Skip to content

Commit

Permalink
Full documentation review
Browse files Browse the repository at this point in the history
  • Loading branch information
LeoColomb committed Jan 3, 2020
1 parent ea8c517 commit d8553ee
Show file tree
Hide file tree
Showing 33 changed files with 229 additions and 244 deletions.
33 changes: 16 additions & 17 deletions httpd.conf
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Configuration File - Apache Server Configs
# https://httpd.apache.org/docs/current/

# Sets the top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Sets the top of the directory tree under which the server's configuration,
# error, and log files are kept.
# Do not add a slash at the end of the directory path.
# If you point ServerRoot at a non-local disk, be sure to specify
# a local disk on the Mutex directive, if file-based mutexes are used.
# If you wish to share the same ServerRoot for multiple httpd daemons,
# you will need to change at least PidFile.
# If you point ServerRoot at a non-local disk, be sure to specify a local disk
# on the Mutex directive, if file-based mutexes are used.
# If you wish to share the same ServerRoot for multiple httpd daemons, you will
# need to change at least PidFile.
# https://httpd.apache.org/docs/current/mod/core.html#serverroot
ServerRoot "/usr/local/apache2"

Expand Down Expand Up @@ -66,15 +66,15 @@ LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

# The location and format of the access logfile.
# If you *do* define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
# If you *do* define per-<VirtualHost> access logfiles, transactions will
# be logged therein and *not* in this file.
# https://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog
CustomLog logs/access.log combined
</IfModule>

# Prevent Apache from sending in the `Server` response header its
# exact version number, the description of the generic OS-type or
# information about its compiled-in modules.
# Prevent Apache from sending its version number, the description of the
# generic OS-type or information about its compiled-in modules in the "Server"
# response header.
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
Include h5bp/security/server_software_information.conf
Expand Down Expand Up @@ -122,12 +122,11 @@ Include h5bp/media_types/media_types.conf
# Set character encodings.
Include h5bp/media_types/character_encodings.conf

# On systems that support it, memory-mapping or the sendfile
# syscall may be used to deliver files.
# This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# On systems that support it, memory-mapping or the sendfile syscall may be
# used to deliver files.
# This usually improves server performance, but must be turned off when serving
# from networked-mounted filesystems or if support for these functions is
# otherwise broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
# https://httpd.apache.org/docs/current/mod/core.html#enablemmap
# https://httpd.apache.org/docs/current/mod/core.html#enablesendfile
Expand Down
7 changes: 7 additions & 0 deletions src/cross-origin/requests.conf
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,13 @@
# https://enable-cors.org/
# https://www.w3.org/TR/cors/

# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
# Instead of using this file, consider using a specific rule such as
# allowing access based on (sub)domain:
#
# Header set Access-Control-Allow-Origin "subdomain.example.com"

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
7 changes: 3 additions & 4 deletions src/cross-origin/resource_timing.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,9 @@

# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that
# would allow its timing information to be shared with the document,
# some of the attributes of the `PerformanceResourceTiming` object will
# be set to zero.
# If a resource isn't served with a `Timing-Allow-Origin` header that would
# allow its timing information to be shared with the document, some of the
# attributes of the `PerformanceResourceTiming` object will be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
Expand Down
4 changes: 2 additions & 2 deletions src/errors/error_prevention.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,8 @@

# Disable the pattern matching based on filenames.
#
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
# This setting prevents Apache from returning a 404 error as the result of a
# rewrite when the directory with the same name does not exist.
#
# https://httpd.apache.org/docs/current/content-negotiation.html#multiviews

Expand Down
6 changes: 3 additions & 3 deletions src/internet_explorer/x-ua-compatible.conf
Original file line number Diff line number Diff line change
Expand Up @@ -8,9 +8,9 @@
# https://hsivonen.fi/doctype/#ie8
#
# (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
#
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
Expand Down
8 changes: 4 additions & 4 deletions src/media_types/character_encodings.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,17 @@
# | Character encodings |
# ----------------------------------------------------------------------

# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
# Serve all resources labeled as `text/html` or `text/plain` with the media type
# `charset` parameter set to `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

