Last active
April 7, 2017 07:14
-
-
Save jefrydco/748d54f9713139a08c5a363f7bc1845b to your computer and use it in GitHub Desktop.
I think this htaccess configuration is the best one.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Serve all resources labeled as `text/html` or `text/plain` | |
| # with the media type `charset` parameter set to `UTF-8`. | |
| AddDefaultCharset utf-8 | |
| # Disable the pattern matching based on filenames. | |
| Options -MultiViews | |
| # Enabling keep-alive connection | |
| <ifModule mod_headers.c> | |
| Header set Connection keep-alive | |
| </ifModule> | |
| # Block Libwww-perl Access | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{HTTP_USER_AGENT} libwww-perl.* | |
| RewriteRule .* ? [F,L] | |
| </IfModule> | |
| # Block access to directories without a default document. | |
| <IfModule mod_autoindex.c> | |
| Options -Indexes | |
| </IfModule> | |
| # Cross-origin Image | |
| <IfModule mod_setenvif.c> | |
| <IfModule mod_headers.c> | |
| <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$"> | |
| SetEnvIf Origin ":" IS_CORS | |
| Header set Access-Control-Allow-Origin "*" env=IS_CORS | |
| </FilesMatch> | |
| </IfModule> | |
| </IfModule> | |
| # Cross-origin Web Fonts | |
| <IfModule mod_headers.c> | |
| <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$"> | |
| Header set Access-Control-Allow-Origin "*" | |
| </FilesMatch> | |
| </IfModule> | |
| # Force Internet Explorer 8/9/10 to render pages in the highest mode | |
| # available in the various cases when it may not. | |
| <IfModule mod_headers.c> | |
| Header set X-UA-Compatible "IE=edge" | |
| <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$"> | |
| Header unset X-UA-Compatible | |
| </FilesMatch> | |
| </IfModule> | |
| # Rewrite engine | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| Options +FollowSymlinks | |
| RewriteCond %{HTTPS} =on | |
| RewriteRule ^ - [env=proto:https] | |
| RewriteCond %{HTTPS} !=on | |
| RewriteRule ^ - [env=proto:http] | |
| </IfModule> | |
| # Redirect from the `http://` to the `https://` version of the URL and force non-www. | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| # Match any URL with www and rewrite it to https without the www. | |
| RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC] | |
| RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301] | |
| # Match urls that are non https (without the www). | |
| RewriteCond %{HTTPS} off | |
| RewriteCond %{HTTP_HOST} !^(www\.)(.*) [NC] | |
| RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] | |
| </IfModule> | |
| # Block access to all hidden files and directories with the exception of | |
| # the visible content from within the `/.well-known/` hidden directory. | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC] | |
| RewriteCond %{SCRIPT_FILENAME} -d [OR] | |
| RewriteCond %{SCRIPT_FILENAME} -f | |
| RewriteRule "(^|/)\." - [F] | |
| </IfModule> | |
| # Block access to files that can expose sensitive information. | |
| <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$"> | |
| # Apache < 2.3 | |
| <IfModule !mod_authz_core.c> | |
| Order allow,deny | |
| Deny from all | |
| Satisfy All | |
| </IfModule> | |
| # Apache ≥ 2.3 | |
| <IfModule mod_authz_core.c> | |
| Require all denied | |
| </IfModule> | |
| </FilesMatch> | |
| # Force client-side SSL redirection. | |
| <IfModule mod_headers.c> | |
| Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" | |
| </IfModule> | |
| # Prevent some browsers from MIME-sniffing the response. | |
| <IfModule mod_headers.c> | |
| Header set X-Content-Type-Options "nosniff" | |
| </IfModule> | |
| # Remove the `X-Powered-By` response header. | |
| <IfModule mod_headers.c> | |
| Header unset X-Powered-By | |
| </IfModule> | |
| # Prevent Apache from adding a trailing footer line containing | |
| # information about the server to the server-generated documents | |
| # (e.g.: error messages, directory listings, etc.) | |
| ServerSignature Off | |
| # Mitigate the risk of cross-site scripting and other content-injection | |
| # attacks. | |
| <IfModule mod_headers.c> | |
| # Header set Content-Security-Policy "script-src 'self'; object-src 'self'" | |
| Header set Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data: 'unsafe-inline'" | |
| <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$"> | |
