Remove all Google Chrome Frame related config

README.md

@@ -1,13 +1,13 @@
-# [H5BP](http://h5bp.github.com) Server Configs
+# [H5BP](http://h5bp.github.com)'s Server Configs
 
 *Best-practice server configurations* to help improve site performance.
 
-* **Apache**
-* **node.js**
-* **IIS 7+**
-* **IIS 6** - see `iis/IIS6-README.md`
-* **nginx**
-* **lighttpd**
-* **Google AppEngine**
+* **[Apache](https://github.com/h5bp/server-configs/tree/master/apache)**
+* **[Google App Engine](https://github.com/h5bp/server-configs/tree/master/gae)**
+* **[IIS 7+](https://github.com/h5bp/server-configs/tree/master/iis)** / **[IIS
+6](https://github.com/h5bp/server-configs/blob/master/iis/IIS6-README.md)**
+* **[lighttpd](https://github.com/h5bp/server-configs/tree/master/lighttpd)**
+* **[nginx](https://github.com/h5bp/server-configs/tree/master/nginx)**
+* **[Node.js](https://github.com/h5bp/node-server-config)**
 
 Please refer to the README's in each directory for more information.

apache/.htaccess

@@ -31,7 +31,7 @@
 
 <IfModule mod_setenvif.c>
     <IfModule mod_headers.c>
-        <FilesMatch "\.(gif|ico|jpe?g|png|svg|svgz|webp)$">
+        <FilesMatch "\.(gif|ico|jpe?g|png|svgz?|webp)$">
             SetEnvIf Origin ":" IS_CORS
             Header set Access-Control-Allow-Origin "*" env=IS_CORS
         </FilesMatch>
@@ -86,13 +86,12 @@ Options -MultiViews
 
 # Force IE to render pages in the highest available mode in the various
 # cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf.
-# Use, if installed, Google Chrome Frame.
 
 <IfModule mod_headers.c>
-    Header set X-UA-Compatible "IE=edge,chrome=1"
+    Header set X-UA-Compatible "IE=edge"
     # `mod_headers` can't match based on the content-type, however, we only
     # want to send this header for HTML pages and not for the other resources
-    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
+    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
         Header unset X-UA-Compatible
     </FilesMatch>
 </IfModule>
@@ -253,6 +252,8 @@ AddDefaultCharset utf-8
 # <IfModule mod_rewrite.c>
 #    RewriteCond %{HTTPS} !=on
 #    RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
+#    RewriteCond %{HTTP_HOST} !=localhost [NC]
+#    RewriteCond %{HTTP_HOST} !=127.0.0.1
 #    RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
 # </IfModule>
 
@@ -279,7 +280,7 @@ AddDefaultCharset utf-8
 
 # <IfModule mod_headers.c>
 #    Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
-#    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
+#    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
 #        Header unset Content-Security-Policy
 #    </FilesMatch>
 # </IfModule>
@@ -333,19 +334,25 @@ AddDefaultCharset utf-8
 #    RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
 # </IfModule>
 
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# ------------------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS)                                      |
+# ------------------------------------------------------------------------------
 
 # Force client-side SSL redirection.
 
-# If a user types "example.com" in his browser, the above rule will redirect him
-# to the secure version of the site. That still leaves a window of opportunity
-# (the initial HTTP connection) for an attacker to downgrade or redirect the
-# request. The following header ensures that browser will ONLY connect to your
-# server via HTTPS, regardless of what the users type in the address bar.
+# If a user types "example.com" in his browser, the above rule will redirect
+# him to the secure version of the site. That still leaves a window of oppor-
+# tunity (the initial HTTP connection) for an attacker to downgrade or redirect
+# the request. The following header ensures that browser will ONLY connect to
+# your server via HTTPS, regardless of what the users type in the address bar.
+# http://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-14#section-6.1
 # http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
 
+# (!) Remove the `includeSubDomains` optional directive if the subdomains are
+# not using HTTPS.
+
 # <IfModule mod_headers.c>
-#    Header set Strict-Transport-Security max-age=16070400;
+#    Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"
 # </IfModule>
 
 # ------------------------------------------------------------------------------

apache/README.md

@@ -7,13 +7,15 @@ can be applied in the `.htaccess` file.
 
