reportir 0.2.0

  1. checksums.yaml +7 -0
  2. data/.gitignore +9 -0
  3. data/.rspec +2 -0
  4. data/.travis.yml +4 -0
  5. data/CODE_OF_CONDUCT.md +13 -0
  6. data/Gemfile +4 -0
  7. data/LICENSE.txt +21 -0
  8. data/README.md +81 -0
  9. data/Rakefile +6 -0
  10. data/bin/console +14 -0
  11. data/bin/setup +7 -0
  12. data/lib/reportir/static_site_template/.editorconfig +13 -0
  13. data/lib/reportir/static_site_template/.gitattributes +1 -0
  14. data/lib/reportir/static_site_template/.gitignore +2 -0
  15. data/lib/reportir/static_site_template/.htaccess +984 -0
  16. data/lib/reportir/static_site_template/404.html +60 -0
  17. data/lib/reportir/static_site_template/LICENSE.txt +19 -0
  18. data/lib/reportir/static_site_template/apple-touch-icon.png +0 -0
  19. data/lib/reportir/static_site_template/browserconfig.xml +12 -0
  20. data/lib/reportir/static_site_template/crossdomain.xml +15 -0
  21. data/lib/reportir/static_site_template/css/font/FontAwesome.otf +0 -0
  22. data/lib/reportir/static_site_template/css/font/fontawesome-webfont.eot +0 -0
  23. data/lib/reportir/static_site_template/css/font/fontawesome-webfont.svg +284 -0
  24. data/lib/reportir/static_site_template/css/font/fontawesome-webfont.ttf +0 -0
  25. data/lib/reportir/static_site_template/css/font/fontawesome-webfont.woff +0 -0
  26. data/lib/reportir/static_site_template/css/main.css +348 -0
  27. data/lib/reportir/static_site_template/css/normalize.css +424 -0
  28. data/lib/reportir/static_site_template/css/vendor/bootstrap.min.css +5 -0
  29. data/lib/reportir/static_site_template/css/vendor/font-awesome.min.css +33 -0
  30. data/lib/reportir/static_site_template/doc/TOC.md +29 -0
  31. data/lib/reportir/static_site_template/doc/css.md +162 -0
  32. data/lib/reportir/static_site_template/doc/extend.md +663 -0
  33. data/lib/reportir/static_site_template/doc/faq.md +62 -0
  34. data/lib/reportir/static_site_template/doc/html.md +223 -0
  35. data/lib/reportir/static_site_template/doc/js.md +37 -0
  36. data/lib/reportir/static_site_template/doc/misc.md +175 -0
  37. data/lib/reportir/static_site_template/doc/usage.md +130 -0
  38. data/lib/reportir/static_site_template/favicon.ico +0 -0
  39. data/lib/reportir/static_site_template/humans.txt +15 -0
  40. data/lib/reportir/static_site_template/img/.gitignore +0 -0
  41. data/lib/reportir/static_site_template/img/pagination.png +0 -0
  42. data/lib/reportir/static_site_template/index.html +78 -0
  43. data/lib/reportir/static_site_template/js/main.js +0 -0
  44. data/lib/reportir/static_site_template/js/plugins.js +24 -0
  45. data/lib/reportir/static_site_template/js/vendor/bootstrap.min.js +7 -0
  46. data/lib/reportir/static_site_template/js/vendor/jquery-1.11.3.min.js +6 -0
  47. data/lib/reportir/static_site_template/js/vendor/jquery.slides.min.js +7 -0
  48. data/lib/reportir/static_site_template/js/vendor/modernizr-2.8.3.min.js +4 -0
  49. data/lib/reportir/static_site_template/robots.txt +5 -0
  50. data/lib/reportir/static_site_template/tile-wide.png +0 -0
  51. data/lib/reportir/static_site_template/tile.png +0 -0
  52. data/lib/reportir/version.rb +3 -0
  53. data/lib/reportir.rb +109 -0
  54. data/reportir.gemspec +29 -0
  55. metadata +196 -0
@@ -0,0 +1,984 @@
1
+ # Apache Server Configs v2.14.0 | MIT License
2
+ # https://github.com/h5bp/server-configs-apache
3
+
4
+ # (!) Using `.htaccess` files slows down Apache, therefore, if you have
5
+ # access to the main server configuration file (which is usually called
6
+ # `httpd.conf`), you should add this logic there.
7
+ #
8
+ # https://httpd.apache.org/docs/current/howto/htaccess.html.
9
+
10
+ # ######################################################################
11
+ # # CROSS-ORIGIN #
12
+ # ######################################################################
13
+
14
+ # ----------------------------------------------------------------------
15
+ # | Cross-origin requests |
16
+ # ----------------------------------------------------------------------
17
+
18
+ # Allow cross-origin requests.
19
+ #
20
+ # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
21
+ # http://enable-cors.org/
22
+ # http://www.w3.org/TR/cors/
23
+
24
+ # <IfModule mod_headers.c>
25
+ # Header set Access-Control-Allow-Origin "*"
26
+ # </IfModule>
27
+
28
+ # ----------------------------------------------------------------------
29
+ # | Cross-origin images |
30
+ # ----------------------------------------------------------------------
31
+
32
+ # Send the CORS header for images when browsers request it.
