Full documentation review

httpd.conf

@@ -1,13 +1,13 @@
 # Configuration File - Apache Server Configs
 # https://httpd.apache.org/docs/current/
 
-# Sets the top of the directory tree under which the server's
-# configuration, error, and log files are kept.
+# Sets the top of the directory tree under which the server's configuration,
+# error, and log files are kept.
 # Do not add a slash at the end of the directory path.
-# If you point ServerRoot at a non-local disk, be sure to specify
-# a local disk on the Mutex directive, if file-based mutexes are used.
-# If you wish to share the same ServerRoot for multiple httpd daemons,
-# you will need to change at least PidFile.
+# If you point ServerRoot at a non-local disk, be sure to specify a local disk
+# on the Mutex directive, if file-based mutexes are used.
+# If you wish to share the same ServerRoot for multiple httpd daemons, you will
+# need to change at least PidFile.
 # https://httpd.apache.org/docs/current/mod/core.html#serverroot
 ServerRoot "/usr/local/apache2"
 
@@ -66,15 +66,15 @@ LogLevel warn
     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
 
     # The location and format of the access logfile.
-    # If you *do* define per-<VirtualHost> access logfiles, transactions will be
-    # logged therein and *not* in this file.
+    # If you *do* define per-<VirtualHost> access logfiles, transactions will
+    # be logged therein and *not* in this file.
     # https://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog
     CustomLog logs/access.log combined
 </IfModule>
 
-# Prevent Apache from sending in the `Server` response header its
-# exact version number, the description of the generic OS-type or
-# information about its compiled-in modules.
+# Prevent Apache from sending its version number, the description of the
+# generic OS-type or information about its compiled-in modules in the "Server"
+# response header.
 # https://httpd.apache.org/docs/current/mod/core.html#servertokens
 ServerTokens Prod
 Include h5bp/security/server_software_information.conf
@@ -122,12 +122,11 @@ Include h5bp/media_types/media_types.conf
 # Set character encodings.
 Include h5bp/media_types/character_encodings.conf
 
-# On systems that support it, memory-mapping or the sendfile
-# syscall may be used to deliver files.
-# This usually improves server performance, but must
-# be turned off when serving from networked-mounted
-# filesystems or if support for these functions is otherwise
-# broken on your system.
+# On systems that support it, memory-mapping or the sendfile syscall may be
+# used to deliver files.
+# This usually improves server performance, but must be turned off when serving
+# from networked-mounted filesystems or if support for these functions is
+# otherwise broken on your system.
 # Defaults: EnableMMAP On, EnableSendfile Off
 # https://httpd.apache.org/docs/current/mod/core.html#enablemmap
 # https://httpd.apache.org/docs/current/mod/core.html#enablesendfile

src/cross-origin/requests.conf

@@ -8,6 +8,13 @@
 # https://enable-cors.org/
 # https://www.w3.org/TR/cors/
 
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#     Instead of using this file, consider using a specific rule such as
+#     allowing access based on (sub)domain:
+#
+#         Header set Access-Control-Allow-Origin "subdomain.example.com"
+
 <IfModule mod_headers.c>
     Header set Access-Control-Allow-Origin "*"
 </IfModule>

src/cross-origin/resource_timing.conf

@@ -4,10 +4,9 @@
 
 # Allow cross-origin access to the timing information for all resources.
 #
-# If a resource isn't served with a `Timing-Allow-Origin` header that
-# would allow its timing information to be shared with the document,
-# some of the attributes of the `PerformanceResourceTiming` object will
-# be set to zero.
+# If a resource isn't served with a `Timing-Allow-Origin` header that would
+# allow its timing information to be shared with the document, some of the
+# attributes of the `PerformanceResourceTiming` object will be set to zero.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
 # https://www.w3.org/TR/resource-timing/

src/errors/error_prevention.conf

@@ -4,8 +4,8 @@
 
 # Disable the pattern matching based on filenames.
 #
-# This setting prevents Apache from returning a 404 error as the result
-# of a rewrite when the directory with the same name does not exist.
+# This setting prevents Apache from returning a 404 error as the result of a
+# rewrite when the directory with the same name does not exist.
 #
 # https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
 

src/internet_explorer/x-ua-compatible.conf

@@ -8,9 +8,9 @@
 # https://hsivonen.fi/doctype/#ie8
 #
 # (!) Starting with Internet Explorer 11, document modes are deprecated.
-# If your business still relies on older web apps and services that were
-# designed for older versions of Internet Explorer, you might want to
-# consider enabling `Enterprise Mode` throughout your company.
+#     If your business still relies on older web apps and services that were
+#     designed for older versions of Internet Explorer, you might want to
+#     consider enabling `Enterprise Mode` throughout your company.
 #
 # https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
 # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/

src/media_types/character_encodings.conf

@@ -2,17 +2,17 @@
 # | Character encodings                                                |
 # ----------------------------------------------------------------------
 
