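# ----------------------------------------------------------------------
# ----------------------------------------------------------------------
# STRONG HTACCESS PROTECTION
#
# Server-wide prerequisites that cannot be set from .htaccess:
#   * /etc/apache2/conf-enabled/security.conf -> `ServerTokens Prod`
#   * the matching `AllowOverride` (Options, FileInfo, AuthConfig/Limit)
#     for the directory, otherwise Apache answers 500 for every request.
#
# Every module-specific directive below is wrapped in <IfModule> so a
# server without that module does not fail with "Invalid command" for
# the whole site (the original file had no such guards; in particular
# the mod_gzip directives are an Apache 1.3 leftover).
# ----------------------------------------------------------------------
# ----------------------------------------------------------------------

# ----------------------------------------------------------------------
# | File access                                                        |
# ----------------------------------------------------------------------

# No auto-generated directory listings.
Options -Indexes

# No content negotiation: stops Apache from serving a "similar" file
# when the requested one does not exist.
Options -MultiViews

# Server software information: no version footer on error pages.
ServerSignature Off

# Do not derive ETags from inode/size/mtime (the header itself is
# removed further down with `Header unset ETag`).
FileETag None

# Character encodings
AddDefaultCharset utf-8

# ----------------------------------------------------------------------
# | Block access to files that can expose sensitive information        |
# ----------------------------------------------------------------------
# NOTE(review): the original had a bare `Require all denied` here with
# no enclosing <FilesMatch> (lost in extraction or by mistake).  In
# .htaccess context a bare `Require all denied` denies the WHOLE site.
# The pattern below covers common backup / config / dump / editor
# artefacts; extend it for your deployment (e.g. `.env`, `.git`).
<IfModule mod_authz_core.c>
  <FilesMatch "(^#.*#|\.(bak|conf|dist|env|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
    Require all denied
  </FilesMatch>
</IfModule>

# ----------------------------------------------------------------------
# | Security headers                                                   |
# ----------------------------------------------------------------------

<IfModule mod_headers.c>

  # Cross-origin web fonts.
  # Scoped to font files only: the original set an unconditional
  # `Access-Control-Allow-Origin: *` on EVERY response (HTML, JSON, ...),
  # which lets any origin read those bodies cross-site.  The extension
  # list matches the font `AddType`s at the end of this file.
  <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>

  # `X-UA-Compatible` only for HTML documents.
  # Apache 2.4 `expr=` conditions CAN match on the response content
  # type, so the blanket `Header unset X-UA-Compatible` the original
  # added right after this line (which removed the header again on
  # every response, HTML included) is gone.
  Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

  # Legacy XSS auditor.
  # Modern browsers have removed it; in the old ones that still have
  # it, `1; mode=block` can itself be abused for cross-site leaks, so
  # current guidance (OWASP) is to disable it explicitly and rely on
  # Content-Security-Policy.  The original set `1; mode=block` and then
  # unset the header unconditionally, so nothing was sent at all.
  Header set X-XSS-Protection "0" "expr=%{CONTENT_TYPE} =~ m#text/html#i"

  # Clickjacking: one X-Frame-Options value, in the `always` table so
  # it is present on error responses too.  The original additionally
  # `append`ed the same value, producing "SAMEORIGIN, SAMEORIGIN" -
  # a list browsers treat as invalid.
  Header always set X-Frame-Options "SAMEORIGIN"

  # Same restriction for CSP-aware browsers (frame-ancestors takes
  # precedence over X-Frame-Options where both are present).
  # NOTE(review): if the application already sends its own CSP, fold
  # this directive into it instead of sending two policies.
  Header always set Content-Security-Policy "frame-ancestors 'self'"

  # MIME sniffing off.
  Header always set X-Content-Type-Options "nosniff"

  # Referrer leakage: full URL only to the same origin.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # NOTE(review): Strict-Transport-Security is deliberately NOT set here;
  # it only makes sense on an HTTPS-only host and must be chosen per site.

  # Strip technology fingerprints.  Both header tables: application
  # handlers (e.g. PHP) add this on the "onsuccess" table, error pages
  # live on the "always" table.
  Header unset X-Powered-By
  Header always unset X-Powered-By

  # ETag generation is disabled via `FileETag None`; drop the header too.
  Header unset ETag

</IfModule>

# ######################################################################
# # WEB PERFORMANCE                                                    #
# ######################################################################

# ----------------------------------------------------------------------
# | Compression                                                        |
# ----------------------------------------------------------------------

<IfModule mod_deflate.c>

  # Some proxies mangle or strip `Accept-Encoding`; recover the intent
  # from the known mangled spellings so those clients still get gzip.
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>

  # Compress these media types.  Formats that are already compressed
  # (jpeg, png, webp, woff2, mp4, ...) are deliberately absent.
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE "application/atom+xml" \
                                  "application/javascript" \
                                  "application/json" \
                                  "application/ld+json" \
                                  "application/manifest+json" \
                                  "application/rdf+xml" \
                                  "application/rss+xml" \
                                  "application/schema+json" \
                                  "application/vnd.geo+json" \
                                  "application/vnd.ms-fontobject" \
                                  "application/wasm" \
                                  "application/x-font-ttf" \
                                  "application/x-javascript" \
                                  "application/x-web-app-manifest+json" \
                                  "application/xhtml+xml" \
                                  "application/xml" \
                                  "font/collection" \
                                  "font/eot" \
                                  "font/opentype" \
                                  "font/otf" \
                                  "font/ttf" \
                                  "image/bmp" \
                                  "image/svg+xml" \
                                  "image/vnd.microsoft.icon" \
                                  "image/x-icon" \
                                  "text/cache-manifest" \
                                  "text/calendar" \
                                  "text/css" \
                                  "text/html" \
                                  "text/javascript" \
                                  "text/plain" \
                                  "text/markdown" \
                                  "text/vcard" \
                                  "text/vnd.rim.location.xloc" \
                                  "text/vtt" \
                                  "text/x-component" \
                                  "text/x-cross-domain-policy" \
                                  "text/xml"
  </IfModule>

  # `.svgz` files are SVG already gzipped on disk.
  <IfModule mod_mime.c>
    AddEncoding gzip svgz
  </IfModule>

  # Browser bugs (Netscape 4 era only).  Kept for parity with the
  # original, but be aware that `Vary: User-Agent` effectively disables
  # shared (proxy/CDN) caching; drop these lines if no such clients
  # exist.  The original appended `Vary: User-Agent` twice (once
  # conditional, once not), which yields "User-Agent, User-Agent";
  # only one append is kept.
  BrowserMatch ^Mozilla/4 gzip-only-text/html
  BrowserMatch ^Mozilla/4\.0[678] no-gzip
  BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  <IfModule mod_headers.c>
    Header append Vary User-Agent env=!dont-vary
  </IfModule>

</IfModule>

# ----------------------------------------------------------------------
# | GZip pre-compressed content                                        |
# ----------------------------------------------------------------------

<IfModule mod_rewrite.c>

  # NOTE(review): RewriteCond/RewriteRule are silently ignored in
  # .htaccess unless the engine is switched on, and the original file
  # never did so.
  RewriteEngine On

  # Serve `file.ext.gz` when it exists next to `file.ext` and the
  # client accepts gzip.
  RewriteCond %{HTTP:Accept-Encoding} gzip
  RewriteCond %{REQUEST_FILENAME}\.gz -f
  RewriteRule \.(css|ics|js|json|html|svg)$ %{REQUEST_URI}.gz [L]

  # Prevent mod_deflate double gzip
  RewriteRule \.gz$ - [E=no-gzip:1]

</IfModule>

<IfModule mod_mime.c>

  # Serve correct content types
  # (1) drop the default `application/x-gzip` type for `.gz` so the
  #     inner extension decides the media type
  RemoveType gz

  AddType text/css         css.gz
  AddType text/calendar    ics.gz
  AddType text/javascript  js.gz
  AddType application/json json.gz
  AddType text/html        html.gz
  AddType image/svg+xml    svg.gz

  # Serve correct content charset
  AddCharset utf-8 .css.gz \
                   .ics.gz \
                   .js.gz \
                   .json.gz

  # Serve correct encoding type
  AddEncoding gzip .gz

</IfModule>

<IfModule mod_headers.c>
  # Force proxies to cache gzipped and non-gzipped files separately
  Header append Vary Accept-Encoding
</IfModule>

# ----------------------------------------------------------------------
# | Remove Last-Modified                                               |
# | https://www.askapache.com/htaccess/apache-speed-last-modified/#Remove_Last-Modified_Header
# ----------------------------------------------------------------------
# NOTE(review): with `ETag` removed as well, clients can never send a
# conditional request; every expired resource is re-downloaded in full.
# This is a bandwidth trade-off, not a security measure.
<IfModule mod_headers.c>
  Header unset Last-Modified
</IfModule>

# ----------------------------------------------------------------------
# | Cache expiration                                                   |
# ----------------------------------------------------------------------

<IfModule mod_expires.c>

  ExpiresActive on
  ExpiresDefault "access plus 1 month"

  # CSS
  ExpiresByType text/css "access plus 1 month"

  # Data interchange
  ExpiresByType application/atom+xml "access plus 1 hour"
  ExpiresByType application/rdf+xml "access plus 1 hour"
  ExpiresByType application/rss+xml "access plus 1 hour"
  ExpiresByType application/json "access plus 600 seconds"
  ExpiresByType application/ld+json "access plus 600 seconds"
  ExpiresByType application/schema+json "access plus 600 seconds"
  ExpiresByType application/vnd.geo+json "access plus 600 seconds"
  ExpiresByType application/xml "access plus 600 seconds"
  ExpiresByType text/calendar "access plus 600 seconds"
  ExpiresByType text/xml "access plus 600 seconds"

  # Favicon (cannot be renamed!) and cursor images
  ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"

  # HTML
  ExpiresByType text/html "access plus 600 seconds"

  # JavaScript
  ExpiresByType application/javascript "access plus 1 year"
  ExpiresByType application/x-javascript "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"

  # Manifest files
  ExpiresByType application/manifest+json "access plus 1 year"
  ExpiresByType application/x-web-app-manifest+json "access plus 1 year"
  ExpiresByType text/cache-manifest "access plus 1 year"

  # Markdown
  ExpiresByType text/markdown "access plus 600 seconds"

  # Media files
  ExpiresByType audio/ogg "access plus 1 year"
  ExpiresByType image/bmp "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType video/mp4 "access plus 1 year"
  ExpiresByType video/ogg "access plus 1 year"
  ExpiresByType video/webm "access plus 1 year"

  # WebAssembly
  ExpiresByType application/wasm "access plus 1 year"

  # Web fonts

  # Collection
  ExpiresByType font/collection "access plus 1 year"

  # Embedded OpenType (EOT)
  ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
  ExpiresByType font/eot "access plus 1 year"

  # OpenType
  ExpiresByType font/opentype "access plus 1 year"
  ExpiresByType font/otf "access plus 1 year"

  # TrueType
  ExpiresByType application/x-font-ttf "access plus 1 year"
  ExpiresByType font/ttf "access plus 1 year"

  # Web Open Font Format (WOFF) 1.0
  ExpiresByType application/font-woff "access plus 1 year"
  ExpiresByType application/x-font-woff "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"

  # Web Open Font Format (WOFF) 2.0
  ExpiresByType application/font-woff2 "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"

  # Other
  ExpiresByType text/x-cross-domain-policy "access plus 1 week"

</IfModule>

# ----------------------------------------------------------------------
# | Cache-Control                                                      |
# ----------------------------------------------------------------------
# The original issued four unconditional `Header set Cache-Control`
# lines in a row.  `set` replaces, so only the last one
# (`max-age=31536000, public`) ever reached the client - for HTML as
# well, contradicting the 600-second `ExpiresByType text/html` above
# and the comments next to each line.  Scoped per file type to match
# the stated intent; the comments now state the actual durations.
#
# NOTE(review): `public` lets shared caches (proxies, CDNs) store the
# response.  That is only safe for content that is identical for every
# user.  Per-user / authenticated responses must be emitted by the
# application with `private` or `no-store`; mod_headers `set` here
# would otherwise overwrite them, so keep such pages out of these
# patterns or set the header from the application after this point.
<IfModule mod_headers.c>

  # Default for everything not matched below: 10 minutes.
  Header set Cache-Control "max-age=600, public"

  # 10 minutes for HTML.
  <FilesMatch "\.(html?|xhtml)$">
    Header set Cache-Control "max-age=600, public"
  </FilesMatch>

  # One year for CSS and JavaScript (use versioned file names to bust).
  <FilesMatch "\.(css|js|mjs)$">
    Header set Cache-Control "max-age=31536000, public"
  </FilesMatch>

  # One year for image files; fonts are grouped here because the
  # ExpiresByType rules above already give both one year.
  <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp|eot|otf|tt[cf]|woff2?)$">
    Header set Cache-Control "max-age=31536000, public"
  </FilesMatch>

</IfModule>

# ----------------------------------------------------------------------
# | mod_gzip (Apache 1.3 only; ignored on 2.x)                         |
# ----------------------------------------------------------------------
# Without this guard an Apache 2.x server returns 500 "Invalid command"
# for every request in this directory.
<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file \.(html?|txt|css|js|svg)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_include mime ^image/svg+xml.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# ----------------------------------------------------------------------
# | Cross-origin images                                                |
# ----------------------------------------------------------------------
# Scoped to image files only.  The original applied
# `Access-Control-Allow-Origin: *` to ANY response carrying an `Origin`
# header (`SetEnvIf Origin ":"` matches every origin), i.e. it opened
# every resource on the site to cross-origin reads.  The extension
# list matches the image `AddType`s / `ExpiresByType`s in this file.
<IfModule mod_setenvif.c>
  <IfModule mod_headers.c>
    <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
      SetEnvIf Origin ":" IS_CORS
      Header set Access-Control-Allow-Origin "*" env=IS_CORS
    </FilesMatch>
  </IfModule>
</IfModule>

# ######################################################################
# # MEDIA TYPES AND CHARACTER ENCODINGS                                #
# ######################################################################

# ----------------------------------------------------------------------
# | Media types                                                        |
# ----------------------------------------------------------------------

<IfModule mod_mime.c>

  # Data interchange
  AddType application/atom+xml      atom
  AddType application/json          json map topojson
  AddType application/ld+json       jsonld
  AddType application/rss+xml       rss
  AddType application/vnd.geo+json  geojson
  AddType application/xml           rdf xml

  # JavaScript
  # Servers should use text/javascript for JavaScript resources.
  # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
  AddType text/javascript           js mjs

  # Manifest files
  AddType application/manifest+json           webmanifest
  AddType application/x-web-app-manifest+json webapp
  AddType text/cache-manifest                 appcache

  # Media files
  AddType audio/mp4     f4a f4b m4a
  AddType audio/ogg     oga ogg opus
  AddType image/bmp     bmp
  AddType image/svg+xml svg svgz
  AddType image/webp    webp
  AddType video/mp4     f4v f4p m4v mp4
  AddType video/ogg     ogv
  AddType video/webm    webm
  AddType video/x-flv   flv

  # Serving `.ico` image files with a different media type
  # prevents Internet Explorer from displaying them as images:
  # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
  AddType image/x-icon  cur ico

  # WebAssembly
  AddType application/wasm wasm

  # Web fonts
  AddType font/woff                     woff
  AddType font/woff2                    woff2
  AddType application/vnd.ms-fontobject eot
  AddType font/ttf                      ttf
  AddType font/collection               ttc
  AddType font/otf                      otf

  # Other
  AddType application/octet-stream      safariextz
  AddType application/x-bb-appworld     bbaw
  AddType application/x-chrome-extension crx
  AddType application/x-opera-extension oex
  AddType application/x-xpinstall       xpi
  AddType text/calendar                 ics
  AddType text/markdown                 markdown md
  AddType text/vcard                    vcard vcf
  AddType text/vnd.rim.location.xloc    xloc
  AddType text/vtt                      vtt
  AddType text/x-component              htc

  # ----------------------------------------------------------------------
  # | Character encodings                                                |
  # ----------------------------------------------------------------------
  AddCharset utf-8 .atom \
                   .bbaw \
                   .css \
                   .geojson \
                   .ics \
                   .js \
                   .json \
                   .jsonld \
                   .manifest \
                   .markdown \
                   .md \
                   .mjs \
                   .rdf \
                   .rss \
                   .topojson \
                   .vtt \
                   .webapp \
                   .webmanifest \
                   .xloc \
                   .xml

</IfModule>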