33
+ #
34
+ # https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
35
+ # https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
36
+
37
+ <IfModule mod_setenvif.c>
38
+ <IfModule mod_headers.c>
39
+ <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
40
+ SetEnvIf Origin ":" IS_CORS
41
+ Header set Access-Control-Allow-Origin "*" env=IS_CORS
42
+ </FilesMatch>
43
+ </IfModule>
44
+ </IfModule>
45
+
46
+ # ----------------------------------------------------------------------
47
+ # | Cross-origin web fonts |
48
+ # ----------------------------------------------------------------------
49
+
50
+ # Allow cross-origin access to web fonts.
51
+
52
+ <IfModule mod_headers.c>
53
+ <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
54
+ Header set Access-Control-Allow-Origin "*"
55
+ </FilesMatch>
56
+ </IfModule>
57
+
58
+ # ----------------------------------------------------------------------
59
+ # | Cross-origin resource timing |
60
+ # ----------------------------------------------------------------------
61
+
62
+ # Allow cross-origin access to the timing information for all resources.
63
+ #
64
+ # If a resource isn't served with a `Timing-Allow-Origin` header that
65
+ # would allow its timing information to be shared with the document,
66
+ # some of the attributes of the `PerformanceResourceTiming` object will
67
+ # be set to zero.
68
+ #
69
+ # http://www.w3.org/TR/resource-timing/
70
+ # http://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
71
+
72
+ # <IfModule mod_headers.c>
73
+ # Header set Timing-Allow-Origin: "*"
74
+ # </IfModule>
75
+
76
+
77
+ # ######################################################################
78
+ # # ERRORS #
79
+ # ######################################################################
80
+
81
+ # ----------------------------------------------------------------------
82
+ # | Custom error messages/pages |
83
+ # ----------------------------------------------------------------------
84
+
85
+ # Customize what Apache returns to the client in case of an error.
86
+ # https://httpd.apache.org/docs/current/mod/core.html#errordocument
87
+
88
+ ErrorDocument 404 /404.html
89
+
90
+ # ----------------------------------------------------------------------
91
+ # | Error prevention |
92
+ # ----------------------------------------------------------------------
93
+
94
+ # Disable the pattern matching based on filenames.
95
+ #
96
+ # This setting prevents Apache from returning a 404 error as the result
97
+ # of a rewrite when the directory with the same name does not exist.
98
+ #
99
+ # https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
100
+
101
+ Options -MultiViews
102
+
103
+
104
+ # ######################################################################
105
+ # # INTERNET EXPLORER #
106
+ # ######################################################################
107
+
108
+ # ----------------------------------------------------------------------
109
+ # | Document modes |
110
+ # ----------------------------------------------------------------------
111
+
112
+ # Force Internet Explorer 8/9/10 to render pages in the highest mode
113
+ # available in the various cases when it may not.
114
+ #
115
+ # https://hsivonen.fi/doctype/#ie8
116
+ #
117
+ # (!) Starting with Internet Explorer 11, document modes are deprecated.
118
+ # If your business still relies on older web apps and services that were
119
+ # designed for older versions of Internet Explorer, you might want to
120
+ # consider enabling `Enterprise Mode` throughout your company.
121
+ #
122
+ # https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
123
+ # http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx
124
+
125
+ <IfModule mod_headers.c>
126
+
127
+ Header set X-UA-Compatible "IE=edge"
128
+
129
+ # `mod_headers` cannot match based on the content-type, however,
130
+ # the `X-UA-Compatible` response header should be send only for
131
+ # HTML documents and not for the other resources.
132
+
133
+ <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
134
+ Header unset X-UA-Compatible
135
+ </FilesMatch>
136
+
137
+ </IfModule>
138
+
139
+ # ----------------------------------------------------------------------
140
+ # | Iframes cookies |
141
+ # ----------------------------------------------------------------------
142
+
143
+ # Allow cookies to be set from iframes in Internet Explorer.
144
+ #
145
+ # https://msdn.microsoft.com/en-us/library/ms537343.aspx
146
+ # http://www.w3.org/TR/2000/CR-P3P-20001215/
147
+
148
+ # <IfModule mod_headers.c>
149
+ # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
150
+ # </IfModule>
151
+
152
+
153
+ # ######################################################################
154
+ # # MEDIA TYPES AND CHARACTER ENCODINGS #
155
+ # ######################################################################
156
+
157
+ # ----------------------------------------------------------------------
158
+ # | Media types |
159
+ # ----------------------------------------------------------------------
160
+
161
+ # Serve resources with the proper media types (f.k.a. MIME types).
