From 23bb5f347ff95858dfd632f29266c541914b985d Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard
Date: Tue, 11 Oct 2011 04:40:01 +0200
Subject: Strip irrelevant and risky parts of html5 snippet.

---
 apache2/conf.d/local-html5.conf | 281 ----------------------------------------
 1 file changed, 281 deletions(-)

diff --git a/apache2/conf.d/local-html5.conf b/apache2/conf.d/local-html5.conf
index 3007b14..204473e 100644
--- a/apache2/conf.d/local-html5.conf
+++ b/apache2/conf.d/local-html5.conf
@@ -34,36 +34,6 @@
-# ----------------------------------------------------------------------
-# Cross-domain AJAX requests
-# ----------------------------------------------------------------------
-
-# Serve cross-domain ajax requests, disabled.
-# enable-cors.org
-# code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
-
-#
-# Header set Access-Control-Allow-Origin "*"
-#
-
-
-
-# ----------------------------------------------------------------------
-# Webfont access
-# ----------------------------------------------------------------------
-
-# Allow access from all domains for webfonts.
-# Alternatively you could only whitelist your
-# subdomains like "subdomain.example.com".
-
-
-
- Header set Access-Control-Allow-Origin "*"
-
-
-
-
-
 # ----------------------------------------------------------------------
 # Proper MIME type for all files
 # ----------------------------------------------------------------------
@@ -107,32 +77,6 @@ AddType text/x-vcard vcf
-# ----------------------------------------------------------------------
-# Allow concatenation from within specific js and css files
-# ----------------------------------------------------------------------
-
-# e.g. Inside of script.combined.js you could have
-#
-#
-# and they would be included into this single file.
-
-# This is not in use in the boilerplate as it stands. You may
-# choose to name your files in this way for this advantage or
-# concatenate and minify them manually.
-# Disabled by default.
-
-#
-# Options +Includes
-# AddOutputFilterByType INCLUDES application/javascript application/json
-# SetOutputFilter INCLUDES
-#
-#
-# Options +Includes
-# AddOutputFilterByType INCLUDES text/css
-# SetOutputFilter INCLUDES
-#
-
-
 # ----------------------------------------------------------------------
 # Gzip compression
 # ----------------------------------------------------------------------
@@ -279,228 +223,3 @@ FileETag None
 # BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
 # BrowserMatch "Opera" !brokenvary
 # SetEnvIf brokenvary 1 force-no-vary
-
-
-
-# ----------------------------------------------------------------------
-# Cookie setting from iframes
-# ----------------------------------------------------------------------
-
-# Allow cookies to be set from iframes (for IE only)
-# If needed, uncomment and specify a path or regex in the Location directive
-
-#
-#
-# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
-#
-#
-
-
-
-# ----------------------------------------------------------------------
-# Start rewrite engine
-# ----------------------------------------------------------------------
-
-# Turning on the rewrite engine is necessary for the following rules and features.
-# FollowSymLinks must be enabled for this to work.
-
-
- Options +FollowSymlinks
- RewriteEngine On
-
-
-
-
-# ----------------------------------------------------------------------
-# Suppress or force the "www." at the beginning of URLs
-# ----------------------------------------------------------------------
-
-# The same content should never be available under two different URLs - especially not with and
-# without "www." at the beginning, since this can cause SEO problems (duplicate content).
-# That's why you should choose one of the alternatives and redirect the other one.
-
-# By default option 1 (no "www.") is activated. Remember: Shorter URLs are sexier.
-# no-www.org/faq.php?q=class_b
-
-# If you rather want to use option 2, just comment out all option 1 lines
-# and uncomment option 2.
-# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
-
-# ----------------------------------------------------------------------
-
-# Option 1:
-# Rewrite "www.example.com -> example.com"
-
-
- RewriteCond %{HTTPS} !=on
- RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
- RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
-
-# ----------------------------------------------------------------------
-
-# Option 2:
-# To rewrite "example.com -> www.example.com" uncomment the following lines.
-# Be aware that the following rule might not be a good idea if you
-# use "real" subdomains for certain parts of your website.
-
-#
-# RewriteCond %{HTTPS} !=on
-# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
-# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
-#
-
-
-
-# ----------------------------------------------------------------------
-# Built-in filename-based cache busting
-# ----------------------------------------------------------------------
-
-# If you're not using the build script to manage your filename version revving,
-# you might want to consider enabling this, which will route requests for
-# /css/style.20110203.css to /css/style.css
-
-# To understand why this is important and a better idea than all.css?v1231,
-# read: github.com/paulirish/html5-boilerplate/wiki/Version-Control-with-Cachebusting
-
-# Uncomment to enable.
