
Upgrading to H5BP 3.0.2

1 parent 6502faf commit 7412dcece72ff833d61b8ec2e49529466083ec9c @DHS committed May 11, 2012
170 .htaccess
@@ -11,8 +11,8 @@
###
-### If you run a webserver other than apache, consider:
-### github.com/paulirish/html5-boilerplate-server-configs
+### If you run a webserver other than Apache, consider:
+### github.com/h5bp/server-configs
###
@@ -26,19 +26,19 @@
# Use ChromeFrame if it's installed for a better experience for the poor IE folk
<IfModule mod_headers.c>
- Header set X-UA-Compatible "IE=Edge,chrome=1"
- # mod_headers can't match by content-type, but we don't want to send this header on *everything*...
- <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|xpi|safariextz|vcf)$" >
- Header unset X-UA-Compatible
- </FilesMatch>
+ Header set X-UA-Compatible "IE=Edge,chrome=1"
+ # mod_headers can't match by content-type, but we don't want to send this header on *everything*...
+ <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
+ Header unset X-UA-Compatible
+ </FilesMatch>
</IfModule>
# ----------------------------------------------------------------------
# Cross-domain AJAX requests
# ----------------------------------------------------------------------
-# Serve cross-domain ajax requests, disabled.
+# Serve cross-domain Ajax requests, disabled by default.
# enable-cors.org
# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
@@ -47,6 +47,26 @@
# </IfModule>
+# ----------------------------------------------------------------------
+# CORS-enabled images (@crossorigin)
+# ----------------------------------------------------------------------
+
+# Send CORS headers if browsers request them; enabled by default for images.
+# developer.mozilla.org/en/CORS_Enabled_Image
+# blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
+# hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
+# wiki.mozilla.org/Security/Reviews/crossoriginAttribute
+
+<IfModule mod_setenvif.c>
+ <IfModule mod_headers.c>
+ # mod_headers, y u no match by Content-Type?!
+ <FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
+ SetEnvIf Origin ":" IS_CORS
+ Header set Access-Control-Allow-Origin "*" env=IS_CORS
+ </FilesMatch>
+ </IfModule>
+</IfModule>
+
# ----------------------------------------------------------------------
# Webfont access
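Review bot: The new image block sets `Access-Control-Allow-Origin` only when the request carries an `Origin` header, but it never tells caches that the response varies on that header. A shared cache or CDN that first stores the image for a plain request can then replay it, without the CORS header, to a later cross-origin request; adding `Header merge Vary Origin` inside the same `<FilesMatch>` (unconditionally) avoids that. Separately, the comment says this is enabled by default: with `"*"` every matching image becomes pixel-readable by any origin, so the comment should tell operators who serve non-public images (for example gated by network location rather than cookies) to remove the block or replace `*` with an explicit origin.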
@@ -56,11 +76,11 @@
# Alternatively you could only whitelist your
# subdomains like "subdomain.example.com".
-<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
- <IfModule mod_headers.c>
+<IfModule mod_headers.c>
+ <FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css)$">
Header set Access-Control-Allow-Origin "*"
- </IfModule>
-</FilesMatch>
+ </FilesMatch>
+</IfModule>
@@ -83,27 +103,29 @@ AddType video/ogg ogv
AddType video/mp4 mp4 m4v
AddType video/webm webm
-# SVG.
+# SVG
# Required for svg webfonts on iPad
# twitter.com/FontSquirrel/status/14855840545
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# Webfonts
AddType application/vnd.ms-fontobject eot
-AddType application/x-font-ttf ttf ttc
+AddType application/x-font-ttf ttf ttc
AddType font/opentype otf
AddType application/x-font-woff woff
# Assorted types
-AddType image/x-icon ico
-AddType image/webp webp
-AddType text/cache-manifest appcache manifest
-AddType text/x-component htc
-AddType application/x-chrome-extension crx
-AddType application/x-xpinstall xpi
-AddType application/octet-stream safariextz
-AddType text/x-vcard vcf
+AddType image/x-icon ico
+AddType image/webp webp
+AddType text/cache-manifest appcache manifest
+AddType text/x-component htc
+AddType application/x-chrome-extension crx
+AddType application/x-opera-extension oex
+AddType application/x-xpinstall xpi
+AddType application/octet-stream safariextz
+AddType application/x-web-app-manifest+json webapp
+AddType text/x-vcard vcf
@@ -139,46 +161,47 @@ AddType text/x-vcard vcf
<IfModule mod_deflate.c>
-# Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
-<IfModule mod_setenvif.c>
- <IfModule mod_headers.c>
- SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
- RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
+ # Force deflate for mangled headers developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping/
+ <IfModule mod_setenvif.c>
+ <IfModule mod_headers.c>
+ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
+ RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
+ </IfModule>
</IfModule>
-</IfModule>
-# HTML, TXT, CSS, JavaScript, JSON, XML, HTC:
-<IfModule filter_module>
- FilterDeclare COMPRESS
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject
- FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml
- FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf
- FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype
- FilterChain COMPRESS
- FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
-</IfModule>
+ # HTML, TXT, CSS, JavaScript, JSON, XML, HTC:
+ <IfModule filter_module>
+ FilterDeclare COMPRESS
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/html
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/css
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/plain
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $text/x-component
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/javascript
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/json
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/xhtml+xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/rss+xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/atom+xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/vnd.ms-fontobject
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $image/svg+xml
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $image/x-icon
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $application/x-font-ttf
+ FilterProvider COMPRESS DEFLATE resp=Content-Type $font/opentype
+ FilterChain COMPRESS
+ FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
+ </IfModule>
-<IfModule !mod_filter.c>
- # Legacy versions of Apache
- AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
- AddOutputFilterByType DEFLATE application/javascript
- AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
- AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml
- AddOutputFilterByType DEFLATE image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
-</IfModule>
-</IfModule>
+ <IfModule !mod_filter.c>
+ # Legacy versions of Apache
+ AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
+ AddOutputFilterByType DEFLATE application/javascript
+ AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
+ AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml
+ AddOutputFilterByType DEFLATE image/x-icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
+ </IfModule>
+</IfModule>
# ----------------------------------------------------------------------
@@ -232,7 +255,7 @@ AddType text/x-vcard vcf
ExpiresByType text/x-component "access plus 1 month"
# Webfonts
- ExpiresByType font/truetype "access plus 1 month"
+ ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
@@ -242,10 +265,6 @@ AddType text/x-vcard vcf
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
- <IfModule mod_headers.c>
- Header append Cache-Control "public"
- </IfModule>
-
</IfModule>
@@ -360,7 +379,7 @@ FileETag None
# /css/style.20110203.css to /css/style.css
# To understand why this is important and a better idea than all.css?v1231,
-# read: github.com/paulirish/html5-boilerplate/wiki/Version-Control-with-Cachebusting
+# read: github.com/h5bp/html5-boilerplate/wiki/Version-Control-with-Cachebusting
# Uncomment to enable.
# <IfModule mod_rewrite.c>
@@ -414,7 +433,7 @@ ErrorDocument 404 /pages/show/404
AddDefaultCharset utf-8
# Force UTF-8 for a number of file formats
-AddCharset utf-8 .html .css .js .xml .json .rss .atom
+AddCharset utf-8 .css .js .xml .json .rss .atom
@@ -432,12 +451,16 @@ AddCharset utf-8 .html .css .js .xml .json .rss .atom
# "-Indexes" will have Apache block users from browsing folders without a default document
# Usually you should leave this activated, because you shouldn't allow everybody to surf through
# every folder on your server (which includes rather private places like CMS system folders).
-Options -Indexes
+<IfModule mod_autoindex.c>
+ Options -Indexes
+</IfModule>
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or Git.
<IfModule mod_rewrite.c>
+ RewriteCond %{SCRIPT_FILENAME} -d
+ RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
</IfModule>
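Review bot: The two added `RewriteCond` lines are ANDed, because mod_rewrite joins consecutive conditions with AND unless the first carries `[OR]`. A path cannot be both a directory (`-d`) and a regular file (`-f`), so the `[F]` rule below them can never fire and dot-directories such as `.git` or `.svn` are no longer blocked at all. The first condition should read `RewriteCond %{SCRIPT_FILENAME} -d [OR]`. Also, the block contains no `RewriteEngine On`; if that directive is not set earlier in the file (not visible in this hunk), the rule is inert regardless.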
@@ -448,6 +471,15 @@ Options -Indexes
RewriteRule ^(.*)$ index.php
</IfModule>
+# Block access to backup and source files
+# This files may be left by some text/html editors and
+# pose a great security danger, when someone can access them
+<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
+ Order allow,deny
+ Deny from all
+ Satisfy All
+</FilesMatch>
+
# If your server is not already configured as such, the following directive
# should be uncommented in order to set PHP's register_globals option to OFF.
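Review bot: The new `<FilesMatch>` deny block uses the 2.2-style `Order allow,deny` / `Deny from all` / `Satisfy All` directives with no module guard. On Apache 2.4 these are provided only by mod_access_compat, and if that module is not loaded the whole `.htaccess` fails with a 500 rather than just leaving these files unprotected. Consider guarding by module, with `Require all denied` under `<IfModule mod_authz_core.c>` and the existing three lines under `<IfModule !mod_authz_core.c>`. The list also covers extensions such as `inc`, `ini` and `config` that some applications serve or include deliberately, so the comment should say it needs reviewing per project; "This files" in the comment should read "These files".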
@@ -464,10 +496,10 @@ Options -Indexes
# reset everything to PHP defaults. Consult www.php.net for more detailed
# information about setting PHP directives.
-# php_flag register_globals Off
+php_flag register_globals Off
# Rename session cookie to something else, than PHPSESSID
-# php_value session.name sid
+php_value session.name sid
# Do not show you are using PHP
# Note: Move this line to php.ini since it won't work in .htaccess
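Review bot: `php_flag register_globals Off` and `php_value session.name sid` are now active but sit outside any `<IfModule>` guard, unlike the `session.cookie_httponly` setting further down, which is wrapped in `<IfModule php5_module>`. On a host where PHP runs as CGI/FastCGI, or is not installed, Apache does not recognise `php_flag`/`php_value` and every request to the directory returns a 500. Wrap both lines in `<IfModule php5_module>` … `</IfModule>` so they match the later block. The comment above them still says the directive "should be uncommented", which is stale now that it is enabled by default.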
@@ -506,5 +538,5 @@ Options -Indexes
# Increase cookie security
<IfModule php5_module>
- php_value session.cookie_httponly true
+ php_value session.cookie_httponly true
</IfModule>
@@ -15,3 +15,29 @@
Standards: HTML5, CSS3
Components: Modernizr, jQuery
Software:
+
+
+
+ -o/-
+ +oo//-
+ :ooo+//:
+ -ooooo///-
+ /oooooo//:
+ :ooooooo+//-
+ -+oooooooo///-
+ -://////////////+oooooooooo++////////////::
+ :+ooooooooooooooooooooooooooooooooooooo+:::-
+ -/+ooooooooooooooooooooooooooooooo+/::////:-
+ -:+oooooooooooooooooooooooooooo/::///////:-
+ --/+ooooooooooooooooooooo+::://////:-
+ -:+ooooooooooooooooo+:://////:--
+ /ooooooooooooooooo+//////:-
+ -ooooooooooooooooooo////-
+ /ooooooooo+oooooooooo//:
+ :ooooooo+/::/+oooooooo+//-
+ -oooooo/::///////+oooooo///-
+ /ooo+::://////:---:/+oooo//:
+ -o+/::///////:- -:/+o+//-
+ :-:///////:- -:/://
+ -////:- --//:
+ -- -:
