diff --git a/_src/.htaccess b/_src/.htaccess
index f81fb579..29ebb5e8 100644
--- a/_src/.htaccess
+++ b/_src/.htaccess
@@ -1,6 +1,6 @@
# BEGIN HTML5 Boilerplate
-# Apache Server Configs v2.11.0 | MIT License
+# Apache Server Configs v2.14.0 | MIT License
# https://github.com/h5bp/server-configs-apache
# (!) Using `.htaccess` files slows down Apache, therefore, if you have
@@ -18,7 +18,7 @@
# ----------------------------------------------------------------------
# Allow cross-origin requests.
-
+#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# http://enable-cors.org/
# http://www.w3.org/TR/cors/
@@ -116,20 +116,26 @@ Options -MultiViews
#
# https://hsivonen.fi/doctype/#ie8
#
-# (!) Starting with Internet Explorer 11, document modes are deprecated
-# and should no longer be used.
+# (!) Starting with Internet Explorer 11, document modes are deprecated.
+# If your business still relies on older web apps and services that were
+# designed for older versions of Internet Explorer, you might want to
+# consider enabling `Enterprise Mode` throughout your company.
#
-# http://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx
+
Header set X-UA-Compatible "IE=edge"
+
# `mod_headers` cannot match based on the content-type, however,
# the `X-UA-Compatible` response header should be send only for
# HTML documents and not for the other resources.
-
+
+
Header unset X-UA-Compatible
+
# ----------------------------------------------------------------------
@@ -138,7 +144,7 @@ Options -MultiViews
# Allow cookies to be set from iframes in Internet Explorer.
#
-# http://msdn.microsoft.com/en-us/library/ms537343.aspx
+# https://msdn.microsoft.com/en-us/library/ms537343.aspx
# http://www.w3.org/TR/2000/CR-P3P-20001215/
#
@@ -163,10 +169,12 @@ Options -MultiViews
# Data interchange
+ AddType application/atom+xml atom
AddType application/json json map topojson
AddType application/ld+json jsonld
+ AddType application/rss+xml rss
AddType application/vnd.geo+json geojson
- AddType application/xml atom rdf rss xml
+ AddType application/xml rdf xml
# JavaScript
@@ -179,39 +187,9 @@ Options -MultiViews
# Manifest files
- # If you are providing a web application manifest file (see
- # the specification: https://w3c.github.io/manifest/), it is
- # recommended that you serve it with the `application/manifest+json`
- # media type.
- #
- # Because the web application manifest file doesn't have its
- # own unique file extension, you can set its media type either
- # by matching:
- #
- # 1) the exact location of the file (this can be done using a
- # directive such as ``, but it will NOT work in
- # the `.htaccess` file, so you will have to do it in the main
- # server configuration file or inside of a ``
- # container)
- #
- # e.g.:
- #
- #
- # AddType application/manifest+json json
- #
- #
- # 2) the filename (this can be problematic as you will need to
- # ensure that you don't have any other file with the same name
- # as the one you gave to your web application manifest file)
- #
- # e.g.:
- #
- #
- # AddType application/manifest+json json
- #
-
+ AddType application/manifest+json webmanifest
AddType application/x-web-app-manifest+json webapp
- AddType text/cache-manifest appcache manifest
+ AddType text/cache-manifest appcache
# Media files
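Review bot: Dropping the `manifest` extension from `AddType text/cache-manifest appcache manifest` leaves any `*.manifest` file on this site with the server's default media type, while the charset hunk further down in this commit still adds `.manifest` to the list of files served as UTF-8, so the two hunks disagree on whether that extension is in use. If `.manifest` files exist here, keep the extension on the `AddType` line; if they do not, the `.manifest` entry in the charset list can go as well. The enclosing block these directives sit in starts and ends outside the hunk.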
@@ -219,13 +197,12 @@ Options -MultiViews
AddType audio/mp4 f4a f4b m4a
AddType audio/ogg oga ogg opus
AddType image/bmp bmp
+ AddType image/svg+xml svg svgz
AddType image/webp webp
- AddType image/x-icon cur ico
AddType video/mp4 f4v f4p m4v mp4
AddType video/ogg ogv
AddType video/webm webm
AddType video/x-flv flv
- AddType image/svg+xml svg svgz
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
@@ -292,11 +269,13 @@ AddDefaultCharset utf-8
.js \
.json \
.jsonld \
+ .manifest \
.rdf \
.rss \
.topojson \
.vtt \
.webapp \
+ .webmanifest \
.xloc \
.xml
@@ -328,7 +307,7 @@ AddDefaultCharset utf-8
#
# (4) Some cloud hosting services will require you set `RewriteBase`.
#
-# http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
+# https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
#
# (5) Depending on how your server is set up, you may also need to
@@ -336,6 +315,9 @@ AddDefaultCharset utf-8
# the rewrite engine.
#
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
+#
+# (6) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
+# appropriate schema automatically (http or https).
@@ -354,6 +336,12 @@ AddDefaultCharset utf-8
# (5)
# RewriteOptions
+ # (6)
+ # RewriteCond %{HTTPS} =on
+ # RewriteRule ^ - [env=proto:https]
+ # RewriteCond %{HTTPS} !=on
+ # RewriteRule ^ - [env=proto:http]
+
# ----------------------------------------------------------------------
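Review bot: The `%{ENV:PROTO}` variable introduced by this commented-out block (6) is only ever populated when these four lines are uncommented, yet the www/non-www redirect rules rewritten later in this commit (`RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI}` and `RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI}`) now reference it unconditionally; enabling either of them without (6) produces a redirect target of `://host/path`, which browsers reject. A one-line comment next to (6) such as `# (!) Required whenever a RewriteRule below uses %{ENV:PROTO}` would make that dependency explicit. Note also that `%{HTTPS}` reflects the connection terminated by Apache itself, so behind a TLS-terminating proxy it is `off` and `proto` would resolve to `http`, sending users to a plain-HTTP redirect target; such deployments need to derive `proto` from the proxy's forwarded-protocol information instead. The enclosing block, if any, starts outside the hunk.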
@@ -395,7 +383,7 @@ AddDefaultCharset utf-8
# RewriteEngine On
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
-# RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
+# RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
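Review bot: With `RewriteCond %{HTTPS} !=on` kept on the preceding context line, this rule only fires for plain-HTTP requests, so `%{ENV:PROTO}` can only ever resolve to `http` here and the substitution on the changed `RewriteRule` line is a no-op; either that condition should be dropped so HTTPS requests to the www host are redirected too, or the rule may as well keep a literal scheme. If the condition is deliberate (for example the certificate does not cover the www host), a short comment saying so would stop the next reader from removing it. This is inferred from the visible context lines only; the enclosing block starts outside the hunk.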
@@ -411,7 +399,7 @@ AddDefaultCharset utf-8
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
# RewriteCond %{SERVER_ADDR} !=::1
-# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+# RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
@@ -454,13 +442,17 @@ AddDefaultCharset utf-8
# https://www.owasp.org/index.php/Clickjacking
#
+
# Header set X-Frame-Options "DENY"
+
# # `mod_headers` cannot match based on the content-type, however,
# # the `X-Frame-Options` response header should be send only for
# # HTML documents and not for the other resources.
-#
+
+#
# Header unset X-Frame-Options
#
+
#
# ----------------------------------------------------------------------
@@ -473,24 +465,29 @@ AddDefaultCharset utf-8
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
-# The example header below allows ONLY scripts that are loaded from the
-# current website's origin (no inline scripts, no CDN, etc). That almost
-# certainly won't work as-is for your website!
+# The example header below allows ONLY scripts that are loaded from
+# the current website's origin (no inline scripts, no CDN, etc).
+# That almost certainly won't work as-is for your website!
#
-# For more details on how to craft a reasonable policy for your website,
-# read: http://www.html5rocks.com/en/tutorials/security/content-security-policy/
-# (or the specification: http://www.w3.org/TR/CSP11/). Also, to make
-# things easier, you can use an online CSP header generator such as:
-# http://cspisawesome.com/.
+# To make things easier, you can use an online CSP header generator
+# such as: http://cspisawesome.com/.
+#
+# http://content-security-policy.com/
+# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# http://www.w3.org/TR/CSP11/).
#
+
# Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
+
# # `mod_headers` cannot match based on the content-type, however,
# # the `Content-Security-Policy` response header should be send
# # only for HTML documents and not for the other resources.
-#
+
+#
# Header unset Content-Security-Policy
#
+
#
# ----------------------------------------------------------------------
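Review bot: The rewritten reference list leaves a dangling `).` on `# http://www.w3.org/TR/CSP11/).`, a leftover from the removed parenthetical; it should read `# http://www.w3.org/TR/CSP11/`. Since the comment already warns that the example policy will not work as-is, it would also help to say in one sentence that `script-src 'self'; object-src 'self'` sets no `default-src`, so every other resource type stays unrestricted until the policy is extended. The enclosing block starts and ends outside the hunk.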
@@ -587,11 +584,8 @@ AddDefaultCharset utf-8
# http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx
#
-# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
+# Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
#
-
- Header set Strict-Transport-Security "max-age=16070400"
-
# ----------------------------------------------------------------------
# | Reducing MIME type security risks |
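Review bot: This hunk deletes the only active `Header set Strict-Transport-Security "max-age=16070400"` directive visible in the file and keeps just the commented example, so unless the header is emitted elsewhere (server configuration or the application) the site stops sending HSTS and the policy browsers already cached silently lapses once the old max-age runs out. If the intent was only to resync with the upstream template, the site-specific line should be re-added below the example, preferably as `Header always set Strict-Transport-Security "max-age=16070400"` so it is also sent on non-2xx responses; adding `includeSubDomains` is only safe if every subdomain serves HTTPS, which the `Redirect 301 /lab http://lab.kremalicious.com` entry at the end of this file suggests may not be the case. The enclosing block starts and ends outside the hunk.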
@@ -606,7 +600,7 @@ AddDefaultCharset utf-8
#
# http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
# http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
-# http://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
+# https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
# https://mimesniff.spec.whatwg.org/
@@ -639,7 +633,7 @@ AddDefaultCharset utf-8
# thereby, it's better to inform browsers to prevent the rendering
# of the page altogether, instead of attempting to modify it.
#
-# http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
+# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
# you are taking all possible measures to prevent XSS attacks, the
@@ -650,20 +644,58 @@ AddDefaultCharset utf-8
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
#
+
# # (1) (2)
# Header set X-XSS-Protection "1; mode=block"
+
# # `mod_headers` cannot match based on the content-type, however,
# # the `X-XSS-Protection` response header should be send only for
# # HTML documents and not for the other resources.
-#
+
+#
# Header unset X-XSS-Protection
#
+
#
+# ----------------------------------------------------------------------
+# | Server-side technology information |
+# ----------------------------------------------------------------------
+
+# Remove the `X-Powered-By` response header that:
+#
+# * is set by some frameworks and server-side languages
+# (e.g.: ASP.NET, PHP), and its value contains information
+# about them (e.g.: their name, version number)
+#
+# * doesn't provide any value as far as users are concern,
+# and in some cases, the information provided by it can
+# be used by attackers
+#
+# (!) If you can, you should disable the `X-Powered-By` header from the
+# language / framework level (e.g.: for PHP, you can do that by setting
+# `expose_php = off` in `php.ini`)
+#
+# https://php.net/manual/en/ini.core.php#ini.expose-php
+
+
+ Header unset X-Powered-By
+
+
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------
+# Prevent Apache from adding a trailing footer line containing
+# information about the server to the server-generated documents
+# (e.g.: error messages, directory listings, etc.)
+#
+# https://httpd.apache.org/docs/current/mod/core.html#serversignature
+
+ServerSignature Off
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
# Prevent Apache from sending in the `Server` response header its
# exact version number, the description of the generic OS-type or
# information about its compiled-in modules.
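Review bot: `Header unset X-Powered-By` without the `always` condition only edits the header table used for successful responses, so it is the weaker form for a header that may be attached to error pages as well; `Header always unset X-Powered-By` operates on both tables regardless of status and is the safer default for a removal like this. The new `ServerSignature Off` is valid in an `.htaccess` context, whereas `ServerTokens` (kept commented out in the next hunk) is only accepted in the main server configuration, so the comment above it could say that explicitly to explain why it stays disabled here. The block enclosing the `Header` line starts outside the hunk.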
@@ -673,7 +705,7 @@ AddDefaultCharset utf-8
#
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
-# ServerTokens Prod
+#ServerTokens Prod
# ######################################################################
@@ -820,9 +852,12 @@ FileETag None
ExpiresDefault "access plus 1 month"
# CSS
+
ExpiresByType text/css "access plus 1 year"
+
# Data interchange
+
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
@@ -834,35 +869,45 @@ FileETag None
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
+
# Favicon (cannot be renamed!) and cursor images
+
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
# HTML
+
ExpiresByType text/html "access plus 0 seconds"
+
# JavaScript
+
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
- # Manifest files
- ExpiresByType application/manifest+json "access plus 1 year"
+ # Manifest files
+
+ ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
+
# Media files
+
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
+ ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
+
# Web fonts
# Embedded OpenType (EOT)
@@ -883,7 +928,9 @@ FileETag None
# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 "access plus 1 month"
- # Other
+
+ # Other
+
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
@@ -935,7 +982,7 @@ FileETag None
#
# RewriteEngine On
# RewriteCond %{REQUEST_FILENAME} !-f
-# RewriteRule ^(.+)\.(\d+)\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp)$ $1.$3 [L]
+# RewriteRule ^(.+)\.(\d+)\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest)$ $1.$3 [L]
#
@@ -967,4 +1014,4 @@ FileETag None
Redirect 301 /lab http://lab.kremalicious.com
Redirect 301 /csspaperstack /lab/csspaperstack
Redirect 301 /download /media
-Redirect 301 /portfolio https://matthiaskretschmann.com
\ No newline at end of file
+Redirect 301 /portfolio https://matthiaskretschmann.com
diff --git a/_src/feed/index.xml b/_src/feed/index.xml
index f910515c..7c2847b6 100644
--- a/_src/feed/index.xml
+++ b/_src/feed/index.xml
@@ -7,23 +7,23 @@ redirect_from:
- {{ site.name }}
+ {{ site.name | xml_escape }}{{ site.time | date_to_xmlschema }}{{ site.url }}
- {{ site.author }}
+ {{ site.author | xml_escape}}{{ site.email }}
{% for post in site.posts limit:100 %}
{% if post.layout == "link" %}
- {{ post.title | escape | titlecase }} →
+ {{ post.title | xml_escape | titlecase }} →
{% else %}
- {{ post.title | escape | titlecase }}
+ {{ post.title | xml_escape | titlecase }}
{% endif %}
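Review bot: `{{ site.author | xml_escape}}` is missing the space before `}}` that every other filter expression in this hunk has; it should read `{{ site.author | xml_escape }}` for consistency. The surrounding element tags are stripped in this view, so nothing else in the hunk can be checked.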
@@ -35,7 +35,7 @@ redirect_from:
{{ post.date | date_to_xmlschema }}
{% endif %}
- {{ site.url }}{{ post.url | escape }}
+ {{ site.url }}{{ post.url }}
{% if post.image %}
<img src="{{ site.url }}/media/{{ post.image }}" />
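Review bot: Dropping `| escape` from `{{ site.url }}{{ post.url }}` means any `&`, `<` or `"` in a post URL is now written raw into the feed, which would make the XML ill-formed where the value previously was at least HTML-escaped; the same applies to `post.linkurl` and `post.url` inside the `href` attributes of the hunk that ends with the trailing-newline fix. Both values come from the site's own permalinks and front matter, so the exposure is feed breakage rather than injection, but `{{ post.url | xml_escape }}` and `{{ post.linkurl | xml_escape }}` would keep them consistent with the fields this commit switched to `xml_escape`. The enclosing template elements are stripped in this view, so which element these values land in cannot be confirmed.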
@@ -44,10 +44,10 @@ redirect_from:
{{ post.content | xml_escape }}
{% if post.layout == "link" %}
- <a href="{{ post.linkurl | escape }}">Go to source »</a> <br />
- <a href="{{ site.url }}{{ post.url | escape }}" title="Permalink for this post">∞</a>
+ <a href="{{ post.linkurl }}">Go to source »</a> <br />
+ <a href="{{ site.url }}{{ post.url }}" title="Permalink for this post">∞</a>
{% endif %}
{% endfor %}
-
\ No newline at end of file
+