162
+ #
163
+ # https://www.iana.org/assignments/media-types/media-types.xhtml
164
+ # https://httpd.apache.org/docs/current/mod/mod_mime.html#addtype
165
+
166
+ <IfModule mod_mime.c>
167
+
168
+ # Data interchange
169
+
170
+ AddType application/atom+xml atom
171
+ AddType application/json json map topojson
172
+ AddType application/ld+json jsonld
173
+ AddType application/rss+xml rss
174
+ AddType application/vnd.geo+json geojson
175
+ AddType application/xml rdf xml
176
+
177
+
178
+ # JavaScript
179
+
180
+ # Normalize to standard type.
181
+ # https://tools.ietf.org/html/rfc4329#section-7.2
182
+
183
+ AddType application/javascript js
184
+
185
+
186
+ # Manifest files
187
+
188
+ AddType application/manifest+json webmanifest
189
+ AddType application/x-web-app-manifest+json webapp
190
+ AddType text/cache-manifest appcache
191
+
192
+
193
+ # Media files
194
+
195
+ AddType audio/mp4 f4a f4b m4a
196
+ AddType audio/ogg oga ogg opus
197
+ AddType image/bmp bmp
198
+ AddType image/svg+xml svg svgz
199
+ AddType image/webp webp
200
+ AddType video/mp4 f4v f4p m4v mp4
201
+ AddType video/ogg ogv
202
+ AddType video/webm webm
203
+ AddType video/x-flv flv
204
+
205
+ # Serving `.ico` image files with a different media type
206
+ # prevents Internet Explorer from displaying then as images:
207
+ # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
208
+
209
+ AddType image/x-icon cur ico
210
+
211
+
212
+ # Web fonts
213
+
214
+ AddType application/font-woff woff
215
+ AddType application/font-woff2 woff2
216
+ AddType application/vnd.ms-fontobject eot
217
+
218
+ # Browsers usually ignore the font media types and simply sniff
219
+ # the bytes to figure out the font type.
220
+ # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
221
+ #
222
+ # However, Blink and WebKit based browsers will show a warning
223
+ # in the console if the following font types are served with any
224
+ # other media types.
225
+
226
+ AddType application/x-font-ttf ttc ttf
227
+ AddType font/opentype otf
228
+
229
+
230
+ # Other
231
+
232
+ AddType application/octet-stream safariextz
233
+ AddType application/x-bb-appworld bbaw
234
+ AddType application/x-chrome-extension crx
235
+ AddType application/x-opera-extension oex
236
+ AddType application/x-xpinstall xpi
237
+ AddType text/vcard vcard vcf
238
+ AddType text/vnd.rim.location.xloc xloc
239
+ AddType text/vtt vtt
240
+ AddType text/x-component htc
241
+
242
+ </IfModule>
243
+
244
+ # ----------------------------------------------------------------------
245
+ # | Character encodings |
246
+ # ----------------------------------------------------------------------
247
+
248
+ # Serve all resources labeled as `text/html` or `text/plain`
249
+ # with the media type `charset` parameter set to `UTF-8`.
250
+ #
251
+ # https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
252
+
253
+ AddDefaultCharset utf-8
254
+
255
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
256
+
257
+ # Serve the following file types with the media type `charset`
258
+ # parameter set to `UTF-8`.
259
+ #
260
+ # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
261
+
262
+ <IfModule mod_mime.c>
263
+ AddCharset utf-8 .atom \
264
+ .bbaw \
265
+ .css \
266
+ .geojson \
267
+ .js \
268
+ .json \
269
+ .jsonld \
270
+ .manifest \
271
+ .rdf \
272
+ .rss \
273
+ .topojson \
274
+ .vtt \
275
+ .webapp \
276
+ .webmanifest \
277
+ .xloc \
278
+ .xml
279
+ </IfModule>
280
+
281
+
282
+ # ######################################################################
283
+ # # REWRITES #
284
+ # ######################################################################
285
+
286
+ # ----------------------------------------------------------------------
287
+ # | Rewrite engine |
288
+ # ----------------------------------------------------------------------
289
+
290
+ # (1) Turn on the rewrite engine (this is necessary in order for
291
+ # the `RewriteRule` directives to work).
292
+ #
293
+ # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
294
+ #
295
+ # (2) Enable the `FollowSymLinks` option if it isn't already.
296
+ #
297
+ # https://httpd.apache.org/docs/current/mod/core.html#options
298
+ #
299
+ # (3) If your web host doesn't allow the `FollowSymlinks` option,
300
+ # you need to comment it out or remove it, and then uncomment
301
+ # the `Options +SymLinksIfOwnerMatch` line (4), but be aware
302
+ # of the performance impact.
303
+ #
304
+ # https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
305
+ #
306
+ # (4) Some cloud hosting services will require you set `RewriteBase`.
307
+ #
308
+ # https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
309
+ # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
310
+ #
311
+ # (5) Depending on how your server is set up, you may also need to
312
+ # use the `RewriteOptions` directive to enable some options for
313
+ # the rewrite engine.
314
+ #
315
+ # https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
316
+ #
317
+ # (6) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
318
+ # appropriate schema automatically (http or https).