 **First, you'll want to have these modules enabled for optimum performance:**
 
-* `mod_setenvif.c` (setenvif_module)
-* `mod_headers.c` (headers_module)
-* `mod_deflate.c` (deflate_module)
-* `mod_filter.c` (filter_module)
-* `mod_expires.c` (expires_module)
-* `mod_rewrite.c` (rewrite_module)
-
+* [`mod_autoindex.c` (autoindex_module)](http://httpd.apache.org/docs/current/mod/mod_autoindex.html)
+* [`mod_deflate.c` (deflate_module)](http://httpd.apache.org/docs/current/mod/mod_deflate.html)
+* [`mod_expires.c` (expires_module)](http://httpd.apache.org/docs/current/mod/mod_expires.html)
+* [`mod_filter.c` (filter_module)](http://httpd.apache.org/docs/current/mod/mod_filter.html)
+* [`mod_headers.c` (headers_module)](http://httpd.apache.org/docs/current/mod/mod_headers.html)
+* [`mod_include.c` (include_module)](http://httpd.apache.org/docs/current/mod/mod_include.html)
+* [`mod_mime.c` (mime_module)](http://httpd.apache.org/docs/current/mod/mod_mime.html)
+* [`mod_rewrite.c` (rewrite_module)](http://httpd.apache.org/docs/current/mod/mod_rewrite.html)
+* [`mod_setenvif.c` (setenvif_module)](http://httpd.apache.org/docs/current/mod/mod_setenvif.html)
 
 ## On Windows
 

gae/app.yaml

@@ -79,7 +79,7 @@ handlers:
   http_headers:
 
     # Better website experience for IE users
-    X-UA-Compatible: "IE=edge,chrome=1"
+    X-UA-Compatible: "IE=edge"
 
     # Content Security Policy (CSP)
     #Content-Security-Policy: "script-src 'self'; object-src 'self'"

gae/gae.py

@@ -9,7 +9,7 @@ def get(self):
         else:
             path = '%s/index.html'%self.request.url
 
-        self.response.headers.add_header('X-UA-Compatible', 'IE=edge,chrome=1')
+        self.response.headers.add_header('X-UA-Compatible', 'IE=edge')
         self.redirect(path)
 
     def post(self):

iis/IIS6-README.md

@@ -205,7 +205,7 @@ Force the latest IE version, in various cases when it may fall back to IE7 mode
 http://github.com/rails/rails/commit/123eb25#commitcomment-118920
 
 ```
-X-UA-Compatible : IE=Edge,chrome=1
+X-UA-Compatible : IE=Edge
 ```
 
 #### 2.3.3 P3P (handy when your using Facebook API/Connect)

iis/README.md

@@ -72,7 +72,7 @@ served to show customized error message.
 **5. Force the latest IE version**
 
 ```xml
-<add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
+<add name="X-UA-Compatible" value="IE=Edge" />
 ```
 
 Force the latest IE version, in various cases when it may fall back to IE7
@@ -125,7 +125,7 @@ Required for SVG Webfonts on iPad.
 ```xml
 <remove fileExtension=".eot" />
 <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
-<mimeMap fileExtension=".otf" mimeType="font/otf" />
+<mimeMap fileExtension=".otf" mimeType="font/opentype" />
 <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
 ```
 

iis/dotnet 3/web.config

@@ -136,7 +136,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />
@@ -239,9 +239,8 @@
                 <!--
                 Force the latest IE version, in various cases when it may fall back to IE7 mode
                 github.com/rails/rails/commit/123eb25#commitcomment-118920
-                Use ChromeFrame if it's installed for a better experience for the poor IE folk
                 -->
-                <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
+                <add name="X-UA-Compatible" value="IE=Edge" />
                 <!--
                 Allow cookies to be set from iframes (for IE only)
                 If needed, uncomment and specify a path or regex in the Location directive