-#
-# RewriteCond %{REQUEST_FILENAME} !-f
-# RewriteCond %{REQUEST_FILENAME} !-d
-# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
-#
-
-
-
-# ----------------------------------------------------------------------
-# Prevent SSL cert warnings
-# ----------------------------------------------------------------------
-
-# Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
-# https://www.example.com when your cert only allows https://secure.example.com
-# Uncomment the following lines to use this feature.
-
-#
-# RewriteCond %{SERVER_PORT} !^443
-# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
-#
-
-
-
-# ----------------------------------------------------------------------
-# Prevent 404 errors for non-existing redirected folders
-# ----------------------------------------------------------------------
-
-# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist
-# e.g. /blog/hello : webmasterworld.com/apache/3808792.htm
-
-Options -MultiViews
-
-
-
-# ----------------------------------------------------------------------
-# Custom 404 page
-# ----------------------------------------------------------------------
-
-# You can add custom pages to handle 500 or 403 pretty easily, if you like.
-ErrorDocument 404 /404.html
-
-
-
-# ----------------------------------------------------------------------
-# UTF-8 encoding
-# ----------------------------------------------------------------------
-
-# Use UTF-8 encoding for anything served text/plain or text/html
-AddDefaultCharset utf-8
-
-# Force UTF-8 for a number of file formats
-AddCharset utf-8 .html .css .js .xml .json .rss .atom
-
-
-
-# ----------------------------------------------------------------------
-# A little more security
-# ----------------------------------------------------------------------
-
-
-# Do we want to advertise the exact version number of Apache we're running?
-# Probably not.
-## This can only be enabled if used in httpd.conf - It will not work in .htaccess
-# ServerTokens Prod
-
-
-# "-Indexes" will have Apache block users from browsing folders without a default document
-# Usually you should leave this activated, because you shouldn't allow everybody to surf through
-# every folder on your server (which includes rather private places like CMS system folders).
-
-
- Options -Indexes
-
-
-
-# Block access to "hidden" directories whose names begin with a period. This
-# includes directories used by version control systems such as Subversion or Git.
-
-
- RewriteRule "(^|/)\." - [F]
-
-
-
-# If your server is not already configured as such, the following directive
-# should be uncommented in order to set PHP's register_globals option to OFF.
-# This closes a major security hole that is abused by most XSS (cross-site
-# scripting) attacks. For more information: http://php.net/register_globals
-#
-# IF REGISTER_GLOBALS DIRECTIVE CAUSES 500 INTERNAL SERVER ERRORS :
-#
-# Your server does not allow PHP directives to be set via .htaccess. In that
-# case you must make this change in your php.ini file instead. If you are
-# using a commercial web host, contact the administrators for assistance in
-# doing this. Not all servers allow local php.ini files, and they should
-# include all PHP configurations (not just this one), or you will effectively
-# reset everything to PHP defaults. Consult www.php.net for more detailed
-# information about setting PHP directives.
-
-# php_flag register_globals Off
-
-# Rename session cookie to something else, than PHPSESSID
-# php_value session.name sid
-
-# Do not show you are using PHP
-# Note: Move this line to php.ini since it won't work in .htaccess
-# php_flag expose_php Off
-
-# Level of log detail - log all errors
-# php_value error_reporting -1
-
-# Write errors to log file
-# php_flag log_errors On
-
-# Do not display errors in browser (production - Off, development - On)
-# php_flag display_errors Off
-
-# Do not display startup errors (production - Off, development - On)
-# php_flag display_startup_errors Off
-
-# Format errors in plain text
-# Note: Leave this setting 'On' for xdebug's var_dump() output
-# php_flag html_errors Off
-
-# Show multiple occurrence of error
-# php_flag ignore_repeated_errors Off
-
-# Show same errors from different sources
-# php_flag ignore_repeated_source Off
-
-# Size limit for error messages
-# php_value log_errors_max_len 1024
-
-# Don't precede error with string (doesn't accept empty string, use whitespace if you need)
-# php_value error_prepend_string " "
-
-# Don't prepend to error (doesn't accept empty string, use whitespace if you need)
-# php_value error_append_string " "
-
-# Increase cookie security
-
- php_value session.cookie_httponly true
-
-- 
cgit v1.2.3