319
+
320
+ <IfModule mod_rewrite.c>
321
+
322
+ # (1)
323
+ RewriteEngine On
324
+
325
+ # (2)
326
+ Options +FollowSymlinks
327
+
328
+ # (3)
329
+ # Options +SymLinksIfOwnerMatch
330
+
331
+ # (4)
332
+ # RewriteBase /
333
+
334
+ # (5)
335
+ # RewriteOptions <options>
336
+
337
+ # (6)
338
+ RewriteCond %{HTTPS} =on
339
+ RewriteRule ^ - [env=proto:https]
340
+ RewriteCond %{HTTPS} !=on
341
+ RewriteRule ^ - [env=proto:http]
342
+
343
+ </IfModule>
344
+
345
+ # ----------------------------------------------------------------------
346
+ # | Forcing `https://` |
347
+ # ----------------------------------------------------------------------
348
+
349
+ # Redirect from the `http://` to the `https://` version of the URL.
350
+ # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
351
+
352
+ # <IfModule mod_rewrite.c>
353
+ # RewriteEngine On
354
+ # RewriteCond %{HTTPS} !=on
355
+ # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
356
+ # </IfModule>
357
+
358
+ # ----------------------------------------------------------------------
359
+ # | Suppressing / Forcing the `www.` at the beginning of URLs |
360
+ # ----------------------------------------------------------------------
361
+
362
+ # The same content should never be available under two different
363
+ # URLs, especially not with and without `www.` at the beginning.
364
+ # This can cause SEO problems (duplicate content), and therefore,
365
+ # you should choose one of the alternatives and redirect the other
366
+ # one.
367
+ #
368
+ # By default `Option 1` (no `www.`) is activated.
369
+ # http://no-www.org/faq.php?q=class_b
370
+ #
371
+ # If you would prefer to use `Option 2`, just comment out all the
372
+ # lines from `Option 1` and uncomment the ones from `Option 2`.
373
+ #
374
+ # (!) NEVER USE BOTH RULES AT THE SAME TIME!
375
+
376
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
377
+
378
+ # Option 1: rewrite www.example.com → example.com
379
+
380
+ <IfModule mod_rewrite.c>
381
+ RewriteEngine On
382
+ RewriteCond %{HTTPS} !=on
383
+ RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
384
+ RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
385
+ </IfModule>
386
+
387
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
388
+
389
+ # Option 2: rewrite example.com → www.example.com
390
+ #
391
+ # Be aware that the following might not be a good idea if you use "real"
392
+ # subdomains for certain parts of your website.
393
+
394
+ # <IfModule mod_rewrite.c>
395
+ # RewriteEngine On
396
+ # RewriteCond %{HTTPS} !=on
397
+ # RewriteCond %{HTTP_HOST} !^www\. [NC]
398
+ # RewriteCond %{SERVER_ADDR} !=127.0.0.1
399
+ # RewriteCond %{SERVER_ADDR} !=::1
400
+ # RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
401
+ # </IfModule>
402
+
403
+
404
+ # ######################################################################
405
+ # # SECURITY #
406
+ # ######################################################################
407
+
408
+ # ----------------------------------------------------------------------
409
+ # | Clickjacking |
410
+ # ----------------------------------------------------------------------
411
+
412
+ # Protect website against clickjacking.
413
+ #
414
+ # The example below sends the `X-Frame-Options` response header with
415
+ # the value `DENY`, informing browsers not to display the content of
416
+ # the web page in any frame.
417
+ #
418
+ # This might not be the best setting for everyone. You should read
419
+ # about the other two possible values the `X-Frame-Options` header
420
+ # field can have: `SAMEORIGIN` and `ALLOW-FROM`.
421
+ # https://tools.ietf.org/html/rfc7034#section-2.1.
422
+ #
423
+ # Keep in mind that while you could send the `X-Frame-Options` header
424
+ # for all of your website’s pages, this has the potential downside that
425
+ # it forbids even non-malicious framing of your content (e.g.: when
426
+ # users visit your website using a Google Image Search results page).
427
+ #
428
+ # Nonetheless, you should ensure that you send the `X-Frame-Options`
429
+ # header for all pages that allow a user to make a state changing
430
+ # operation (e.g: pages that contain one-click purchase links, checkout
431
+ # or bank-transfer confirmation pages, pages that make permanent
432
+ # configuration changes, etc.).
433
+ #
434
+ # Sending the `X-Frame-Options` header can also protect your website
435
+ # against more than just clickjacking attacks:
436
+ # https://cure53.de/xfo-clickjacking.pdf.
437
+ #
438
+ # https://tools.ietf.org/html/rfc7034
439
+ # http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
440
+ # https://www.owasp.org/index.php/Clickjacking
441
+
442
+ # <IfModule mod_headers.c>
443
+
444
+ # Header set X-Frame-Options "DENY"
445
+
446
+ # # `mod_headers` cannot match based on the content-type, however,
447
+ # # the `X-Frame-Options` response header should be send only for
448
+ # # HTML documents and not for the other resources.
449
+
450
+ # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
451
+ # Header unset X-Frame-Options
452
+ # </FilesMatch>
453
+
454
+ # </IfModule>
455
+
456
+ # ----------------------------------------------------------------------
457
+ # | Content Security Policy (CSP) |
458
+ # ----------------------------------------------------------------------
459
+
460
+ # Mitigate the risk of cross-site scripting and other content-injection
461
+ # attacks.
