diff --git a/_src/.htaccess b/_src/.htaccess
index f2d2fbe5..bf544226 100644
--- a/_src/.htaccess
+++ b/_src/.htaccess
@@ -1,19 +1,21 @@
# BEGIN HTML5 Boilerplate
-# Apache Server Configs v2.8.0 | MIT License
+# Apache Server Configs v2.9.0 | MIT License
# https://github.com/h5bp/server-configs-apache
-# (!) Using `.htaccess` files slows down Apache, therefore, if you have access
-# to the main server config file (usually called `httpd.conf`), you should add
-# this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
+# (!) Using `.htaccess` files slows down Apache, therefore, if you have
+# access to the main server configuration file (which is usually called
+# `httpd.conf`), you should add this logic there.
+#
+# https://httpd.apache.org/docs/current/howto/htaccess.html.
-# ##############################################################################
-# # CROSS-ORIGIN RESOURCE SHARING (CORS) #
-# ##############################################################################
+# ######################################################################
+# # CROSS-ORIGIN #
+# ######################################################################
-# ------------------------------------------------------------------------------
-# | Cross-origin requests |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Cross-origin requests |
+# ----------------------------------------------------------------------
# Allow cross-origin requests.
@@ -25,41 +27,15 @@
# Header set Access-Control-Allow-Origin "*"
#
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# By default allow cross-origin access to web fonts.
-
-
-
- Header set Access-Control-Allow-Origin "*"
-
-
-
-# ------------------------------------------------------------------------------
-# | Cross-origin resource timing |
-# ------------------------------------------------------------------------------
-
-# Allow cross-origin access to the timing information for all resources.
-
-# If a resource isn't served with a `Timing-Allow-Origin` header that would
-# allow its timing information to be shared with the current document, some of
-# the attributes of the `PerformanceResourceTiming` object will be set to zero.
-
-# http://www.w3.org/TR/resource-timing/
-
-#
-# Header set Timing-Allow-Origin: "*"
-#
-
-# ------------------------------------------------------------------------------
-# | CORS-enabled images |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Cross-origin images |
+# ----------------------------------------------------------------------
# Send the CORS header for images when browsers request it.
# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
-# http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
-# http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
+# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
+# https://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
@@ -70,59 +46,99 @@
+# ----------------------------------------------------------------------
+# | Cross-origin web fonts |
+# ----------------------------------------------------------------------
-# ##############################################################################
-# # ERRORS #
-# ##############################################################################
+# Allow cross-origin access to web fonts.
-# ------------------------------------------------------------------------------
-# | 404 error prevention |
-# ------------------------------------------------------------------------------
+
+
+ Header set Access-Control-Allow-Origin "*"
+
+
+
+# ----------------------------------------------------------------------
+# | Cross-origin resource timing |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to the timing information for all resources.
+
+# If a resource isn't served with a `Timing-Allow-Origin` header that
+# would allow its timing information to be shared with the document,
+# some of the attributes of the `PerformanceResourceTiming` object will
+# be set to zero.
+
+# http://www.w3.org/TR/resource-timing/
+
+#
+# Header set Timing-Allow-Origin: "*"
+#
+
+
+# ######################################################################
+# # ERRORS #
+# ######################################################################
+
+# ----------------------------------------------------------------------
+# | Custom error messages/pages |
+# ----------------------------------------------------------------------
+
+# Customize what Apache returns to the client in case of an error.
+# https://httpd.apache.org/docs/current/mod/core.html#errordocument
+
+ErrorDocument 404 /404/
+
+# ----------------------------------------------------------------------
+# | Error prevention |
+# ----------------------------------------------------------------------
# Disable the pattern matching based on filenames.
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
-# http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
-# http://www.webmasterworld.com/apache/3808792.htm
+# https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
Options -MultiViews
-# ------------------------------------------------------------------------------
-# | Custom error messages / pages |
-# ------------------------------------------------------------------------------
-# Customize what Apache returns to the client in case of an error.
-# http://httpd.apache.org/docs/current/mod/core.html#errordocument
+# ######################################################################
+# # INTERNET EXPLORER #
+# ######################################################################
-ErrorDocument 404 /404/
+# ----------------------------------------------------------------------
+# | Document modes |
+# ----------------------------------------------------------------------
-
-# ##############################################################################
-# # INTERNET EXPLORER #
-# ##############################################################################
-
-# ------------------------------------------------------------------------------
-# | Better website experience |
-# ------------------------------------------------------------------------------
-
-# Force Internet Explorer to render pages in the highest available
-# mode in the various cases when it may not.
+# Force Internet Explorer 8/9/10 to render pages in the highest mode
+# available in the various cases when it may not.
+#
# https://hsivonen.fi/doctype/#ie8
+#
+# (!) Starting with Internet Explorer 11, document modes are deprecated
+# and should no longer be used.
+#
+# http://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx
+
Header set X-UA-Compatible "IE=edge"
- # `mod_headers` cannot match based on the content-type, however, this header
- # should be send only for HTML documents and not for the other resources
+
+ # `mod_headers` cannot match based on the content-type, however,
+ # the `X-UA-Compatible` response header should be send only for
+ # HTML documents and not for the other resources.
+
Header unset X-UA-Compatible
+
-# ------------------------------------------------------------------------------
-# | Cookie setting from iframes |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Iframes cookies |
+# ----------------------------------------------------------------------
# Allow cookies to be set from iframes in Internet Explorer.
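Review bot: The wildcard `Header set Access-Control-Allow-Origin "*"` moved into the new "Cross-origin web fonts" block arrives on this page surrounded only by blank lines, and the angle-bracket directives elsewhere in the file have been stripped by the rendering (the manifest comment now reads `directive such as ``, but it will NOT work`), so I cannot confirm from the hunk that it is still wrapped in the `<IfModule mod_headers.c>`/`<FilesMatch>` container that restricts it to font extensions. Please verify that container survived the move, because an unscoped wildcard applies the permissive CORS header to every response the file serves. Separately, the new comment `the \`X-UA-Compatible\` response header should be send only for` should read `should be sent only for`; the same wording recurs in the added `X-Frame-Options` and `Content-Security-Policy` comments in the SECURITY hunk.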
@@ -134,16 +150,16 @@ ErrorDocument 404 /404/
#
-# ##############################################################################
-# # MEDIA TYPES AND CHARACTER ENCODINGS #
-# ##############################################################################
+# ######################################################################
+# # MEDIA TYPES AND CHARACTER ENCODINGS #
+# ######################################################################
-# ------------------------------------------------------------------------------
-# | Media types |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Media types |
+# ----------------------------------------------------------------------
-# Serve resources with the proper media types (formerly known as MIME types).
-# http://www.iana.org/assignments/media-types/media-types.xhtml
+# Serve resources with the proper media types (f.k.a. MIME types).
+# https://www.iana.org/assignments/media-types/media-types.xhtml
@@ -158,22 +174,25 @@ ErrorDocument 404 /404/
# JavaScript
# Normalize to standard type.
- # http://tools.ietf.org/html/rfc4329#section-7.2
+ # https://tools.ietf.org/html/rfc4329#section-7.2
AddType application/javascript js
# Manifest files
- # If you are providing a web application manifest file (see the
- # specification: http://w3c.github.io/manifest/), it is recommended
- # that you serve it with the `application/manifest+json` media type.
+ # If you are providing a web application manifest file (see
+ # the specification: https://w3c.github.io/manifest/), it is
+ # recommended that you serve it with the `application/manifest+json`
+ # media type.
#
- # Because the web application manifest file doesn't have its own
- # unique file extension, you can set its media type either by matching:
+ # Because the web application manifest file doesn't have its
+ # own unique file extension, you can set its media type either
+ # by matching:
#
- # 1) the exact location of the file (this can be done using a directive
- # such as ``, but it will NOT work in the `.htaccess` file,
- # so you will have to do it in the main server configuration file or
- # inside of a `` container)
+ # 1) the exact location of the file (this can be done using a
+ # directive such as ``, but it will NOT work in
+ # the `.htaccess` file, so you will have to do it in the main
+ # server configuration file or inside of a ``
+ # container)
#
# e.g.:
#
@@ -181,9 +200,9 @@ ErrorDocument 404 /404/
# AddType application/manifest+json json
#
#
- # 2) the filename (this can be problematic as you will need to ensure
- # that you don't have any other file with the same name as the one
- # you gave to your web application manifest file)
+ # 2) the filename (this can be problematic as you will need to
+ # ensure that you don't have any other file with the same name
+ # as the one you gave to your web application manifest file)
#
# e.g.:
#
@@ -207,7 +226,7 @@ ErrorDocument 404 /404/
# Browsers usually ignore the font media types and simply sniff
# the bytes to figure out the font type.
- # http://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
# Chrome however, shows a warning if any other media types are used
# for the following two font types.
@@ -231,9 +250,9 @@ ErrorDocument 404 /404/
-# ------------------------------------------------------------------------------
-# | Character encodings |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Character encodings |
+# ----------------------------------------------------------------------
# Set `UTF-8` as the character encoding for all resources served with
# the media type of `text/html` or `text/plain`.
@@ -256,32 +275,35 @@ AddDefaultCharset utf-8
-# ##############################################################################
-# # URL REWRITES #
-# ##############################################################################
+# ######################################################################
+# # REWRITES #
+# ######################################################################
-# ------------------------------------------------------------------------------
-# | Rewrite engine |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Rewrite engine |
+# ----------------------------------------------------------------------
-# (1) Turn on the rewrite engine
-# (this is necessary in order for the `RewriteRule` directives to work).
-# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
+# (1) Turn on the rewrite engine (this is necessary in order for
+# the `RewriteRule` directives to work).
+# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
#
# (2) Enable the `FollowSymLinks` option if it isn't already.
-# http://httpd.apache.org/docs/current/mod/core.html#options
+# https://httpd.apache.org/docs/current/mod/core.html#options
#
-# (3) If your web host doesn't allow the `FollowSymlinks` option, you may
-# need to comment it out and use `Options +SymLinksIfOwnerMatch`, but
-# be aware of the performance impact.
-# http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
+# (3) If your web host doesn't allow the `FollowSymlinks` option,
+# you may need to either comment it out or remove it, and
+# uncomment the `Options +SymLinksIfOwnerMatch` line, but be
+# aware of the performance impact.
+# https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
#
-# (4) Some cloud hosting services will also require `RewriteBase` to be set.
+# (4) Some cloud hosting services will also require that you set
+# the `RewriteBase`.
# http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
#
-# (5) Depending on how your server is set up, you may need to use the
-# `RewriteOptions` directive to enable some options for the rewrite engine.
-# http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
+# (5) Depending on how your server is set up, you may also need to
+# use the `RewriteOptions` directive to enable some options for
+# the rewrite engine.
+# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
@@ -295,41 +317,56 @@ AddDefaultCharset utf-8
# Options +SymLinksIfOwnerMatch
# (4)
- RewriteBase /
+ # RewriteBase /
# (5)
# RewriteOptions
-# ------------------------------------------------------------------------------
-# | Suppressing / Forcing the `www.` at the beginning of URLs |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Forcing `https://` |
+# ----------------------------------------------------------------------
-# The same content should never be available under two different URLs,
-# especially not with and without `www.` at the beginning. This can cause
-# SEO problems (duplicate content), and therefore, you should choose one
-# of the alternatives and redirect the other one.
+# Redirect from the `http://` to the `https://` version of the URL.
+# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
+
+#
+# RewriteEngine On
+# RewriteCond %{HTTPS} !=on
+# RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
+#
+
+# ----------------------------------------------------------------------
+# | Suppressing / Forcing the `www.` at the beginning of URLs |
+# ----------------------------------------------------------------------
+
+# The same content should never be available under two different
+# URLs, especially not with and without `www.` at the beginning.
+# This can cause SEO problems (duplicate content), and therefore,
+# you should choose one of the alternatives and redirect the other
+# one.
# By default `Option 1` (no `www.`) is activated.
# http://no-www.org/faq.php?q=class_b
-# If you would prefer to use `Option 2`, just comment out all the lines
-# from `Option 1` and uncomment the ones from `Option 2`.
+# If you would prefer to use `Option 2`, just comment out all the
+# lines from `Option 1` and uncomment the ones from `Option 2`.
-# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
+# (!) NEVER USE BOTH RULES AT THE SAME TIME!
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Option 1: rewrite www.example.com → example.com
#
+# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
#
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Option 2: rewrite example.com → www.example.com
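Review bot: The new "Forcing `https://`" example, placed ahead of the `www.` rules, does not compose with them as written: both `www.` options are still gated on `RewriteCond %{HTTPS} !=on`, so once the https redirect fires with `[L]` the request comes back over HTTPS and the canonical-host redirect never runs, leaving `https://www.example.com` un-normalised. If the sections are meant to be combinable, the `www.` examples should drop the `%{HTTPS} !=on` condition and redirect to `https://%1%{REQUEST_URI}` (or the https example should fold in the host rewrite), and the comment should say which section must come first. Also, `RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]` builds the redirect target from the request's Host header; on a vhost that accepts arbitrary Host values this redirects to whatever host the client sent, so a fixed canonical hostname is the safer target. The Option 2 rules continue outside the hunk.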
@@ -337,6 +374,7 @@ AddDefaultCharset utf-8
# subdomains for certain parts of your website.
#
+# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
@@ -345,123 +383,145 @@ AddDefaultCharset utf-8
#
-# ##############################################################################
-# # SECURITY #
-# ##############################################################################
+# ######################################################################
+# # SECURITY #
+# ######################################################################
-# ------------------------------------------------------------------------------
-# | Clickjacking |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Clickjacking |
+# ----------------------------------------------------------------------
# Protect website against clickjacking.
-# The example below sends the `X-Frame-Options` response header with the value
-# `DENY`, informing browsers not to display the web page content in any frame.
+# The example below sends the `X-Frame-Options` response header with the
+# value `DENY` informing browsers not to display the web page content in
+# any frame.
-# This might not be the best setting for everyone. You should read about the
-# other two possible values for `X-Frame-Options`: `SAMEORIGIN` & `ALLOW-FROM`.
-# http://tools.ietf.org/html/rfc7034#section-2.1
+# This might not be the best setting for everyone. You should read about
+# the other two possible values for `X-Frame-Options`: `SAMEORIGIN` and
+# `ALLOW-FROM`.
+# https://tools.ietf.org/html/rfc7034#section-2.1
-# Keep in mind that while you could send the `X-Frame-Options` header for all
-# of your site’s pages, this has the potential downside that it forbids even
-# non-malicious framing of your content (e.g.: when users visit your site using
-# a Google Image Search results page).
+# Keep in mind that while you could send the `X-Frame-Options` header
+# for all of your site’s pages, this has the potential downside that it
+# forbids even non-malicious framing of your content (e.g.: when users
+# visit your site using a Google Image Search results page).
-# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
-# all pages that allow a user to make a state changing operation (e.g: pages
-# that contain one-click purchase links, checkout or bank-transfer confirmation
-# pages, pages that make permanent configuration changes, etc.).
+# Nonetheless, you should ensure that you send the `X-Frame-Options`
+# header for all pages that allow a user to make a state changing
+# operation (e.g: pages that contain one-click purchase links, checkout
+# or bank-transfer confirmation pages, pages that make permanent
+# configuration changes, etc.).
-# Sending the `X-Frame-Options` header can also protect your website against
-# more than just clickjacking attacks: https://cure53.de/xfo-clickjacking.pdf.
+# Sending the `X-Frame-Options` header can also protect your website
+# against more than just clickjacking attacks:
+# https://cure53.de/xfo-clickjacking.pdf.
-# http://tools.ietf.org/html/rfc7034
+# https://tools.ietf.org/html/rfc7034
# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
# https://www.owasp.org/index.php/Clickjacking
#
+
# Header set X-Frame-Options "DENY"
+
+# # `mod_headers` cannot match based on the content-type, however,
+# # the `X-Frame-Options` response header should be send only for
+# # HTML documents and not for the other resources.
+
#
# Header unset X-Frame-Options
#
+
#
-# ------------------------------------------------------------------------------
-# | Content Security Policy (CSP) |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Content Security Policy (CSP) |
+# ----------------------------------------------------------------------
-# Mitigate the risk of cross-site scripting and other content-injection attacks.
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
-# This can be done by setting a `Content Security Policy` which whitelists
-# trusted sources of content for your website.
+# This can be done by setting a `Content Security Policy` which
+# whitelists trusted sources of content for your website.
-# The example header below allows ONLY scripts that are loaded from the current
-# site's origin (no inline scripts, no CDN, etc). This almost certainly won't
-# work as-is for your site!
+# The example header below allows ONLY scripts that are loaded from the
+# current site's origin (no inline scripts, no CDN, etc). This almost
+# certainly won't work as-is for your site!
-# For more details on how to craft a reasonable policy for your site, read:
-# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ (or
-# the specification: http://www.w3.org/TR/CSP11/). Also, to make things easier,
-# you can use an online CSP header generator such as: http://cspisawesome.com/.
+# For more details on how to craft a reasonable policy for your site,
+# read: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# (or the specification: http://www.w3.org/TR/CSP11/). Also, to make
+# things easier, you can use an online CSP header generator such as:
+# http://cspisawesome.com/.
#
+
# Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
+
+# # `mod_headers` cannot match based on the content-type, however,
+# # the `Content-Security-Policy` response header should be send
+# # only for HTML documents and not for the other resources.
+
#
# Header unset Content-Security-Policy
#
+
#
-# ------------------------------------------------------------------------------
-# | File access |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | File access |
+# ----------------------------------------------------------------------
# Block access to directories without a default document.
-# You should leave the following uncommented, as you shouldn't allow anyone to
-# surf through every directory on your server (which may includes rather private
-# places such as the CMS's directories).
+# You should leave the following uncommented, as you shouldn't allow
+# anyone to surf through every directory on your server (which may
+# includes rather private places such as the CMS's directories).
Options -Indexes
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Block access to all hidden files and directories with the exception of the
-# visible content from within the `/.well-known/` hidden directory.
+# Block access to all hidden files and directories with the exception of
+# the visible content from within the `/.well-known/` hidden directory.
-# These types of files usually contain user preferences or the preserved state
-# of an utility, and can include rather private places like, for example, the
-# `.git` or `.svn` directories.
+# These types of files usually contain user preferences or the preserved
+# state of an utility, and can include rather private places like, for
+# example, the `.git` or `.svn` directories.
-# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
-# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
-# `/.well-known/keybase.txt`), and therefore, access to its visible content
-# should not be blocked.
+# The `/.well-known/` directory represents the standard (RFC 5785) path
+# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible
+# content should not be blocked.
# https://www.mnot.net/blog/2010/04/07/well-known
-# http://tools.ietf.org/html/rfc5785
+# https://tools.ietf.org/html/rfc5785
+ RewriteEngine On
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to files that can expose sensitive information.
-# By default, block access to backup and source files that may be left by some
-# text editors and can pose a security risk when anyone has access to them.
+# By default, block access to backup and source files that may be
+# left by some text editors and can pose a security risk when anyone
+# has access to them.
# http://feross.org/cmsploit/
-# IMPORTANT: Update the `` regular expression from below to include
-# any files that might end up on your production server and can expose sensitive
-# information about your website. These files may include: configuration files,
-# files that contain metadata about the project (e.g.: project dependencies),
-# build scripts, etc..
+# (!) Update the `` regular expression from below to
+# include any files that might end up on your production server and
+# can expose sensitive information about your website. These files may
+# include: configuration files, files that contain metadata about the
+# project (e.g.: project dependencies), build scripts, etc..
@@ -479,99 +539,25 @@ AddDefaultCharset utf-8
-# ------------------------------------------------------------------------------
-# | Reducing MIME type security risks |
-# ------------------------------------------------------------------------------
-
-# Prevent some browsers from MIME-sniffing the response.
-
-# This reduces exposure to drive-by download attacks and cross-origin data
-# leaks, and should be left uncommented, especially if the web server is
-# serving user-uploaded content or content that could potentially be treated
-# as executable by the browser.
-
-# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
-# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-# http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
-# http://mimesniff.spec.whatwg.org/
-
-
- Header set X-Content-Type-Options "nosniff"
-
-
-# ------------------------------------------------------------------------------
-# | Reflected Cross-Site Scripting (XSS) attacks |
-# ------------------------------------------------------------------------------
-
-# (1) Try to re-enable the Cross-Site Scripting (XSS) filter built into the
-# most recent web browsers.
-#
-# The filter is usually enabled by default, but in some cases it may be
-# disabled by the user. However, in Internet Explorer for example, it can
-# be re-enabled just by sending the `X-XSS-Protection` header with the
-# value of `1`.
-#
-# (2) Prevent web browsers from rendering the web page if a potential reflected
-# (a.k.a non-persistent) XSS attack is detected by the filter.
-#
-# By default, if the filter is enabled and browsers detect a reflected
-# XSS attack, they will attempt to block the attack by making the smallest
-# possible modifications to the returned web page.
-#
-# Unfortunately, in some browsers (e.g.: Internet Explorer), this default
-# behavior may allow the XSS filter to be exploited, thereby, it's better
-# to tell browsers to prevent the rendering of the page altogether, instead
-# of attempting to modify it.
-#
-# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
-#
-# IMPORTANT: Do not rely on the XSS filter to prevent XSS attacks! Ensure that
-# you are taking all possible measures to prevent XSS attacks, the most obvious
-# being: validating and sanitizing your site's inputs.
-#
-# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
-# http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
-# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
-
-#
-# # (1) (2)
-# Header set X-XSS-Protection "1; mode=block"
-#
-# Header unset X-XSS-Protection
-#
-#
-
-# ------------------------------------------------------------------------------
-# | Secure Sockets Layer (SSL) |
-# ------------------------------------------------------------------------------
-
-# Rewrite secure requests properly in order to prevent SSL certificate warnings.
-# E.g.: prevent `https://www.example.com` when your certificate only allows
-# `https://secure.example.com`.
-
-#
-# RewriteCond %{HTTPS} !=on
-# RewriteRule ^(.*)$ https://kremalicious.com/$1 [R=301,L]
-#
-
-# ------------------------------------------------------------------------------
-# | HTTP Strict Transport Security (HSTS) |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS) |
+# ----------------------------------------------------------------------
# Force client-side SSL redirection.
-# If a user types `example.com` in his browser, the above rule will redirect
-# him to the secure version of the site. That still leaves a window of
-# opportunity (the initial HTTP connection) for an attacker to downgrade or
-# redirect the request.
+# If a user types `example.com` in their browser, even if the server
+# redirects them to the secure version of the site. That still leaves
+# a window of opportunity (the initial HTTP connection) for an attacker
+# to downgrade or redirect the request.
-# The following header ensures that browser will ONLY connect to your server
-# via HTTPS, regardless of what the users type in the address bar.
+# The following header ensures that browser will ONLY connect to your
+# server via HTTPS, regardless of what the users type in the address
+# bar.
-# IMPORTANT: Remove the `includeSubDomains` optional directive if the subdomains
-# are not using HTTPS.
+# (!) Remove the `includeSubDomains` optional directive if the site's
+# subdomains are not using HTTPS.
-# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
+# https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx
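Review bot: The rewritten HSTS explanation at `If a user types \`example.com\` in their browser, even if the server` / `redirects them to the secure version of the site. That still leaves` is now a sentence fragment — the `even if` clause has no main clause, because the reference to "the above rule" was dropped together with the deleted SSL section. Suggested wording: `Even if the server redirects a user who types \`example.com\` into their browser to the secure version of the site, that still leaves a window of opportunity (the initial HTTP connection) for an attacker to downgrade or redirect the request.` The MIME-sniffing and XSS-filter sections deleted in this hunk are re-added in the following one, so no directive is lost.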
@@ -579,26 +565,99 @@ AddDefaultCharset utf-8
# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
#
-# ------------------------------------------------------------------------------
-# | Server software information |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Reducing MIME type security risks |
+# ----------------------------------------------------------------------
-# Avoid displaying the exact Apache version number, the description of the
-# generic OS-type and the information about Apache's compiled-in modules.
+# Prevent some browsers from MIME-sniffing the response.
-# IMPORTANT: The `ServerTokens` directive will not work in the `.htaccess` file,
-# so you will need to add the following in the main server configuration file.
+# This reduces exposure to drive-by download attacks and cross-origin
+# data leaks, and should be left uncommented, especially if the web
+# server is serving user-uploaded content or content that could
+# potentially be treated as executable by the browser.
+
+# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
+# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
+# http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
+# https://mimesniff.spec.whatwg.org/
+
+
+ Header set X-Content-Type-Options "nosniff"
+
+
+# ----------------------------------------------------------------------
+# | Reflected Cross-Site Scripting (XSS) attacks |
+# ----------------------------------------------------------------------
+
+# (1) Try to re-enable the cross-site ccripting (XSS) filter built
+# into the most web browsers.
+#
+# The filter is usually enabled by default, but in some cases it
+# may be disabled by the user. However, in Internet Explorer for
+# example, it can be re-enabled just by sending the
+# `X-XSS-Protection` header with the value of `1`.
+#
+# (2) Prevent web browsers from rendering the web page if a potential
+# reflected (a.k.a non-persistent) XSS attack is detected by the
+# filter.
+#
+# By default, if the filter is enabled and browsers detect a
+# reflected XSS attack, they will attempt to block the attack
+# by making the smallest possible modifications to the returned
+# web page.
+#
+# Unfortunately, in some browsers (e.g.: Internet Explorer),
+# this default behavior may allow the XSS filter to be exploited,
+# thereby, it's better to tell browsers to prevent the rendering
+# of the page altogether, instead of attempting to modify it.
+#
+# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
+#
+# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
+# you are taking all possible measures to prevent XSS attacks, the
+# most obvious being: validating and sanitizing your site's inputs.
+#
+# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
+# http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
+# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
+
+#
+
+# # (1) (2)
+# Header set X-XSS-Protection "1; mode=block"
+
+# # `mod_headers` cannot match based on the content-type, however,
+# # the `X-XSS-Protection` response header should be send only for
+# # HTML documents and not for the other resources.
+
+#
+# Header unset X-XSS-Protection
+#
+
+#
+
+# ----------------------------------------------------------------------
+# | Server software information |
+# ----------------------------------------------------------------------
+
+# Avoid displaying the exact Apache version number, the description
+# of the generic OS-type and the information about Apache's compiled-in
+# modules.
+
+# (!) The `ServerTokens` directive will only work in the main server
+# configuration file, so don't try to enable it in the `.htaccess` file!
+# https://httpd.apache.org/docs/current/mod/core.html#servertokens
# ServerTokens Prod
-# ##############################################################################
-# # WEB PERFORMANCE #
-# ##############################################################################
+# ######################################################################
+# # WEB PERFORMANCE #
+# ######################################################################
-# ------------------------------------------------------------------------------
-# | Compression |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Compression |
+# ----------------------------------------------------------------------
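Review bot: The comment at L724–L726 frames this section as hiding the Apache version and module information, but `ServerTokens Prod` only governs the wording of the `Server` header and of the signature footer; the footer itself (on error pages and directory listings, when `ServerSignature On` is set, as several distribution default configs do) still advertises Apache and the host. Since `ServerSignature`, unlike `ServerTokens`, is permitted in `.htaccess`, consider adding `ServerSignature Off` here with a short comment such as `# Suppress the server footer on error pages and directory listings.` Two typos also entered with the new text: `ccripting` (L673) should read `scripting`, and `should be send only` (L711) should read `should be sent only`.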
@@ -612,30 +671,31 @@ AddDefaultCharset utf-8
- # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- # Map certain file types to the specified encoding type in order to
- # make Apache serve them with the appropriate `Content-Encoding` HTTP
+ # Map certain file types to the specified encoding type in order
+ # to make Apache serve them with the appropriate `Content-Encoding`
# response header (this will NOT make Apache compress them!).
- # If the following file types wouldn't be served without the appropriate
- # `Content-Enable` HTTP response header, client applications (e.g.:
- # browsers) wouldn't know that they first need to uncompress the response,
- # and thus, wouldn't be able to understand the content.
+ # If the following file types wouldn't be served without the
+ # appropriate `Content-Enable` response header, client applications
+ # (e.g.: browsers) wouldn't know that they first need to uncompress
+ # the response, and thus, wouldn't be able to understand the content.
- # http://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
+ # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
AddEncoding gzip svgz
- # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Compress all output labeled with one of the following media types.
- # IMPORTANT: For Apache versions below 2.3.7 you don't need to enable
- # `mod_filter` and can remove the `` & ``
- # lines as `AddOutputFilterByType` is still in the core directives.
+ # (!) For Apache versions below 2.3.7 you don't need to enable
+ # `mod_filter` and can remove the `` and
+ # `` lines as `AddOutputFilterByType` is still in
+ # the core directives.
AddOutputFilterByType DEFLATE "application/atom+xml" \
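Review bot: The rewrapped comment at L756–L757 still refers to a non-existent `Content-Enable` response header; the `AddEncoding` directive it describes sets `Content-Encoding`, so the line should read `# appropriate \`Content-Encoding\` response header, client applications`. The slip is also present in the removed text, so the commit carried it over rather than introduced it. The backtick pairs at L770–L771 appear empty in this rendering, presumably the `<IfModule mod_filter.c>` tags stripped as markup; worth confirming they are intact in the committed file.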
@@ -667,20 +727,20 @@ AddDefaultCharset utf-8
-# ------------------------------------------------------------------------------
-# | Content transformation |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Content transformation |
+# ----------------------------------------------------------------------
# Prevent mobile network providers from modifying the website's content.
-# http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
+# https://tools.ietf.org/html/rfc2616#section-14.9.5
#
# Header merge Cache-Control "no-transform"
#
-# ------------------------------------------------------------------------------
-# | ETags |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | ETags |
+# ----------------------------------------------------------------------
# Remove `ETags` as resources are sent with far-future expires headers.
# https://developer.yahoo.com/performance/rules.html#etags
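Review bot: The reference at L783 was moved to an HTTPS URL but still points at RFC 2616, which has been obsoleted; the `no-transform` response directive is now defined in RFC 7234, Section 5.2.2.4, so the link is better given as `# https://tools.ietf.org/html/rfc7234#section-5.2.2.4`. Using `Header merge` rather than `Header set` on the directive below is the right choice, as it adds the token without clobbering other `Cache-Control` values a handler may have emitted; a one-line comment saying so would help readers who later see both forms in this file.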
@@ -692,14 +752,15 @@ AddDefaultCharset utf-8
FileETag None
-# ------------------------------------------------------------------------------
-# | Expires headers |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | Expires headers |
+# ----------------------------------------------------------------------
# Serve resources with far-future expires headers.
-# IMPORTANT: If you don't control versioning with filename-based cache
-# busting, consider lowering the cache times to something like one week.
+# (!) If you don't control versioning with filename-based cache busting,
+# you should consider lowering the cache times (e.g.: to something like
+# one week).
@@ -735,7 +796,7 @@ FileETag None
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
- # Media
+ # Media files
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
@@ -759,105 +820,56 @@ FileETag None
-# ------------------------------------------------------------------------------
-# | Filename-based cache busting |
-# ------------------------------------------------------------------------------
-
-# If you're not using a build process to manage your filename version revving,
-# you might want to consider enabling the following directives to route all
-# requests such as `/css/style.12345.css` to `/css/style.css`.
-
-# To understand why this is important and a better idea than `*.css?v231`, read:
-# http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
-
-#
-# RewriteCond %{REQUEST_FILENAME} !-f
-# RewriteRule ^(.+)\.(\d+)\.(css|cur|gif|ico|jpe?g|js|png|svgz?|webp)$ $1.$3 [L]
-#
-
-# ------------------------------------------------------------------------------
-# | File concatenation |
-# ------------------------------------------------------------------------------
+# ----------------------------------------------------------------------
+# | File concatenation |
+# ----------------------------------------------------------------------
# Allow concatenation from within specific files.
-
+#
# e.g.:
#
-# If you have the following lines in a file called, for example,
-# `main.combined.js`:
+# If you have the following lines in a file called, for
+# example, `main.combined.js`:
#
#
#
#
-# Apache will replace those lines with the content of the specified files.
+# Apache will replace those lines with the content of the
+# specified files.
#
-#
+
#
# Options +Includes
-# AddOutputFilterByType INCLUDES application/javascript text/javascript
+# AddOutputFilterByType INCLUDES application/javascript \
+# text/javascript
# SetOutputFilter INCLUDES
#
-#
+
#
# Options +Includes
# AddOutputFilterByType INCLUDES text/css
# SetOutputFilter INCLUDES
#
-#
+
#
+# ----------------------------------------------------------------------
+# | Filename-based cache busting |
+# ----------------------------------------------------------------------
-# ##############################################################################
-# # MOBILE SPECIFIC #
-# ##############################################################################
+# If you're not using a build process to manage your filename version
+# revving, you might want to consider enabling the following directives
+# to route all requests such as `/style.12345.css` to `/style.css`.
-# Proper MIME types
-
-
-
- # Blackberry
- # http://docs.blackberry.com/en/developers/deliverables/18169/
- AddType application/x-bb-appworld bbaw
- AddType text/vnd.rim.location.xloc xloc
-
- # Nokia
- # http://www.developer.nokia.com/Community/Wiki/Apache_configuration_for_mobile_application_download
- # http://wiki.forum.nokia.com/index.php/How_to_enable_OTA_(Over_The_Air)_SIS_install_from_your_website
- AddType application/octet-stream sisx
- AddType application/vnd.symbian.install sis
-
-
-
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# Prevent mobile transcoding
-
-#
-#
-# Header append Cache-Control "no-transform"
-# Header append Vary "User-Agent, Accept"
-#
-#
-
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# Mobile Redirection Script is used to detect if user is viewing the site from
-# mobile device. If the script detects the user is viewing from mobile phone,
-# they will be redirected to the mobile version of the site. One thing to note
-# is that if you want to allow the user on the mobile version of your site to
-# have the option to switch to desktop version, you may consider using other
-# methods like JavaScript or PHP at http://detectmobilebrowser.com/.
-#
-# To use the script, first, uncomment the lines below, and second, change
-# 'http://www.example.com/mobile' to the URL of your mobile site.
+# To understand why this is important and even a better idea than using
+# something like `*.css?v231`, please see:
+# http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
#
-# RewriteEngine On
-# RewriteBase /
-# RewriteCond %{HTTP_USER_AGENT} android|avantgo|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)\/|plucker|pocket|psp|symbian|treo|up\.(browser|link)|vodafone|wap|windows\ (ce|phone)|xda|xiino [NC,OR]
-#RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1\ u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp(\ i|ip)|hs\-c|ht(c(\-|\ |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac(\ |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |\/)|klon|kpt\ |kwc\-|kyo(c|k)|le(no|xi)|lg(\ g|\/(k|l|u)|50|54|e\-|e\/|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|xda(\-|2|g)|yas\-|your|zeto|zte\-) [NC]
-# RewriteRule ^$ http://www.example.com/mobile [R,L]
+# RewriteEngine On
+# RewriteCond %{REQUEST_FILENAME} !-f
+# RewriteRule ^(.+)\.(\d+)\.(css|cur|gif|ico|jpe?g|js|png|svgz?|webp)$ $1.$3 [L]
#