feat: redirect trafic to https (#965)

.github/workflows/deploy.yml

@@ -28,6 +28,7 @@ jobs:
     name: Build assets
     outputs:
       version: ${{ steps.version.outputs.version }}
+      release: ${{ steps.version.outputs.release }}
 
     strategy:
       fail-fast: false
@@ -105,9 +106,11 @@ jobs:
             exit -1
           fi
 
-      - name: Get version or revision
+      - name: Get version
         id: version
-        run: echo "::set-output name=version::$(git describe --abbrev=0 --tags --exact-match $GITHUB_SHA 2>/dev/null || git log --pretty="%h" -n1 $GITHUB_SHA)"
+        run: |
+          echo "::set-output name=version::$(git describe --abbrev=0 --tags | sed 's/^v//')"
+          echo "::set-output name=release::$(git describe --abbrev=0 --tags --exact-match $GITHUB_SHA 2>/dev/null || git log --pretty="%h" -n1 $GITHUB_SHA)"
 
       - name: Prepare environment
         run: |
@@ -174,9 +177,13 @@ jobs:
 
       - name: Create release files
         run: |
-          echo ${{ needs.build.outputs.version }} > config/.release
+          echo ${{ needs.build.outputs.version }} > config/.version
+          echo ${{ needs.build.outputs.release }} > config/.release
           echo $GITHUB_SHA > config/.commit
 
+      - name: Update .htaccess
+        run: cp -f scripts/.htaccess_production public/.htaccess
+
       - name: Commit everything
         run: |
           git add -A --force public config
@@ -231,9 +238,13 @@ jobs:
 
       - name: Create release files
         run: |
-          echo ${{ needs.build.outputs.version }} > config/.release
+          echo ${{ needs.build.outputs.version }} > config/.version
+          echo ${{ needs.build.outputs.release }} > config/.release
           echo $GITHUB_SHA > config/.commit
 
+      - name: Update .htaccess
+        run: cp -f scripts/.htaccess_production public/.htaccess
+
       - name: Commit everything
         run: |
           git add -A --force public config
@@ -287,5 +298,5 @@ jobs:
         with:
           environment: ${{ secrets.SENTRY_ENVIRONMENT }}
           sourcemaps: public/js/app.js public/js/app.js.map
-          version: ${{ needs.build.outputs.version }}
+          version: ${{ needs.build.outputs.release }}
           url_prefix: ~/js

scripts/.htaccess_production

@@ -0,0 +1,48 @@
+<IfModule mod_rewrite.c>
+    <IfModule mod_negotiation.c>
+        Options -MultiViews -Indexes
+    </IfModule>
+
+    RewriteEngine On
+
+    # Redirect to https
+    RewriteCond %{HTTP:X-Forwarded-Proto} !=https
+    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,N]
+
+    <IfModule mod_headers.c>
+        # Activate HSTS
+        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
+
+        Header always set Referrer-Policy "no-referrer"
+        Header always set X-Content-Type-Options "nosniff"
+        Header always set X-Download-Options "noopen"
+        Header always set X-Frame-Options "SAMEORIGIN"
+        Header always set X-Permitted-Cross-Domain-Policies "none"
+        Header always set X-Robots-Tag "none"
+        Header always set X-XSS-Protection "1; mode=block"
+
+        # Assets expire after 1 month
+        <filesMatch ".(css|js|woff2?|json)$">
+            Header set Cache-Control "public, max-age=2628000"
+        </filesMatch>
+
+        # Images expire after 6 months
+        <filesMatch ".(svg|png|gif|ico|jpe?g)$">
+            Header set Cache-Control "public, max-age=15768000"
+        </filesMatch>
+    </IfModule>
+
+    # Handle Authorization Header
+    RewriteCond %{HTTP:Authorization} .
+    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
+
+    # Redirect Trailing Slashes If Not A Folder...
+    RewriteCond %{REQUEST_FILENAME} !-d
+    RewriteCond %{REQUEST_URI} (.+)/$
+    RewriteRule ^ %1 [L,R=301]
+
+    # Handle Front Controller...
+    RewriteCond %{REQUEST_FILENAME} !-d
+    RewriteCond %{REQUEST_FILENAME} !-f
+    RewriteRule ^ index.php [L]
+</IfModule>