462
+ #
463
+ # This can be done by setting a `Content Security Policy` which
464
+ # whitelists trusted sources of content for your website.
465
+ #
466
+ # The example header below allows ONLY scripts that are loaded from
467
+ # the current website's origin (no inline scripts, no CDN, etc).
468
+ # That almost certainly won't work as-is for your website!
469
+ #
470
+ # To make things easier, you can use an online CSP header generator
471
+ # such as: http://cspisawesome.com/.
472
+ #
473
+ # http://content-security-policy.com/
474
+ # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
475
+ # http://www.w3.org/TR/CSP11/).
476
+
477
+ # <IfModule mod_headers.c>
478
+
479
+ # Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
480
+
481
+ # # `mod_headers` cannot match based on the content-type, however,
482
+ # # the `Content-Security-Policy` response header should be send
483
+ # # only for HTML documents and not for the other resources.
484
+
485
+ # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
486
+ # Header unset Content-Security-Policy
487
+ # </FilesMatch>
488
+
489
+ # </IfModule>
490
+
491
+ # ----------------------------------------------------------------------
492
+ # | File access |
493
+ # ----------------------------------------------------------------------
494
+
495
+ # Block access to directories without a default document.
496
+ #
497
+ # You should leave the following uncommented, as you shouldn't allow
498
+ # anyone to surf through every directory on your server (which may
499
+ # includes rather private places such as the CMS's directories).
500
+
501
+ <IfModule mod_autoindex.c>
502
+ Options -Indexes
503
+ </IfModule>
504
+
505
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
506
+
507
+ # Block access to all hidden files and directories with the exception of
508
+ # the visible content from within the `/.well-known/` hidden directory.
509
+ #
510
+ # These types of files usually contain user preferences or the preserved
511
+ # state of an utility, and can include rather private places like, for
512
+ # example, the `.git` or `.svn` directories.
513
+ #
514
+ # The `/.well-known/` directory represents the standard (RFC 5785) path
515
+ # prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
516
+ # `/.well-known/keybase.txt`), and therefore, access to its visible
517
+ # content should not be blocked.
518
+ #
519
+ # https://www.mnot.net/blog/2010/04/07/well-known
520
+ # https://tools.ietf.org/html/rfc5785
521
+
522
+ <IfModule mod_rewrite.c>
523
+ RewriteEngine On
524
+ RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
525
+ RewriteCond %{SCRIPT_FILENAME} -d [OR]
526
+ RewriteCond %{SCRIPT_FILENAME} -f
527
+ RewriteRule "(^|/)\." - [F]
528
+ </IfModule>
529
+
530
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
531
+
532
+ # Block access to files that can expose sensitive information.
533
+ #
534
+ # By default, block access to backup and source files that may be
535
+ # left by some text editors and can pose a security risk when anyone
536
+ # has access to them.
537
+ #
538
+ # http://feross.org/cmsploit/
539
+ #
540
+ # (!) Update the `<FilesMatch>` regular expression from below to
541
+ # include any files that might end up on your production server and
542
+ # can expose sensitive information about your website. These files may
543
+ # include: configuration files, files that contain metadata about the
544
+ # project (e.g.: project dependencies), build scripts, etc..
545
+
546
+ <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
547
+
548
+ # Apache < 2.3
549
+ <IfModule !mod_authz_core.c>
550
+ Order allow,deny
551
+ Deny from all
552
+ Satisfy All
553
+ </IfModule>
554
+
555
+ # Apache ≥ 2.3
556
+ <IfModule mod_authz_core.c>
557
+ Require all denied
558
+ </IfModule>
559
+
560
+ </FilesMatch>
561
+
562
+ # ----------------------------------------------------------------------
563
+ # | HTTP Strict Transport Security (HSTS) |
564
+ # ----------------------------------------------------------------------
565
+
566
+ # Force client-side SSL redirection.
567
+ #
568
+ # If a user types `example.com` in their browser, even if the server
569
+ # redirects them to the secure version of the website, that still leaves
570
+ # a window of opportunity (the initial HTTP connection) for an attacker
571
+ # to downgrade or redirect the request.
572
+ #
573
+ # The following header ensures that browser will ONLY connect to your
574
+ # server via HTTPS, regardless of what the users type in the browser's
575
+ # address bar.
576
+ #
577
+ # (!) Remove the `includeSubDomains` optional directive if the website's
578
+ # subdomains are not using HTTPS.
579
+ #
580
+ # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
581
+ # https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
582
+ # http://blogs.msdn.com/b/ieinternals/archive/2014/08/18/hsts-strict-transport-security-attacks-mitigations-deployment-https.aspx
583
+
584
+ # <IfModule mod_headers.c>
585
+ # Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
586
+ # </IfModule>
587
+
588
+ # ----------------------------------------------------------------------
589
+ # | Reducing MIME type security risks |
590
+ # ----------------------------------------------------------------------
591
+
592
+ # Prevent some browsers from MIME-sniffing the response.
