
+	$rules .= "\n# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent ";
+	$rules .= "\n# https://www.domain.com when your cert only allows https://secure.domain.com";
+	$rules .= "\n# Uncomment the following lines to use this feature.";
+	$rules .= "\n";
+	$rules .= "\n# <IfModule mod_rewrite.c>";
+	$rules .= "\n#   RewriteCond %{SERVER_PORT} !^443";
+	$rules .= "\n#   RewriteRule (.*) https://example-domain-please-change-me.com/$1 [R=301,L]";
+	$rules .= "\n# </IfModule>";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n# Prevent 404 errors for non-existing redirected folders";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n";
+	$rules .= "\n# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist ";
+	$rules .= "\n#   e.g. /blog/hello : webmasterworld.com/apache/3808792.htm";
+	$rules .= "\n";
+	$rules .= "\nOptions -MultiViews ";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n";
 	$rules .= "\n# ----------------------------------------------------------------------";
 	$rules .= "\n# UTF-8 encoding";
 	$rules .= "\n# ----------------------------------------------------------------------";
@@ -158,6 +200,54 @@ function roots_add_htaccess($rules) {
 	$rules .= "\n# force utf-8 for a number of file formats";
 	$rules .= "\nAddCharset utf-8 .html .css .js .xml .json .rss";
 	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n# A little more security";
+	$rules .= "\n# ----------------------------------------------------------------------";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# Do we want to advertise the exact version number of Apache we're running?";
+	$rules .= "\n# Probably not.";
+	$rules .= "\n## This can only be enabled if used in httpd.conf - It will not work in .htaccess";
+	$rules .= "\n# ServerTokens Prod";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# \"-Indexes\" will have Apache block users from browsing folders without a default document";
+	$rules .= "\n# Usually you should leave this activated, because you shouldn't allow everybody to surf through";
+	$rules .= "\n# every folder on your server (which includes rather private places like CMS system folders).";
+	$rules .= "\nOptions -Indexes";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# Block access to \"hidden\" directories whose names begin with a period. This";
+	$rules .= "\n# includes directories used by version control systems such as Subversion or Git.";
+	$rules .= "\n<IfModule mod_rewrite.c>";
+	$rules .= "\n  RewriteRule \"(^|/)\.\" - [F]";
+	$rules .= "\n</IfModule>";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# If your server is not already configured as such, the following directive";
+	$rules .= "\n# should be uncommented in order to set PHP's register_globals option to OFF.";
+	$rules .= "\n# This closes a major security hole that is abused by most XSS (cross-site";
+	$rules .= "\n# scripting) attacks. For more information: http://php.net/register_globals";
+	$rules .= "\n#";
+	$rules .= "\n# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :";
+	$rules .= "\n#";
+	$rules .= "\n# Your server does not allow PHP directives to be set via .htaccess. In that";
+	$rules .= "\n# case you must make this change in your php.ini file instead. If you are";
+	$rules .= "\n# using a commercial web host, contact the administrators for assistance in";
+	$rules .= "\n# doing this. Not all servers allow local php.ini files, and they should";
+	$rules .= "\n# include all PHP configurations (not just this one), or you will effectively";
+	$rules .= "\n# reset everything to PHP defaults. Consult www.php.net for more detailed";
+	$rules .= "\n# information about setting PHP directives.";
+	$rules .= "\n";
+	$rules .= "\n# php_flag register_globals Off";
+	$rules .= "\n";
+	$rules .= "\n";
+	$rules .= "\n# Increase cookie security";
+	$rules .= "\n<IfModule php5_module>";
+	$rules .= "\n  php_value session.cookie_httponly true";
+	$rules .= "\n</IfModule>";
 	
 	return $rules;
 }