AddDefaultCharset utf-8

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

# Serve the following file types with the media type `charset`
# parameter set to `UTF-8`.
# Serve the following file types with the media type `charset` parameter set to
# `UTF-8`.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset

Expand Down
4 changes: 2 additions & 2 deletions src/media_types/media_types.conf
Original file line number Diff line number Diff line change
Expand Up @@ -47,8 +47,8 @@
AddType video/webm webm
AddType video/x-flv flv

# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
# Serving `.ico` image files with a different media type prevents
# Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

AddType image/x-icon cur ico
Expand Down
17 changes: 8 additions & 9 deletions src/rewrites/rewrite_engine.conf
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@
# | Rewrite engine |
# ----------------------------------------------------------------------

# (1) Turn on the rewrite engine (this is necessary in order for
# the `RewriteRule` directives to work).
# (1) Turn on the rewrite engine (this is necessary in order for the
# `RewriteRule` directives to work).
#
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
#
# (2) Enable the `FollowSymLinks` option if it isn't already.
#
# https://httpd.apache.org/docs/current/mod/core.html#options
#
# (3) If your web host doesn't allow the `FollowSymlinks` option,
# you need to comment it out or remove it, and then uncomment
# the `Options +SymLinksIfOwnerMatch` line (4), but be aware
# of the performance impact.
# (3) If your web host doesn't allow the `FollowSymlinks` option, you need to
# comment it out or remove it, and then uncomment the
# `Options +SymLinksIfOwnerMatch` line (4), but be aware of the performance
# impact.
#
# https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
#
Expand All @@ -23,9 +23,8 @@
# https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
#
# (5) Depending on how your server is set up, you may also need to
# use the `RewriteOptions` directive to enable some options for
# the rewrite engine.
# (5) Depending on how your server is set up, you may also need to use the
# `RewriteOptions` directive to enable some options for the rewrite engine.
#
# https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions

Expand Down
7 changes: 3 additions & 4 deletions src/rewrites/rewrite_http_to_https.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,9 @@
#
# https://wiki.apache.org/httpd/RewriteHTTPToHTTPS

# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot
# method it will fail to validate the certificate if validation
# requests are redirected to HTTPS. Turn on the condition(s)
# you need.
# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot method it
# will fail to validate the certificate if validation requests are
# redirected to HTTPS. Turn on the condition(s) you need.
#
# https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
# https://tools.ietf.org/html/draft-ietf-acme-acme-12
Expand Down
17 changes: 8 additions & 9 deletions src/rewrites/rewrite_nowww.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,21 +4,20 @@

# Rewrite www.example.com → example.com

# The same content should never be available under two different
# URLs, especially not with and without `www.` at the beginning.
# This can cause SEO problems (duplicate content), and therefore,
# you should choose one of the alternatives and redirect the other
# one.
# The same content should never be available under two different URLs,
# especially not with and without `www.` at the beginning.
# This can cause SEO problems (duplicate content), and therefore, you should
# choose one of the alternatives and redirect the other one.
#
# (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!

# (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
# appropriate schema automatically (http or https).
#
# (2) The rule assumes by default that both HTTP and HTTPS
# environments are available for redirection.
# If your SSL certificate could not handle one of the domains
# used during redirection, you should turn the condition on.
# (2) The rule assumes by default that both HTTP and HTTPS environments are
# available for redirection.
# If your SSL certificate could not handle one of the domains used during
# redirection, you should turn the condition on.
#
# https://github.com/h5bp/server-configs-apache/issues/52

Expand Down
17 changes: 8 additions & 9 deletions src/rewrites/rewrite_www.conf
Original file line number Diff line number Diff line change
Expand Up @@ -4,21 +4,20 @@

# Rewrite example.com → www.example.com

# The same content should never be available under two different
# URLs, especially not with and without `www.` at the beginning.
# This can cause SEO problems (duplicate content), and therefore,
# you should choose one of the alternatives and redirect the other
# one.
# The same content should never be available under two different URLs,
# especially not with and without `www.` at the beginning.
# This can cause SEO problems (duplicate content), and therefore, you should
# choose one of the alternatives and redirect the other one.
#
# (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!

# (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
# appropriate schema automatically (http or https).
#
# (2) The rule assumes by default that both HTTP and HTTPS
# environments are available for redirection.
# If your SSL certificate could not handle one of the domains
# used during redirection, you should turn the condition on.
# (2) The rule assumes by default that both HTTP and HTTPS environments are
# available for redirection.
# If your SSL certificate could not handle one of the domains used during
# redirection, you should turn the condition on.
#
# https://github.com/h5bp/server-configs-apache/issues/52

Expand Down
57 changes: 28 additions & 29 deletions src/security/content-security-policy.conf
Original file line number Diff line number Diff line change
Expand Up @@ -5,54 +5,53 @@
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
# This can be done by setting a `Content Security Policy` which whitelists
# trusted sources of content for your website.
#
# There is no policy that fits all websites, you will have to modify
# the `Content-Security-Policy` directives in the example depending
# on your needs.
# There is no policy that fits all websites, you will have to modify the
# `Content-Security-Policy` directives in the example depending on your needs.
#
# The example policy below aims to:
#
# (1) Restrict all fetches by default to the origin of the current website
# by setting the `default-src` directive to `'self'` - which acts as a
# (1) Restrict all fetches by default to the origin of the current website by
# setting the `default-src` directive to `'self'` - which acts as a
# fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
#
# This is convenient as you do not have to specify all Fetch directives
# that apply to your site, for example:
# `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc.
#
# This restriction also means that you must explicitly define from
# which site(s) your website is allowed to load resources from.
# This restriction also means that you must explicitly define from which
# site(s) your website is allowed to load resources from.
#
# (2) The `<base>` element is not allowed on the website. This is to
# prevent attackers from changing the locations of resources loaded
# from relative URLs.
# (2) The `<base>` element is not allowed on the website. This is to prevent
# attackers from changing the locations of resources loaded from relative
# URLs.
#
# If you want to use the `<base>` element, then `base-uri 'self'`
# can be used instead.
# If you want to use the `<base>` element, then `base-uri 'self'` can be
# used instead.
#
# (3) Form submissions are only allowed from the current website by
# setting: `form-action 'self'`.
# (3) Form submissions are only allowed from the current website by setting:
# `form-action 'self'`.
#
# (4) Prevents all websites (including your own) from embedding your
# webpages within e.g. the `<iframe>` or `<object>` element by
# setting `frame-ancestors 'none'`.
# (4) Prevents all websites (including your own) from embedding your webpages
# within e.g. the `<iframe>` or `<object>` element by setting:
# `frame-ancestors 'none'`.
#
# The `frame-ancestors` directive helps avoid "Clickjacking" attacks
# and is similar to the `X-Frame-Options` header.
# The `frame-ancestors` directive helps avoid "Clickjacking" attacks and
# is similar to the `X-Frame-Options` header.
#
# Browsers that support the CSP header will ignore `X-Frame-Options`
# if `frame-ancestors` is also specified.
# Browsers that support the CSP header will ignore `X-Frame-Options` if
# `frame-ancestors` is also specified.
#
# (5) Forces the browser to treat all the resources that are served over
# HTTP as if they were loaded securely over HTTPS by setting the
# (5) Forces the browser to treat all the resources that are served over HTTP
# as if they were loaded securely over HTTPS by setting the
# `upgrade-insecure-requests` directive.
#
# Please note that `upgrade-insecure-requests` does not ensure
# HTTPS for the top-level navigation. If you want to force the
# website itself to be loaded over HTTPS you must include the
# `Strict-Transport-Security` header.
# Please note that `upgrade-insecure-requests` does not ensure HTTPS for
# the top-level navigation. If you want to force the website itself to be
# loaded over HTTPS you must include the `Strict-Transport-Security`
# header.
#
# (6) The `Content-Security-Policy` header is included in all responses
# that are able to execute scripting. This includes the commonly used
Expand Down
Loading

0 comments on commit d8553ee

Please sign in to comment.