593
+ #
594
+ # This reduces exposure to drive-by download attacks and cross-origin
595
+ # data leaks, and should be left uncommented, especially if the server
596
+ # is serving user-uploaded content or content that could potentially be
597
+ # treated as executable by the browser.
598
+ #
599
+ # http://www.slideshare.net/hasegawayosuke/owasp-hasegawa
600
+ # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
601
+ # https://msdn.microsoft.com/en-us/library/ie/gg622941.aspx
602
+ # https://mimesniff.spec.whatwg.org/
603
+
604
+ <IfModule mod_headers.c>
605
+ Header set X-Content-Type-Options "nosniff"
606
+ </IfModule>
607
+
608
+ # ----------------------------------------------------------------------
609
+ # | Reflected Cross-Site Scripting (XSS) attacks |
610
+ # ----------------------------------------------------------------------
611
+
612
+ # (1) Try to re-enable the cross-site scripting (XSS) filter built
613
+ # into most web browsers.
614
+ #
615
+ # The filter is usually enabled by default, but in some cases it
616
+ # may be disabled by the user. However, in Internet Explorer for
617
+ # example, it can be re-enabled just by sending the
618
+ # `X-XSS-Protection` header with the value of `1`.
619
+ #
620
+ # (2) Prevent web browsers from rendering the web page if a potential
621
+ # reflected (a.k.a non-persistent) XSS attack is detected by the
622
+ # filter.
623
+ #
624
+ # By default, if the filter is enabled and browsers detect a
625
+ # reflected XSS attack, they will attempt to block the attack
626
+ # by making the smallest possible modifications to the returned
627
+ # web page.
628
+ #
629
+ # Unfortunately, in some browsers (e.g.: Internet Explorer),
630
+ # this default behavior may allow the XSS filter to be exploited,
631
+ # thereby, it's better to inform browsers to prevent the rendering
632
+ # of the page altogether, instead of attempting to modify it.
633
+ #
634
+ # https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
635
+ #
636
+ # (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
637
+ # you are taking all possible measures to prevent XSS attacks, the
638
+ # most obvious being: validating and sanitizing your website's inputs.
639
+ #
640
+ # http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
641
+ # http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx
642
+ # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
643
+
644
+ # <IfModule mod_headers.c>
645
+
646
+ # # (1) (2)
647
+ # Header set X-XSS-Protection "1; mode=block"
648
+
649
+ # # `mod_headers` cannot match based on the content-type, however,
650
+ # # the `X-XSS-Protection` response header should be send only for
651
+ # # HTML documents and not for the other resources.
652
+
653
+ # <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
654
+ # Header unset X-XSS-Protection
655
+ # </FilesMatch>
656
+
657
+ # </IfModule>
658
+
659
+ # ----------------------------------------------------------------------
660
+ # | Server-side technology information |
661
+ # ----------------------------------------------------------------------
662
+
663
+ # Remove the `X-Powered-By` response header that:
664
+ #
665
+ # * is set by some frameworks and server-side languages
666
+ # (e.g.: ASP.NET, PHP), and its value contains information
667
+ # about them (e.g.: their name, version number)
668
+ #
669
+ # * doesn't provide any value as far as users are concern,
670
+ # and in some cases, the information provided by it can
671
+ # be used by attackers
672
+ #
673
+ # (!) If you can, you should disable the `X-Powered-By` header from the
674
+ # language / framework level (e.g.: for PHP, you can do that by setting
675
+ # `expose_php = off` in `php.ini`)
676
+ #
677
+ # https://php.net/manual/en/ini.core.php#ini.expose-php
678
+
679
+ <IfModule mod_headers.c>
680
+ Header unset X-Powered-By
681
+ </IfModule>
682
+
683
+ # ----------------------------------------------------------------------
684
+ # | Server software information |
685
+ # ----------------------------------------------------------------------
686
+
687
+ # Prevent Apache from adding a trailing footer line containing
688
+ # information about the server to the server-generated documents
689
+ # (e.g.: error messages, directory listings, etc.)
690
+ #
691
+ # https://httpd.apache.org/docs/current/mod/core.html#serversignature
692
+
693
+ ServerSignature Off
694
+
695
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
696
+
697
+ # Prevent Apache from sending in the `Server` response header its
698
+ # exact version number, the description of the generic OS-type or
699
+ # information about its compiled-in modules.
700
+ #
701
+ # (!) The `ServerTokens` directive will only work in the main server
702
+ # configuration file, so don't try to enable it in the `.htaccess` file!
703
+ #
704
+ # https://httpd.apache.org/docs/current/mod/core.html#servertokens
705
+
706
+ #ServerTokens Prod
707
+
708
+
709
+ # ######################################################################
710
+ # # WEB PERFORMANCE #
711
+ # ######################################################################
712
+
713
+ # ----------------------------------------------------------------------
714
+ # | Compression |
715
+ # ----------------------------------------------------------------------
716
+
717
+ <IfModule mod_deflate.c>
718
+
719
+ # Force compression for mangled `Accept-Encoding` request headers
720
+ # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
721
+
722
+ <IfModule mod_setenvif.c>
723
+ <IfModule mod_headers.c>
724
+ SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
725
+ RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
726
+ </IfModule>
727
+ </IfModule>
728
+
729
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
730
+
731
+ # Compress all output labeled with one of the following media types.