-# Serve all resources labeled as `text/html` or `text/plain`
-# with the media type `charset` parameter set to `UTF-8`.
+# Serve all resources labeled as `text/html` or `text/plain` with the media type
+# `charset` parameter set to `UTF-8`.
 #
 # https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
 
 AddDefaultCharset utf-8
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-# Serve the following file types with the media type `charset`
-# parameter set to `UTF-8`.
+# Serve the following file types with the media type `charset` parameter set to
+# `UTF-8`.
 #
 # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
 

src/media_types/media_types.conf

@@ -47,8 +47,8 @@
     AddType video/webm                                  webm
     AddType video/x-flv                                 flv
 
-    # Serving `.ico` image files with a different media type
-    # prevents Internet Explorer from displaying them as images:
+    # Serving `.ico` image files with a different media type prevents
+    # Internet Explorer from displaying them as images:
     # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
 
     AddType image/x-icon                                cur ico

src/rewrites/rewrite_engine.conf

@@ -2,19 +2,19 @@
 # | Rewrite engine                                                     |
 # ----------------------------------------------------------------------
 
-# (1) Turn on the rewrite engine (this is necessary in order for
-#     the `RewriteRule` directives to work).
+# (1) Turn on the rewrite engine (this is necessary in order for the
+#     `RewriteRule` directives to work).
 #
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
 #
 # (2) Enable the `FollowSymLinks` option if it isn't already.
 #
 #     https://httpd.apache.org/docs/current/mod/core.html#options
 #
-# (3) If your web host doesn't allow the `FollowSymlinks` option,
-#     you need to comment it out or remove it, and then uncomment
-#     the `Options +SymLinksIfOwnerMatch` line (4), but be aware
-#     of the performance impact.
+# (3) If your web host doesn't allow the `FollowSymlinks` option, you need to
+#     comment it out or remove it, and then uncomment the
+#     `Options +SymLinksIfOwnerMatch` line (4), but be aware of the performance
+#     impact.
 #
 #     https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
 #
@@ -23,9 +23,8 @@
 #     https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
 #
-# (5) Depending on how your server is set up, you may also need to
-#     use the `RewriteOptions` directive to enable some options for
-#     the rewrite engine.
+# (5) Depending on how your server is set up, you may also need to use the
+#     `RewriteOptions` directive to enable some options for the rewrite engine.
 #
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
 

src/rewrites/rewrite_http_to_https.conf

@@ -6,10 +6,9 @@
 #
 # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
 
-# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot
-#     method it will fail to validate the certificate if validation
-#     requests are redirected to HTTPS. Turn on the condition(s)
-#     you need.
+# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot method it
+#     will fail to validate the certificate if validation requests are
+#     redirected to HTTPS. Turn on the condition(s) you need.
 #
 #     https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
 #     https://tools.ietf.org/html/draft-ietf-acme-acme-12

src/rewrites/rewrite_nowww.conf

@@ -4,21 +4,20 @@
 
 # Rewrite www.example.com → example.com
 
-# The same content should never be available under two different
-# URLs, especially not with and without `www.` at the beginning.
-# This can cause SEO problems (duplicate content), and therefore,
-# you should choose one of the alternatives and redirect the other
-# one.
+# The same content should never be available under two different URLs,
+# especially not with and without `www.` at the beginning.
+# This can cause SEO problems (duplicate content), and therefore, you should
+# choose one of the alternatives and redirect the other one.
 #
 # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
 
 # (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
 #     appropriate schema automatically (http or https).
 #
-# (2) The rule assumes by default that both HTTP and HTTPS
-#     environments are available for redirection.
-#     If your SSL certificate could not handle one of the domains
-#     used during redirection, you should turn the condition on.
+# (2) The rule assumes by default that both HTTP and HTTPS environments are
+#     available for redirection.
+#     If your SSL certificate could not handle one of the domains used during
+#     redirection, you should turn the condition on.
 #
 #     https://github.com/h5bp/server-configs-apache/issues/52
 

src/rewrites/rewrite_www.conf

@@ -4,21 +4,20 @@
 
 # Rewrite example.com → www.example.com
 
-# The same content should never be available under two different
-# URLs, especially not with and without `www.` at the beginning.
-# This can cause SEO problems (duplicate content), and therefore,
-# you should choose one of the alternatives and redirect the other
-# one.
+# The same content should never be available under two different URLs,
+# especially not with and without `www.` at the beginning.
+# This can cause SEO problems (duplicate content), and therefore, you should
+# choose one of the alternatives and redirect the other one.
 #
 # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
 
