From 3b3be820e92d5b0e8a1e111ca7661edfb66caa1f Mon Sep 17 00:00:00 2001 From: NorbiPeti Date: Mon, 13 May 2019 13:45:10 +0200 Subject: [PATCH] Added header... --- dist/.htaccess | 152 +++++++++--------- ...ENSE.txt => HTML5-Boilerplate-LICENSE.txt} | 0 dist/index.html | 35 +++- src/index.html | 35 +++- 4 files changed, 141 insertions(+), 81 deletions(-) rename dist/{LICENSE.txt => HTML5-Boilerplate-LICENSE.txt} (100%) diff --git a/dist/.htaccess b/dist/.htaccess index c34ea25..2a2bacf 100644 --- a/dist/.htaccess +++ b/dist/.htaccess @@ -1,4 +1,4 @@ -# Apache Server Configs v3.1.0 | MIT License +# Apache Server Configs v3.2.1 | MIT License # https://github.com/h5bp/server-configs-apache # (!) Using `.htaccess` files slows down Apache, therefore, if you have @@ -126,17 +126,7 @@ Options -MultiViews # https://msdn.microsoft.com/en-us/library/ff955275.aspx - - Header set X-UA-Compatible "IE=edge" - - # `mod_headers` cannot match based on the content-type, however, - # the `X-UA-Compatible` response header should be sent only for - # HTML documents and not for the other resources. - - - Header unset X-UA-Compatible - - + Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i" # ###################################################################### @@ -160,8 +150,9 @@ Options -MultiViews AddType application/json json map topojson AddType application/ld+json jsonld AddType application/rss+xml rss - AddType application/vnd.geo+json geojson - AddType application/xml rdf xml + AddType application/geo+json geojson + AddType application/rdf+xml rdf + AddType application/xml xml # JavaScript 
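Review bot: The replacement line `Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"` in the `@@ -126,17 +126,7 @@` hunk depends on the `expr=` argument of mod_headers, which is only available in Apache 2.4; on a 2.2 server the third argument is a configuration error, and since this lives in `.htaccess` every request below that directory would fail with a 500 instead of merely losing the header. The same applies to the `X-Frame-Options` line added in the `@@ -462,17 +451,7 @@` hunk. If 2.2 hosts are still in scope, wrap the directive in `<IfVersion >= 2.4>` (mod_version) or record the new minimum Apache version in the commit message. The enclosing `IfModule mod_headers.c` lines appear to have been stripped from this rendering, so the block's exact bounds cannot be checked here.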
@@ -248,26 +239,24 @@ AddDefaultCharset utf-8 # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset - AddCharset utf-8 .atom \ + AddCharset utf-8 .appcache \ .bbaw \ .css \ - .geojson \ + .htc \ .ics \ .js \ .json \ - .jsonld \ .manifest \ + .map \ .markdown \ .md \ .mjs \ - .rdf \ - .rss \ .topojson \ .vtt \ - .webapp \ + .vcard \ + .vcf \ .webmanifest \ - .xloc \ - .xml + .xloc # ###################################################################### @@ -462,17 +451,7 @@ AddDefaultCharset utf-8 # https://www.owasp.org/index.php/Clickjacking # - -# Header set X-Frame-Options "DENY" - -# # `mod_headers` cannot match based on the content-type, however, -# # the `X-Frame-Options` response header should be sent only for -# # HTML documents and not for the other resources. - -# -# Header unset X-Frame-Options -# - +# Header set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i" # # ---------------------------------------------------------------------- 
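Review bot: In the `@@ -462,17 +451,7 @@` hunk, `# Header set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"` is still a comment after the update, so the clickjacking mitigation this section describes remains inactive and the site's HTML pages stay embeddable from any origin. If that is not the intent, the directive should be uncommented together with its enclosing `IfModule mod_headers.c` block (the opening and closing lines appear stripped in this rendering), or the equivalent `frame-ancestors` restriction should be set in the Content-Security-Policy section that follows, whose point (4) covers embedding. A one-line comment such as `# Disabled on purpose: this site is embedded by <list of hosts>` would make the choice explicit if it is deliberate.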
@@ -485,30 +464,68 @@ AddDefaultCharset utf-8 # This can be done by setting a `Content Security Policy` which # whitelists trusted sources of content for your website. # -# The example header below allows ONLY scripts that are loaded from -# the current website's origin (no inline scripts, no CDN, etc). -# That almost certainly won't work as-is for your website! +# There is no policy that fits all websites, you will have to modify +# the `Content-Security-Policy` directives in the example below depending +# on your needs. # -# To make things easier, you can use an online CSP header generator -# such as: https://www.cspisawesome.com/. +# The example policy below aims to: # +# (1) Restrict all fetches by default to the origin of the current website +# by setting the `default-src` directive to `'self'` - which acts as a +# fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive). +# +# This is convenient as you do not have to specify all Fetch directives +# that apply to your site, for example: +# `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc. +# +# This restriction also means that you must explicitly define from +# which site(s) your website is allowed to load resources from. +# +# (2) The `` element is not allowed on the website. This is to +# prevent attackers from changing the locations of resources loaded +# from relative URLs. +# +# If you want to use the `` element, then `base-uri 'self'` +# can be used instead. +# +# (3) Form submissions are only allowed from the current website by +# setting: `form-action 'self'`. +# +# (4) Prevents all websites (including your own) from embedding your +# webpages within e.g. the `