732
+ #
733
+ # (!) For Apache versions below version 2.3.7 you don't need to
734
+ # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
735
+ # and `</IfModule>` lines as `AddOutputFilterByType` is still in
736
+ # the core directives.
737
+ #
738
+ # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
739
+
740
+ <IfModule mod_filter.c>
741
+ AddOutputFilterByType DEFLATE "application/atom+xml" \
742
+ "application/javascript" \
743
+ "application/json" \
744
+ "application/ld+json" \
745
+ "application/manifest+json" \
746
+ "application/rdf+xml" \
747
+ "application/rss+xml" \
748
+ "application/schema+json" \
749
+ "application/vnd.geo+json" \
750
+ "application/vnd.ms-fontobject" \
751
+ "application/x-font-ttf" \
752
+ "application/x-javascript" \
753
+ "application/x-web-app-manifest+json" \
754
+ "application/xhtml+xml" \
755
+ "application/xml" \
756
+ "font/eot" \
757
+ "font/opentype" \
758
+ "image/bmp" \
759
+ "image/svg+xml" \
760
+ "image/vnd.microsoft.icon" \
761
+ "image/x-icon" \
762
+ "text/cache-manifest" \
763
+ "text/css" \
764
+ "text/html" \
765
+ "text/javascript" \
766
+ "text/plain" \
767
+ "text/vcard" \
768
+ "text/vnd.rim.location.xloc" \
769
+ "text/vtt" \
770
+ "text/x-component" \
771
+ "text/x-cross-domain-policy" \
772
+ "text/xml"
773
+
774
+ </IfModule>
775
+
776
+ # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
777
+
778
+ # Map the following filename extensions to the specified
779
+ # encoding type in order to make Apache serve the file types
780
+ # with the appropriate `Content-Encoding` response header
781
+ # (do note that this will NOT make Apache compress them!).
782
+ #
783
+ # If these files types would be served without an appropriate
784
+ # `Content-Enable` response header, client applications (e.g.:
785
+ # browsers) wouldn't know that they first need to uncompress
786
+ # the response, and thus, wouldn't be able to understand the
787
+ # content.
788
+ #
789
+ # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
790
+
791
+ <IfModule mod_mime.c>
792
+ AddEncoding gzip svgz
793
+ </IfModule>
794
+
795
+ </IfModule>
796
+
797
+ # ----------------------------------------------------------------------
798
+ # | Content transformation |
799
+ # ----------------------------------------------------------------------
800
+
801
+ # Prevent intermediate caches or proxies (e.g.: such as the ones
802
+ # used by mobile network providers) from modifying the website's
803
+ # content.
804
+ #
805
+ # https://tools.ietf.org/html/rfc2616#section-14.9.5
806
+ #
807
+ # (!) If you are using `mod_pagespeed`, please note that setting
808
+ # the `Cache-Control: no-transform` response header will prevent
809
+ # `PageSpeed` from rewriting `HTML` files, and, if the
810
+ # `ModPagespeedDisableRewriteOnNoTransform` directive isn't set
811
+ # to `off`, also from rewriting other resources.
812
+ #
813
+ # https://developers.google.com/speed/pagespeed/module/configuration#notransform
814
+
815
+ # <IfModule mod_headers.c>
816
+ # Header merge Cache-Control "no-transform"
817
+ # </IfModule>
818
+
819
+ # ----------------------------------------------------------------------
820
+ # | ETags |
821
+ # ----------------------------------------------------------------------
822
+
823
+ # Remove `ETags` as resources are sent with far-future expires headers.
824
+ #
825
+ # https://developer.yahoo.com/performance/rules.html#etags
826
+ # https://tools.ietf.org/html/rfc7232#section-2.3
827
+
828
+ # `FileETag None` doesn't work in all cases.
829
+ <IfModule mod_headers.c>
830
+ Header unset ETag
831
+ </IfModule>
832
+
833
+ FileETag None
834
+
835
+ # ----------------------------------------------------------------------
836
+ # | Expires headers |
837
+ # ----------------------------------------------------------------------
838
+
839
+ # Serve resources with far-future expires headers.
840
+ #
841
+ # (!) If you don't control versioning with filename-based
842
+ # cache busting, you should consider lowering the cache times
843
+ # to something like one week.
