1 # Apache Configuration File
3 # (!) Using `.htaccess` files slows down Apache, therefore, if you have access
4 # to the main server config file (usually called `httpd.conf`), you should add
5 # this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
7 # ##############################################################################
8 # # CROSS-ORIGIN RESOURCE SHARING (CORS) #
9 # ##############################################################################
11 # ------------------------------------------------------------------------------
12 # | Cross-domain AJAX requests |
13 # ------------------------------------------------------------------------------
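15 # Enable cross-origin AJAX requests. With the `*` value below, scripts on any origin can read these responses, so enable it only for content that is meant to be public.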
16 # http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
17 # http://enable-cors.org/
19 # <IfModule mod_headers.c>
20 # Header set Access-Control-Allow-Origin "*"
23 # ------------------------------------------------------------------------------
24 # | CORS-enabled images |
25 # ------------------------------------------------------------------------------
27 # Send the CORS header for images when browsers request it.
28 # https://developer.mozilla.org/en/CORS_Enabled_Image
29 # http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
30 # http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
32 <IfModule mod_setenvif.c>
33 <IfModule mod_headers.c>
34 <FilesMatch "\.(gif|ico|jpe?g|png|svg|svgz|webp)$">
35 SetEnvIf Origin ":" IS_CORS
36 Header set Access-Control-Allow-Origin "*" env=IS_CORS
41 # ------------------------------------------------------------------------------
42 # | Web fonts access |
43 # ------------------------------------------------------------------------------
45 # Allow access from all domains for web fonts
47 <IfModule mod_headers.c>
48 <FilesMatch "\.(eot|font.css|otf|ttc|ttf|woff)$">
49 Header set Access-Control-Allow-Origin "*"
54 # ##############################################################################
56 # ##############################################################################
58 # ------------------------------------------------------------------------------
59 # | 404 error prevention for non-existing redirected folders |
60 # ------------------------------------------------------------------------------
62 # Prevent Apache from returning a 404 error for a rewrite if a directory
63 # with the same name does not exist.
64 # http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
65 # http://www.webmasterworld.com/apache/3808792.htm
69 # ------------------------------------------------------------------------------
70 # | Custom error messages / pages |
71 # ------------------------------------------------------------------------------
73 # You can customize what Apache returns to the client in case of an error (see
74 # http://httpd.apache.org/docs/current/mod/core.html#errordocument), e.g.:
76 ErrorDocument 404 /404.html
79 # ##############################################################################
80 # # INTERNET EXPLORER #
81 # ##############################################################################
83 # ------------------------------------------------------------------------------
84 # | Better website experience |
85 # ------------------------------------------------------------------------------
87 # Force IE to render pages in the highest available mode in the various
88 # cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf.
90 <IfModule mod_headers.c>
91 Header set X-UA-Compatible "IE=edge"
92 # `mod_headers` can't match based on the content-type, however, we only
93 # want to send this header for HTML pages and not for the other resources
94 <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
95 Header unset X-UA-Compatible
99 # ------------------------------------------------------------------------------
100 # | Cookie setting from iframes |
101 # ------------------------------------------------------------------------------
103 # Allow cookies to be set from iframes in IE.
105 # <IfModule mod_headers.c>
106 # Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
109 # ------------------------------------------------------------------------------
111 # ------------------------------------------------------------------------------
113 # Stop screen flicker in IE on CSS rollovers (this only works in
114 # combination with the `ExpiresByType` directives for images from below).
116 # BrowserMatch "MSIE" brokenvary=1
117 # BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
118 # BrowserMatch "Opera" !brokenvary
119 # SetEnvIf brokenvary 1 force-no-vary
122 # ##############################################################################
123 # # MIME TYPES AND ENCODING #
124 # ##############################################################################
126 # ------------------------------------------------------------------------------
127 # | Proper MIME types for all files |
128 # ------------------------------------------------------------------------------
130 <IfModule mod_mime.c>
133 AddType audio/mp4 m4a f4a f4b
134 AddType audio/ogg oga ogg
137 # Normalize to standard type (it's sniffed in IE anyways):
138 # http://tools.ietf.org/html/rfc4329#section-7.2
139 AddType application/javascript js jsonp
140 AddType application/json json
143 AddType video/mp4 mp4 m4v f4v f4p
144 AddType video/ogg ogv
145 AddType video/webm webm
146 AddType video/x-flv flv
149 AddType application/font-woff woff
150 AddType application/vnd.ms-fontobject eot
152 # Browsers usually ignore the font MIME types and sniff the content,
153 # however, Chrome shows a warning if other MIME types are used for the fonts below.
155 AddType application/x-font-ttf ttc ttf
156 AddType font/opentype otf
158 # Make SVGZ fonts work on iPad:
159 # https://twitter.com/FontSquirrel/status/14855840545
160 AddType image/svg+xml svg svgz
161 AddEncoding gzip svgz
164 AddType application/octet-stream safariextz
165 AddType application/x-chrome-extension crx
166 AddType application/x-opera-extension oex
167 AddType application/x-shockwave-flash swf
168 AddType application/x-web-app-manifest+json webapp
169 AddType application/x-xpinstall xpi
170 AddType application/xml atom rdf rss xml
171 AddType image/webp webp
172 AddType image/x-icon ico
173 AddType text/cache-manifest appcache manifest
175 AddType text/x-component htc
176 AddType text/x-vcard vcf
180 # ------------------------------------------------------------------------------
182 # ------------------------------------------------------------------------------
184 # Use UTF-8 encoding for anything served as `text/html` or `text/plain`.
185 AddDefaultCharset utf-8
187 # Force UTF-8 for certain file formats.
188 <IfModule mod_mime.c>
189 AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
193 # ##############################################################################
195 # ##############################################################################
197 # ------------------------------------------------------------------------------
199 # ------------------------------------------------------------------------------
201 # Turning on the rewrite engine and enabling the `FollowSymLinks` option is
202 # necessary for the following directives to work.
204 # If your web host doesn't allow the `FollowSymlinks` option, you may need to
205 # comment it out and use `Options +SymLinksIfOwnerMatch`, but be aware of the
206 # performance impact: http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
208 # Also, some cloud hosting services require `RewriteBase` to be set:
209 # http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-mod-rewrite-not-working-on-my-site
211 <IfModule mod_rewrite.c>
212 Options +FollowSymlinks
213 # Options +SymLinksIfOwnerMatch
218 # ------------------------------------------------------------------------------
219 # | Suppressing / Forcing the "www." at the beginning of URLs |
220 # ------------------------------------------------------------------------------
222 # The same content should never be available under two different URLs, especially
223 # not with and without "www." at the beginning. This can cause SEO problems
224 # (duplicate content), therefore, you should choose one of the alternatives and
225 # redirect the other one.
227 # By default option 1 (no "www.") is activated:
228 # http://no-www.org/faq.php?q=class_b
230 # If you'd prefer to use option 2, just comment out all the lines from option 1
231 # and uncomment the ones from option 2.
233 # IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
235 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
237 # Option 1: rewrite www.example.com → example.com
239 <IfModule mod_rewrite.c>
240 RewriteCond %{HTTPS} !=on
241 RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
242 RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
245 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
247 # Option 2: rewrite example.com → www.example.com
249 # Be aware that the following might not be a good idea if you use "real"
250 # subdomains for certain parts of your website.
252 # <IfModule mod_rewrite.c>
253 # RewriteCond %{HTTPS} !=on
254 # RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
255 # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
259 # ##############################################################################
261 # ##############################################################################
263 # ------------------------------------------------------------------------------
264 # | Content Security Policy (CSP) |
265 # ------------------------------------------------------------------------------
267 # You can mitigate the risk of cross-site scripting and other content-injection
268 # attacks by setting a Content Security Policy which whitelists trusted sources
269 # of content for your site.
271 # The example header below allows ONLY scripts that are loaded from the current
272 # site's origin (no inline scripts, no CDN, etc). This almost certainly won't
273 # work as-is for your site!
275 # To get all the details you'll need to craft a reasonable policy for your site,
276 # read: http://html5rocks.com/en/tutorials/security/content-security-policy (or
277 # see the specification: http://w3.org/TR/CSP).
279 # <IfModule mod_headers.c>
280 # Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
281 # <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
282 # Header unset Content-Security-Policy
286 # ------------------------------------------------------------------------------
288 # ------------------------------------------------------------------------------
290 # Block access to directories without a default document.
291 # Usually you should leave this uncommented because you shouldn't allow anyone
292 # to surf through every directory on your server (which may include rather
293 # private places like the CMS's directories).
295 <IfModule mod_autoindex.c>
299 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
301 # Block access to hidden files and directories.
302 # This includes directories used by version control systems such as Git and SVN.
304 <IfModule mod_rewrite.c>
305 RewriteCond %{SCRIPT_FILENAME} -d [OR]
306 RewriteCond %{SCRIPT_FILENAME} -f
307 RewriteRule "(^|/)\." - [F]
310 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
312 # Block access to backup and source files.
313 # These files may be left by some text editors and can pose a great security
314 # danger when anyone has access to them.
316 <FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
322 # ------------------------------------------------------------------------------
323 # | Secure Sockets Layer (SSL) |
324 # ------------------------------------------------------------------------------
326 # Rewrite secure requests properly to prevent SSL certificate warnings, e.g.:
327 # prevent `https://www.example.com` when your certificate only allows
328 # `https://secure.example.com`.
330 # <IfModule mod_rewrite.c>
331 # RewriteCond %{SERVER_PORT} !^443
332 # RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
335 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
337 # Force client-side SSL redirection.
339 # If a user types "example.com" in his browser, the above rule will redirect him
340 # to the secure version of the site. That still leaves a window of opportunity
341 # (the initial HTTP connection) for an attacker to downgrade or redirect the
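342 # request. The following header ensures that the browser will ONLY connect to your
343 # server via HTTPS, regardless of what the users type in the address bar. Browsers honor this header only when it arrives over HTTPS, so a first visit made over plain HTTP is still exposed.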
344 # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
346 # <IfModule mod_headers.c>
347 # Header set Strict-Transport-Security max-age=16070400;
350 # ------------------------------------------------------------------------------
351 # | Server software information |
352 # ------------------------------------------------------------------------------
354 # Avoid displaying the exact Apache version number, the description of the
355 # generic OS-type and the information about Apache's compiled-in modules.
357 # ADD THIS DIRECTIVE IN THE `httpd.conf` AS IT WILL NOT WORK IN THE `.htaccess`!
362 # ##############################################################################
363 # # WEB PERFORMANCE #
364 # ##############################################################################
366 # ------------------------------------------------------------------------------
368 # ------------------------------------------------------------------------------
370 <IfModule mod_deflate.c>
372 # Force compression for mangled headers.
373 # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
374 <IfModule mod_setenvif.c>
375 <IfModule mod_headers.c>
376 SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
377 RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
381 # Compress all output labeled with one of the following MIME-types
382 # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
383 # and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
384 # as `AddOutputFilterByType` is still in the core directives).
385 <IfModule mod_filter.c>
386 AddOutputFilterByType DEFLATE application/atom+xml \
387 application/javascript \
389 application/rss+xml \
390 application/vnd.ms-fontobject \
391 application/x-font-ttf \
392 application/x-web-app-manifest+json \
393 application/xhtml+xml \
407 # ------------------------------------------------------------------------------
408 # | Content transformations |
409 # ------------------------------------------------------------------------------
411 # Prevent some of the mobile network providers from modifying the content of
412 # your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
414 # <IfModule mod_headers.c>
415 # Header set Cache-Control "no-transform"
418 # ------------------------------------------------------------------------------
420 # ------------------------------------------------------------------------------
422 # Since we're sending far-future expires headers (see below), ETags can
423 # be removed: http://developer.yahoo.com/performance/rules.html#etags.
425 # `FileETag None` is not enough for every server.
426 <IfModule mod_headers.c>
432 # ------------------------------------------------------------------------------
433 # | Expires headers (for better cache control) |
434 # ------------------------------------------------------------------------------
436 # The following expires headers are set pretty far in the future. If you don't
437 # control versioning with filename-based cache busting, consider lowering the
438 # cache time for resources like CSS and JS to something like 1 week.
440 <IfModule mod_expires.c>
443 ExpiresDefault "access plus 1 month"
446 ExpiresByType text/css "access plus 1 year"
449 ExpiresByType application/json "access plus 0 seconds"
450 ExpiresByType application/xml "access plus 0 seconds"
451 ExpiresByType text/xml "access plus 0 seconds"
453 # Favicon (cannot be renamed!)
454 ExpiresByType image/x-icon "access plus 1 week"
456 # HTML components (HTCs)
457 ExpiresByType text/x-component "access plus 1 month"
460 ExpiresByType text/html "access plus 0 seconds"
463 ExpiresByType application/javascript "access plus 1 year"
466 ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
467 ExpiresByType text/cache-manifest "access plus 0 seconds"
470 ExpiresByType audio/ogg "access plus 1 month"
471 ExpiresByType image/gif "access plus 1 month"
472 ExpiresByType image/jpeg "access plus 1 month"
473 ExpiresByType image/png "access plus 1 month"
474 ExpiresByType video/mp4 "access plus 1 month"
475 ExpiresByType video/ogg "access plus 1 month"
476 ExpiresByType video/webm "access plus 1 month"
479 ExpiresByType application/atom+xml "access plus 1 hour"
480 ExpiresByType application/rss+xml "access plus 1 hour"
483 ExpiresByType application/font-woff "access plus 1 month"
484 ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
485 ExpiresByType application/x-font-ttf "access plus 1 month"
486 ExpiresByType font/opentype "access plus 1 month"
487 ExpiresByType image/svg+xml "access plus 1 month"
491 # ------------------------------------------------------------------------------
492 # | Filename-based cache busting |
493 # ------------------------------------------------------------------------------
495 # If you're not using a build process to manage your filename version revving,
496 # you might want to consider enabling the following directives to route all
497 # requests such as `/css/style.12345.css` to `/css/style.css`.
499 # To understand why this is important and a better idea than `*.css?v231`, read:
500 # http://stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring
502 # <IfModule mod_rewrite.c>
503 # RewriteCond %{REQUEST_FILENAME} !-f
504 # RewriteCond %{REQUEST_FILENAME} !-d
505 # RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
508 # ------------------------------------------------------------------------------
509 # | File concatenation |
510 # ------------------------------------------------------------------------------
512 # Allow concatenation from within specific CSS and JS files, e.g.:
513 # Inside of `script.combined.js` you could have
514 # <!--#include file="libs/jquery.js" -->
515 # <!--#include file="plugins/jquery.idletimer.js" -->
516 # and they would be included into this single file.
518 # <IfModule mod_include.c>
519 # <FilesMatch "\.combined\.js$">
521 # AddOutputFilterByType INCLUDES application/javascript application/json
522 # SetOutputFilter INCLUDES
524 # <FilesMatch "\.combined\.css$">
526 # AddOutputFilterByType INCLUDES text/css
527 # SetOutputFilter INCLUDES
531 # ------------------------------------------------------------------------------
532 # | Persistent connections |
533 # ------------------------------------------------------------------------------
535 # Allow multiple requests to be sent over the same TCP connection:
536 # http://httpd.apache.org/docs/current/en/mod/core.html#keepalive.
538 # Enable if you serve a lot of static content, but be aware of the
539 # possible disadvantages!
541 # <IfModule mod_headers.c>
542 # Header set Connection Keep-Alive