From b3f5803d99e1d39e2c91686ea4dc9003ebe22da3 Mon Sep 17 00:00:00 2001 From: alrra Date: Tue, 2 Apr 2013 00:34:53 +0300 Subject: [PATCH 1/9] =?UTF-8?q?[iis]=20Change=20`font/otf`=20=E2=86=92=20`?= =?UTF-8?q?font/opentype`?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit References: h5bp/html5-boilerplate#1317 --- iis/README.md | 2 +- iis/dotnet 3/web.config | 2 +- iis/dotnet 4/mvc4 & mvc4api/web.config | 2 +- iis/dotnet 4/webforms/web.config | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/iis/README.md b/iis/README.md index 9a286ad..9686b10 100644 --- a/iis/README.md +++ b/iis/README.md @@ -125,7 +125,7 @@ Required for SVG Webfonts on iPad. ```xml - + ``` diff --git a/iis/dotnet 3/web.config b/iis/dotnet 3/web.config index 97667f9..1f2f26e 100644 --- a/iis/dotnet 3/web.config +++ b/iis/dotnet 3/web.config @@ -136,7 +136,7 @@ - + diff --git a/iis/dotnet 4/mvc4 & mvc4api/web.config b/iis/dotnet 4/mvc4 & mvc4api/web.config index 556b9b0..388fe6b 100644 --- a/iis/dotnet 4/mvc4 & mvc4api/web.config +++ b/iis/dotnet 4/mvc4 & mvc4api/web.config @@ -116,7 +116,7 @@ - + diff --git a/iis/dotnet 4/webforms/web.config b/iis/dotnet 4/webforms/web.config index 95961c2..31d34d3 100644 --- a/iis/dotnet 4/webforms/web.config +++ b/iis/dotnet 4/webforms/web.config @@ -98,7 +98,7 @@ - + From bccd592886c8b63cee5727ab22bea37b9f155511 Mon Sep 17 00:00:00 2001 From: alrra Date: Tue, 2 Apr 2013 09:35:36 +0300 Subject: [PATCH 2/9] [nginx] Remove `text/html` from `gzip_types` Fix: #144. --- nginx/nginx.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/nginx/nginx.conf b/nginx/nginx.conf index f1b7b04..108ea8d 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -109,7 +109,6 @@ http { image/svg+xml image/x-icon text/css - text/html text/plain text/x-component; # text/html is always compressed by HttpGzipModule From bb8fbd699d7b5626112edeb5094c06863b615e49 Mon Sep 17 00:00:00 2001 
From: alrra Date: Fri, 5 Apr 2013 17:08:42 +0300 Subject: [PATCH 3/9] [apache] Update docs on required modules --- apache/README.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/apache/README.md b/apache/README.md index 9979050..288ae56 100644 --- a/apache/README.md +++ b/apache/README.md @@ -7,13 +7,15 @@ can be applied in the `.htaccess` file. **First, you'll want to have these modules enabled for optimum performance:** -* `mod_setenvif.c` (setenvif_module) -* `mod_headers.c` (headers_module) -* `mod_deflate.c` (deflate_module) -* `mod_filter.c` (filter_module) -* `mod_expires.c` (expires_module) -* `mod_rewrite.c` (rewrite_module) - +* [`mod_autoindex.c` (autoindex_module)](http://httpd.apache.org/docs/current/mod/mod_autoindex.html) +* [`mod_deflate.c` (deflate_module)](http://httpd.apache.org/docs/current/mod/mod_deflate.html) +* [`mod_expires.c` (expires_module)](http://httpd.apache.org/docs/current/mod/mod_expires.html) +* [`mod_filter.c` (filter_module)](http://httpd.apache.org/docs/current/mod/mod_filter.html) +* [`mod_headers.c` (headers_module)](http://httpd.apache.org/docs/current/mod/mod_headers.html) +* [`mod_include.c` (include_module)](http://httpd.apache.org/docs/current/mod/mod_include.html) +* [`mod_mime.c` (mime_module)](http://httpd.apache.org/docs/current/mod/mod_mime.html) +* [`mod_rewrite.c` (rewrite_module)](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) +* [`mod_setenvif.c` (setenvif_module)](http://httpd.apache.org/docs/current/mod/mod_setenvif.html) ## On Windows From 17152fc32d9370cb47cd72321a5ec614214fc12e Mon Sep 17 00:00:00 2001 From: alrra Date: Fri, 19 Apr 2013 13:22:54 +0300 Subject: [PATCH 4/9] Update README.md --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 081cc10..ecf6c91 100644 --- a/README.md +++ b/README.md 
@@ -1,13 +1,13 @@ -# [H5BP](http://h5bp.github.com) Server Configs +# [H5BP](http://h5bp.github.com)'s Server Configs *Best-practice server configurations* to help improve site performance. -* **Apache** -* **node.js** -* **IIS 7+** -* **IIS 6** - see `iis/IIS6-README.md` -* **nginx** -* **lighttpd** -* **Google AppEngine** +* **[Apache](https://github.com/h5bp/server-configs/tree/master/apache)** +* **[Google App Engine](https://github.com/h5bp/server-configs/tree/master/gae)** +* **[IIS 7+](https://github.com/h5bp/server-configs/tree/master/iis)** / **[IIS +6](https://github.com/h5bp/server-configs/blob/master/iis/IIS6-README.md)** +* **[lighttpd](https://github.com/h5bp/server-configs/tree/master/lighttpd)** +* **[nginx](https://github.com/h5bp/server-configs/tree/master/nginx)** +* **[Node.js](https://github.com/h5bp/node-server-config)** Please refer to the README's in each directory for more information. From 561c376d2717ede751730b0a6f4fe3a0c300b49f Mon Sep 17 00:00:00 2001 From: Matthew Brundage Date: Wed, 1 May 2013 13:23:55 -0300 Subject: [PATCH 5/9] [apache] More elegant way of matching `svg/svgz` --- apache/.htaccess | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apache/.htaccess b/apache/.htaccess index c0b9a24..86a524a 100644 --- a/apache/.htaccess +++ b/apache/.htaccess @@ -31,7 +31,7 @@ - + SetEnvIf Origin ":" IS_CORS Header set Access-Control-Allow-Origin "*" env=IS_CORS @@ -92,7 +92,7 @@ Options -MultiViews Header set X-UA-Compatible "IE=edge,chrome=1" # `mod_headers` can't match based on the content-type, however, we only # want to send this header for HTML pages and not for the other resources - + Header unset X-UA-Compatible @@ -279,7 +279,7 @@ AddDefaultCharset utf-8 # # Header set Content-Security-Policy "script-src 'self'; object-src 'self'" -# +# # Header unset Content-Security-Policy # # From 22f0214c7915aa38522286cfe5a768d69dd53183 Mon Sep 17 00:00:00 2001 
From: Niklas Ekman Date: Tue, 28 May 2013 23:36:13 +0300 Subject: [PATCH 6/9] [lighttpd] Security enhancements - Avoid revealing the server name and version number - Disable directory listing Ref: h5bp/server-configs#150 --- lighttpd/lighttpd.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lighttpd/lighttpd.conf b/lighttpd/lighttpd.conf index fc919de..8d89dda 100644 --- a/lighttpd/lighttpd.conf +++ b/lighttpd/lighttpd.conf @@ -12,6 +12,12 @@ server.pid-file = "/var/run/lighttpd/lighttpd.pid" # mod_simple_vhost module. server.document-root = "/var/www/sites/go/here/" +# Avoid revealing the server name and version number +server.tag = "" + +# Disable directory listing +server.dir-listing = "disable" + # Modules to load # at least mod_access and mod_accesslog should be loaded # mod_expire should go above mod_compress (and mod_fcgi if you use it) From f25e4983cde1bf437c466bd98e46972573853eac Mon Sep 17 00:00:00 2001 From: Thomas Parisot Date: Wed, 29 May 2013 14:34:00 +0300 Subject: [PATCH 7/9] [apache] Add `includeSubDomains` directive to HSTS The `includeSubDomains` optional directive allows the user to apply the `HTTP Strict Transport Security` rule to all of the site's subdomains: * http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1 * https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security Ref: h5bp/server-configs#151 --- apache/.htaccess | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/apache/.htaccess b/apache/.htaccess index 86a524a..b5153f4 100644 --- a/apache/.htaccess +++ b/apache/.htaccess 
@@ -333,19 +333,25 @@ AddDefaultCharset utf-8 # RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L] # -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# ------------------------------------------------------------------------------ +# | HTTP Strict Transport Security (HSTS) | +# ------------------------------------------------------------------------------ # Force client-side SSL redirection. -# If a user types "example.com" in his browser, the above rule will redirect him -# to the secure version of the site. That still leaves a window of opportunity -# (the initial HTTP connection) for an attacker to downgrade or redirect the -# request. The following header ensures that browser will ONLY connect to your -# server via HTTPS, regardless of what the users type in the address bar. +# If a user types "example.com" in his browser, the above rule will redirect +# him to the secure version of the site. That still leaves a window of oppor- +# tunity (the initial HTTP connection) for an attacker to downgrade or redirect +# the request. The following header ensures that browser will ONLY connect to +# your server via HTTPS, regardless of what the users type in the address bar. +# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1 # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/ +# (!) Remove the `includeSubDomains` optional directive if the subdomains are +# not using HTTPS. + # -# Header set Strict-Transport-Security max-age=16070400; +# Header set Strict-Transport-Security "max-age=16070400; includeSubDomains" # # ------------------------------------------------------------------------------ From e7ad187eda2617d2cb1222d7e95c2a3b3da2c27b Mon Sep 17 00:00:00 2001 
From: rwblackburn Date: Thu, 6 Jun 2013 21:08:44 -0400 Subject: [PATCH 8/9] [apache] Fix rewrite rule conditions for localhost Add `localhost` and `127.0.0.1` exceptions to the rewrite rule condi- tions that prepend `www.` to URLs, as the current rules prevent users from being able to test locally. Closes h5bp/server-configs#152. --- apache/.htaccess | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apache/.htaccess b/apache/.htaccess index b5153f4..e1916e7 100644 --- a/apache/.htaccess +++ b/apache/.htaccess @@ -253,6 +253,8 @@ AddDefaultCharset utf-8 # # RewriteCond %{HTTPS} !=on # RewriteCond %{HTTP_HOST} !^www\..+$ [NC] +# RewriteCond %{HTTP_HOST} !=localhost [NC] +# RewriteCond %{HTTP_HOST} !=127.0.0.1 # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # From 262fc85aee9aaa4b3e70d19548a789d65148c4e9 Mon Sep 17 00:00:00 2001 From: Roland Warmerdam Date: Tue, 18 Jun 2013 22:13:04 +1200 Subject: [PATCH 9/9] Remove all Google Chrome Frame related config http://blog.chromium.org/2013/06/retiring-chrome-frame.html --- apache/.htaccess | 3 +-- gae/app.yaml | 2 +- gae/gae.py | 2 +- iis/IIS6-README.md | 2 +- iis/README.md | 2 +- iis/dotnet 3/web.config | 3 +-- iis/dotnet 4/mvc4 & mvc4api/web.config | 3 +-- iis/dotnet 4/webforms/web.config | 3 +-- lighttpd/lighttpd.conf | 2 +- nginx/conf/x-ua-compatible.conf | 3 +-- test/.htaccess | 3 +-- test/tests.json | 8 ++++---- 12 files changed, 15 insertions(+), 21 deletions(-) diff --git a/apache/.htaccess b/apache/.htaccess index e1916e7..7290b3c 100644 --- a/apache/.htaccess +++ b/apache/.htaccess 
@@ -86,10 +86,9 @@ Options -MultiViews # Force IE to render pages in the highest available mode in the various # cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf. -# Use, if installed, Google Chrome Frame. - Header set X-UA-Compatible "IE=edge,chrome=1" + Header set X-UA-Compatible "IE=edge" # `mod_headers` can't match based on the content-type, however, we only # want to send this header for HTML pages and not for the other resources diff --git a/gae/app.yaml b/gae/app.yaml index 3c98167..a299c20 100644 --- a/gae/app.yaml +++ b/gae/app.yaml @@ -79,7 +79,7 @@ handlers: http_headers: # Better website experience for IE users - X-UA-Compatible: "IE=edge,chrome=1" + X-UA-Compatible: "IE=edge" # Content Security Policy (CSP) #Content-Security-Policy: "script-src 'self'; object-src 'self'" diff --git a/gae/gae.py b/gae/gae.py index ba43d68..18a0652 100644 --- a/gae/gae.py +++ b/gae/gae.py @@ -9,7 +9,7 @@ def get(self): else: path = '%s/index.html'%self.request.url - self.response.headers.add_header('X-UA-Compatible', 'IE=edge,chrome=1') + self.response.headers.add_header('X-UA-Compatible', 'IE=edge') self.redirect(path) def post(self): diff --git a/iis/IIS6-README.md b/iis/IIS6-README.md index dabf158..e46358e 100644 --- a/iis/IIS6-README.md +++ b/iis/IIS6-README.md @@ -205,7 +205,7 @@ Force the latest IE version, in various cases when it may fall back to IE7 mode http://github.com/rails/rails/commit/123eb25#commitcomment-118920 ``` -X-UA-Compatible : IE=Edge,chrome=1 +X-UA-Compatible : IE=Edge ``` #### 2.3.3 P3P (handy when your using Facebook API/Connect) diff --git a/iis/README.md b/iis/README.md index 9686b10..beb8c4a 100644 --- a/iis/README.md +++ b/iis/README.md @@ -72,7 +72,7 @@ served to show customized error message. **5. Force the latest IE version** ```xml - + ``` Force the latest IE version, in various cases when it may fall back to IE7 diff --git a/iis/dotnet 3/web.config b/iis/dotnet 3/web.config index 1f2f26e..30f6faa 100644 
--- a/iis/dotnet 3/web.config +++ b/iis/dotnet 3/web.config @@ -239,9 +239,8 @@ - + - + - +
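Review bot: In PATCH 2/9 (nginx/nginx.conf), the `gzip_types` hunk leaves the explanatory context line `# text/html is always compressed by HttpGzipModule` trailing a list that no longer contains the type it explains; move that comment above the `gzip_types` block so the next reader does not try to re-add `text/html`.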
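Review bot: In PATCH 3/9 (apache/README.md), the expanded module list no longer matches the heading it sits under. The unchanged context line `**First, you'll want to have these modules enabled for optimum performance:**` frames the list as tuning, but the newly added `mod_autoindex.c`, `mod_include.c` and `mod_mime.c` entries are functional and hardening dependencies of the `.htaccess` rules rather than performance ones, so a reader may treat them as optional. Suggest rewording the heading to say the modules are required for the configuration to behave as intended, and keep the alphabetical ordering the hunk introduces.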
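Review bot: In PATCH 4/9 (README.md), the unchanged context line `Please refer to the README's in each directory` carries a stray apostrophe (`READMEs`); since the hunk rewrites the lines around it, fix it in the same commit. Also the `IIS 6` entry is split across two diff lines (`**[IIS 7+](...)** / **[IIS` and `6](...)**`), which renders but makes the entry hard to grep; keep the list item on one line.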
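Review bot: In PATCH 6/9 (lighttpd/lighttpd.conf), the two added settings do what the commit message says, but their comments should state the observable effect so an operator can verify it: `server.tag = ""` omits the `Server` response header altogether rather than merely hiding the version (worth saying explicitly, since monitoring that keys on that header will notice), and `server.dir-listing = "disable"` is the legacy spelling whose mod_dirlisting equivalent is `dir-listing.activate = "disable"`; name both in the comment so the two spellings are not mistaken for different options if they later appear in the same file.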
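Review bot: In PATCH 7/9 (apache/.htaccess, HSTS block), the example `Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"` has no HTTPS guard in the visible lines: browsers ignore this header when it arrives over plain HTTP and the referenced draft requires hosts not to send it there, so either place it inside the TLS virtual host or condition it (for example with `env=HTTPS` when mod_ssl's standard environment variables are enabled), and say so in the comment next to the `(!)` note. The `(!)` warning about `includeSubDomains` is the right caveat, but the `+` blank line after `not using HTTPS.` detaches it from the directive it qualifies; drop that blank line. Minor: `oppor-` / `tunity` hyphenated across two comment lines defeats text search, so rewrap the paragraph instead.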
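Review bot: In PATCH 8/9 (apache/.htaccess), the new conditions `RewriteCond %{HTTP_HOST} !=localhost [NC]` and `RewriteCond %{HTTP_HOST} !=127.0.0.1` are exact string comparisons, so they fail to match when the developer serves on a non-default port (`%{HTTP_HOST}` then carries `localhost:8080`), which is precisely the local-testing case the commit message sets out to fix, and the `www.` redirect fires anyway. Suggest a single regex condition such as `RewriteCond %{HTTP_HOST} !^(localhost|127\.0\.0\.1)(:[0-9]+)?$ [NC]` covering both hosts with or without a port.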
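Review bot: In PATCH 9/9, the replacement value is spelled `IE=edge` in apache/.htaccess, gae/app.yaml and gae/gae.py but `IE=Edge` in iis/IIS6-README.md; since `test/tests.json` is updated in the same commit, normalise the casing across all twelve files so the tests compare a single string. The stat also lists `nginx/conf/x-ua-compatible.conf`, whose hunk is not visible here; confirm it carries the same value and that no `chrome=1` mention survives in its comments, matching the removal of `# Use, if installed, Google Chrome Frame.` in the apache file.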