844
+ #
845
+ # https://httpd.apache.org/docs/current/mod/mod_expires.html
846
+
847
+ <IfModule mod_expires.c>
848
+
849
+ ExpiresActive on
850
+ ExpiresDefault "access plus 1 month"
851
+
852
+ # CSS
853
+
854
+ ExpiresByType text/css "access plus 1 year"
855
+
856
+
857
+ # Data interchange
858
+
859
+ ExpiresByType application/atom+xml "access plus 1 hour"
860
+ ExpiresByType application/rdf+xml "access plus 1 hour"
861
+ ExpiresByType application/rss+xml "access plus 1 hour"
862
+
863
+ ExpiresByType application/json "access plus 0 seconds"
864
+ ExpiresByType application/ld+json "access plus 0 seconds"
865
+ ExpiresByType application/schema+json "access plus 0 seconds"
866
+ ExpiresByType application/vnd.geo+json "access plus 0 seconds"
867
+ ExpiresByType application/xml "access plus 0 seconds"
868
+ ExpiresByType text/xml "access plus 0 seconds"
869
+
870
+
871
+ # Favicon (cannot be renamed!) and cursor images
872
+
873
+ ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
874
+ ExpiresByType image/x-icon "access plus 1 week"
875
+
876
+ # HTML
877
+
878
+ ExpiresByType text/html "access plus 0 seconds"
879
+
880
+
881
+ # JavaScript
882
+
883
+ ExpiresByType application/javascript "access plus 1 year"
884
+ ExpiresByType application/x-javascript "access plus 1 year"
885
+ ExpiresByType text/javascript "access plus 1 year"
886
+
887
+
888
+ # Manifest files
889
+
890
+ ExpiresByType application/manifest+json "access plus 1 week"
891
+ ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
892
+ ExpiresByType text/cache-manifest "access plus 0 seconds"
893
+
894
+
895
+ # Media files
896
+
897
+ ExpiresByType audio/ogg "access plus 1 month"
898
+ ExpiresByType image/bmp "access plus 1 month"
899
+ ExpiresByType image/gif "access plus 1 month"
900
+ ExpiresByType image/jpeg "access plus 1 month"
901
+ ExpiresByType image/png "access plus 1 month"
902
+ ExpiresByType image/svg+xml "access plus 1 month"
903
+ ExpiresByType image/webp "access plus 1 month"
904
+ ExpiresByType video/mp4 "access plus 1 month"
905
+ ExpiresByType video/ogg "access plus 1 month"
906
+ ExpiresByType video/webm "access plus 1 month"
907
+
908
+
909
+ # Web fonts
910
+
911
+ # Embedded OpenType (EOT)
912
+ ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
913
+ ExpiresByType font/eot "access plus 1 month"
914
+
915
+ # OpenType
916
+ ExpiresByType font/opentype "access plus 1 month"
917
+
918
+ # TrueType
919
+ ExpiresByType application/x-font-ttf "access plus 1 month"
920
+
921
+ # Web Open Font Format (WOFF) 1.0
922
+ ExpiresByType application/font-woff "access plus 1 month"
923
+ ExpiresByType application/x-font-woff "access plus 1 month"
924
+ ExpiresByType font/woff "access plus 1 month"
925
+
926
+ # Web Open Font Format (WOFF) 2.0
927
+ ExpiresByType application/font-woff2 "access plus 1 month"
928
+
929
+
930
+ # Other
931
+
932
+ ExpiresByType text/x-cross-domain-policy "access plus 1 week"
933
+
934
+ </IfModule>
935
+
936
+ # ----------------------------------------------------------------------
937
+ # | File concatenation |
938
+ # ----------------------------------------------------------------------
939
+
940
+ # Allow concatenation from within specific files.
941
+ #
942
+ # e.g.:
943
+ #
944
+ # If you have the following lines in a file called, for
945
+ # example, `main.combined.js`:
946
+ #
947
+ # <!--#include file="js/jquery.js" -->
948
+ # <!--#include file="js/jquery.timer.js" -->
949
+ #
950
+ # Apache will replace those lines with the content of the
951
+ # specified files.
952
+
953
+ # <IfModule mod_include.c>
954
+ # <FilesMatch "\.combined\.js$">
955
+ # Options +Includes
956
+ # AddOutputFilterByType INCLUDES application/javascript \
957
+ # application/x-javascript \
958
+ # text/javascript
959
+ # SetOutputFilter INCLUDES
960
+ # </FilesMatch>
961
+ # <FilesMatch "\.combined\.css$">
962
+ # Options +Includes
963
+ # AddOutputFilterByType INCLUDES text/css
964
+ # SetOutputFilter INCLUDES
965
+ # </FilesMatch>
966
+ # </IfModule>
967
+
968
+ # ----------------------------------------------------------------------
969
+ # | Filename-based cache busting |
970
+ # ----------------------------------------------------------------------
971
+
972
+ # If you're not using a build process to manage your filename version
973
+ # revving, you might want to consider enabling the following directives
974
+ # to route all requests such as `/style.12345.css` to `/style.css`.
975
+ #
976
+ # To understand why this is important and even a better solution than
977
+ # using something like `*.css?v231`, please see:
978
+ # http://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
979
+
980
+ # <IfModule mod_rewrite.c>
981
+ # RewriteEngine On
982
+ # RewriteCond %{REQUEST_FILENAME} !-f
983
+ # RewriteRule ^(.+)\.(\d+)\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest)$ $1.$3 [L]
984
+ # </IfModule>