 # (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
 #     appropriate schema automatically (http or https).
 #
-# (2) The rule assumes by default that both HTTP and HTTPS
-#     environments are available for redirection.
-#     If your SSL certificate could not handle one of the domains
-#     used during redirection, you should turn the condition on.
+# (2) The rule assumes by default that both HTTP and HTTPS environments are
+#     available for redirection.
+#     If your SSL certificate could not handle one of the domains used during
+#     redirection, you should turn the condition on.
 #
 #     https://github.com/h5bp/server-configs-apache/issues/52
 

src/security/content-security-policy.conf

@@ -5,54 +5,53 @@
 # Mitigate the risk of cross-site scripting and other content-injection
 # attacks.
 #
-# This can be done by setting a `Content Security Policy` which
-# whitelists trusted sources of content for your website.
+# This can be done by setting a `Content Security Policy` which whitelists
+# trusted sources of content for your website.
 #
-# There is no policy that fits all websites, you will have to modify
-# the `Content-Security-Policy` directives in the example depending
-# on your needs.
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
 #
 # The example policy below aims to:
 #
-#  (1) Restrict all fetches by default to the origin of the current website
-#      by setting the `default-src` directive to `'self'` - which acts as a
+#  (1) Restrict all fetches by default to the origin of the current website by
+#      setting the `default-src` directive to `'self'` - which acts as a
 #      fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
 #
 #      This is convenient as you do not have to specify all Fetch directives
 #      that apply to your site, for example:
 #      `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc.
 #
-#      This restriction also means that you must explicitly define from
-#      which site(s) your website is allowed to load resources from.
+#      This restriction also means that you must explicitly define from which
+#      site(s) your website is allowed to load resources from.
 #
-#  (2) The `<base>` element is not allowed on the website. This is to
-#      prevent attackers from changing the locations of resources loaded
-#      from relative URLs.
+#  (2) The `<base>` element is not allowed on the website. This is to prevent
+#      attackers from changing the locations of resources loaded from relative
+#      URLs.
 #
-#      If you want to use the `<base>` element, then `base-uri 'self'`
-#      can be used instead.
+#      If you want to use the `<base>` element, then `base-uri 'self'` can be
+#      used instead.
 #
-#  (3) Form submissions are only allowed from the current website by
-#      setting: `form-action 'self'`.
+#  (3) Form submissions are only allowed from the current website by setting:
+#      `form-action 'self'`.
 #
-#  (4) Prevents all websites (including your own) from embedding your
-#      webpages within e.g. the `<iframe>` or `<object>` element by
-#      setting `frame-ancestors 'none'`.
+#  (4) Prevents all websites (including your own) from embedding your webpages
+#      within e.g. the `<iframe>` or `<object>` element by setting:
+#      `frame-ancestors 'none'`.
 #
-#      The `frame-ancestors` directive helps avoid "Clickjacking" attacks
-#      and is similar to the `X-Frame-Options` header.
+#      The `frame-ancestors` directive helps avoid "Clickjacking" attacks and
+#      is similar to the `X-Frame-Options` header.
 #
-#      Browsers that support the CSP header will ignore `X-Frame-Options`
-#      if `frame-ancestors` is also specified.
+#      Browsers that support the CSP header will ignore `X-Frame-Options` if
+#      `frame-ancestors` is also specified.
 #
-#  (5) Forces the browser to treat all the resources that are served over
-#      HTTP as if they were loaded securely over HTTPS by setting the
+#  (5) Forces the browser to treat all the resources that are served over HTTP
+#      as if they were loaded securely over HTTPS by setting the
 #      `upgrade-insecure-requests` directive.
 #
-#      Please note that `upgrade-insecure-requests` does not ensure
-#      HTTPS for the top-level navigation. If you want to force the
-#      website itself to be loaded over HTTPS you must include the
-#      `Strict-Transport-Security` header.
+#      Please note that `upgrade-insecure-requests` does not ensure HTTPS for
+#      the top-level navigation. If you want to force the website itself to be
+#      loaded over HTTPS you must include the `Strict-Transport-Security`
+#      header.
 #
 #  (6) The `Content-Security-Policy` header is included in all responses
 #      that are able to execute scripting. This includes the commonly used