iis/dotnet 4/mvc4 & mvc4api/web.config

@@ -116,7 +116,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />
@@ -219,9 +219,8 @@
                 <!--
                 Force the latest IE version, in various cases when it may fall back to IE7 mode
                 github.com/rails/rails/commit/123eb25#commitcomment-118920
-                Use ChromeFrame if it's installed for a better experience for the poor IE folk
                 -->
-                <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
+                <add name="X-UA-Compatible" value="IE=Edge" />
                 <!--
                 Allow cookies to be set from iframes (for IE only)
                 If needed, uncomment and specify a path or regex in the Location directive

iis/dotnet 4/webforms/web.config

@@ -98,7 +98,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />
@@ -201,9 +201,8 @@
                 <!--
                 Force the latest IE version, in various cases when it may fall back to IE7 mode
                 github.com/rails/rails/commit/123eb25#commitcomment-118920
-                Use ChromeFrame if it's installed for a better experience for the poor IE folk
                 -->
-                <add name="X-UA-Compatible" value="IE=Edge,chrome=1" />
+                <add name="X-UA-Compatible" value="IE=Edge" />
                 <!--
                 Allow cookies to be set from iframes (for IE only)
                 If needed, uncomment and specify a path or regex in the Location directive

lighttpd/lighttpd.conf

@@ -12,6 +12,12 @@ server.pid-file = "/var/run/lighttpd/lighttpd.pid"
 # mod_simple_vhost module.
 server.document-root = "/var/www/sites/go/here/"
 
+# Avoid revealing the server name and version number
+server.tag = ""
+
+# Disable directory listing
+server.dir-listing = "disable"
+
 # Modules to load
 # at least mod_access and mod_accesslog should be loaded
 # mod_expire should go above mod_compress (and mod_fcgi if you use it)
@@ -27,7 +33,7 @@ server.modules = (
 
 # Sent Response Headers
 # opt-in to the future - remove meta tag from page
-setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge,chrome=1" )
+setenv.add-response-header = ( "X-UA-Compatible" => "IE=edge" )
 
 # File uploads
 # Make sure this folder exists and is writable to server.username

nginx/conf/x-ua-compatible.conf

@@ -1,3 +1,2 @@
 # Force the latest IE version
-# Use ChromeFrame if it's installed for a better experience for the poor IE folk
-add_header "X-UA-Compatible" "IE=Edge,chrome=1";
+add_header "X-UA-Compatible" "IE=Edge";

nginx/nginx.conf

@@ -109,7 +109,6 @@ http {
     image/svg+xml
     image/x-icon
     text/css
-    text/html
     text/plain
     text/x-component;
   # text/html is always compressed by HttpGzipModule

test/.htaccess

@@ -22,10 +22,9 @@
 
 # Force the latest IE version, in various cases when it may fall back to IE7 mode
 #  github.com/rails/rails/commit/123eb25#commitcomment-118920
-# Use ChromeFrame if it's installed for a better experience for the poor IE folk
 
 <IfModule mod_headers.c>
-  Header set X-UA-Compatible "IE=Edge,chrome=1"
+  Header set X-UA-Compatible "IE=Edge"
   # mod_headers can't match by content-type, but we don't want to send this header on *everything*...
   <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
     Header unset X-UA-Compatible

test/tests.json

@@ -6,7 +6,7 @@
 	"gzip": true,
 	"expires": 0,
 	"headers": {
-		"X-UA-Compatible": "IE=Edge,chrome=1"
+		"X-UA-Compatible": "IE=Edge"
 	},
 	"noheaders": [
 		"ETag"
@@ -71,7 +71,7 @@
 	"gzip": true,
 	"expires": 0,
 	"headers": {
-		"X-UA-Compatible": "IE=Edge,chrome=1"
+		"X-UA-Compatible": "IE=Edge"
 	},
 	"noheaders": [
 		"ETag"
@@ -84,7 +84,7 @@
 	"gzip": true,
 	"expires": 0,
 	"headers": {
-		"X-UA-Compatible": "IE=Edge,chrome=1"
+		"X-UA-Compatible": "IE=Edge"
 	},
 	"noheaders": [
 		"ETag"
@@ -169,7 +169,7 @@
 	"gzip": true,
 	"expires": 0,
 	"headers": {
-		"X-UA-Compatible": "IE=Edge,chrome=1"
+		"X-UA-Compatible": "IE=Edge"
 	},
 	"noheaders": [
 		"ETag"