| Header unset Content-Security-Policy | |
| </FilesMatch> | |
| </IfModule> | |
| # Serve the following file types with the media type `charset` | |
| # parameter set to `UTF-8`. | |
| <IfModule mod_mime.c> | |
| AddCharset utf-8 .atom \ | |
| .bbaw \ | |
| .css \ | |
| .geojson \ | |
| .js \ | |
| .json \ | |
| .jsonld \ | |
| .manifest \ | |
| .rdf \ | |
| .rss \ | |
| .topojson \ | |
| .vtt \ | |
| .webapp \ | |
| .webmanifest \ | |
| .xloc \ | |
| .xml | |
| </IfModule> | |
| # Re-enable the cross-site scripting (XSS) filter built | |
| # into most web browsers. | |
| <IfModule mod_headers.c> | |
| Header set X-XSS-Protection "1; mode=block" | |
| <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$"> | |
| Header unset X-XSS-Protection | |
| </FilesMatch> | |
| </IfModule> | |
| # Protect website against clickjacking. | |
| <IfModule mod_headers.c> | |
| Header set X-Frame-Options "DENY" | |
| <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$"> | |
| Header unset X-Frame-Options | |
| </FilesMatch> | |
| </IfModule> | |
| # Serve resources with the proper media types (f.k.a. MIME types). | |
| <IfModule mod_mime.c> | |
| # Data interchange | |
| AddType application/atom+xml atom | |
| AddType application/json json map topojson | |
| AddType application/ld+json jsonld | |
| AddType application/rss+xml rss | |
| AddType application/vnd.geo+json geojson | |
| AddType application/xml rdf xml | |
| # JavaScript | |
| # Normalize to standard type. | |
| # https://tools.ietf.org/html/rfc4329#section-7.2 | |
| AddType application/javascript js | |
| # Manifest files | |
| AddType application/manifest+json webmanifest | |
| AddType application/x-web-app-manifest+json webapp | |
| AddType text/cache-manifest appcache | |
| # Media files | |
| AddType audio/mp4 f4a f4b m4a | |
| AddType audio/ogg oga ogg opus | |
| AddType image/bmp bmp | |
| AddType image/svg+xml svg svgz | |
| AddType image/webp webp | |
| AddType video/mp4 f4v f4p m4v mp4 | |
| AddType video/ogg ogv | |
| AddType video/webm webm | |
| AddType video/x-flv flv | |
| AddType image/x-icon cur ico | |
| # Web fonts | |
| AddType application/font-woff woff | |
| AddType application/font-woff2 woff2 | |
| AddType application/vnd.ms-fontobject eot | |
| AddType application/x-font-ttf ttc ttf | |
| AddType font/opentype otf | |
| # Other | |
| AddType application/octet-stream safariextz | |
| AddType application/x-bb-appworld bbaw | |
| AddType application/x-chrome-extension crx | |
| AddType application/x-opera-extension oex | |
| AddType application/x-xpinstall xpi | |
| AddType text/vcard vcard vcf | |
| AddType text/vnd.rim.location.xloc xloc | |
| AddType text/vtt vtt | |
| AddType text/x-component htc | |
| </IfModule> | |
| # Gzip Compression | |
| <IfModule mod_deflate.c> | |
| # Force compression for mangled `Accept-Encoding` request headers | |
| <IfModule mod_setenvif.c> | |
| <IfModule mod_headers.c> | |
| SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding | |
| RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding | |
| </IfModule> | |
| </IfModule> | |
| # Compress all output labeled with one of the following media types. | |
| <IfModule mod_filter.c> | |
| AddOutputFilterByType DEFLATE "application/atom+xml" \ | |
| "application/javascript" \ | |
| "application/json" \ | |
| "application/ld+json" \ | |
| "application/manifest+json" \ | |
| "application/rdf+xml" \ | |
| "application/rss+xml" \ | |
| "application/schema+json" \ | |
| "application/vnd.geo+json" \ | |
| "application/vnd.ms-fontobject" \ | |
| "application/x-font-ttf" \ | |
| "application/x-javascript" \ | |
| "application/x-web-app-manifest+json" \ | |
| "application/xhtml+xml" \ | |
| "application/xml" \ | |
| "font/eot" \ | |
| "font/opentype" \ | |
| "image/bmp" \ | |
| "image/svg+xml" \ | |
| "image/vnd.microsoft.icon" \ | |
| "image/x-icon" \ | |
| "text/cache-manifest" \ | |
| "text/css" \ | |
| "text/html" \ | |
| "text/javascript" \ | |
| "text/plain" \ | |
| "text/vcard" \ | |
| "text/vnd.rim.location.xloc" \ | |
| "text/vtt" \ | |
| "text/x-component" \ | |
| "text/x-cross-domain-policy" \ | |
| "text/xml" | |
| </IfModule> | |
| <IfModule mod_mime.c> | |
| AddEncoding gzip svgz | |
| </IfModule> | |
| </IfModule> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment