# Apache Configuration File
2
3# (!) Using `.htaccess` files slows down Apache, therefore, if you have access
4# to the main server config file (usually called `httpd.conf`), you should add
5# this logic there: http://httpd.apache.org/docs/current/howto/htaccess.html.
6
7# ##############################################################################
8# # CROSS-ORIGIN RESOURCE SHARING (CORS) #
9# ##############################################################################
10
11# ------------------------------------------------------------------------------
12# | Cross-domain AJAX requests |
13# ------------------------------------------------------------------------------
14
# Enable cross-origin AJAX requests. Note that a `*` origin makes every
# response under this directory readable from any site, so only enable it for
# content that is genuinely public.
# http://code.google.com/p/html5security/wiki/CrossOriginRequestSecurity
# http://enable-cors.org/
18
19# <IfModule mod_headers.c>
20# Header set Access-Control-Allow-Origin "*"
21# </IfModule>
22
23# ------------------------------------------------------------------------------
24# | CORS-enabled images |
25# ------------------------------------------------------------------------------
26
27# Send the CORS header for images when browsers request it.
28# https://developer.mozilla.org/en/CORS_Enabled_Image
29# http://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
30# http://hacks.mozilla.org/2011/11/using-cors-to-load-webgl-textures-from-cross-domain-images/
31
<IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
        <FilesMatch "\.(gif|ico|jpe?g|png|svg|svgz|webp)$">
            # `IS_CORS` is set only when the request carries an `Origin`
            # header containing ":" (a scheme-qualified origin, which is what
            # browsers send for cross-origin fetches); plain same-origin
            # requests for these images get no CORS header at all.
            SetEnvIf Origin ":" IS_CORS
            # `env=IS_CORS` restricts the header to those requests. Browsers
            # do not honour `*` for credentialed requests, so this only
            # exposes the (public) image bytes, nothing cookie-protected.
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
</IfModule>
40
41# ------------------------------------------------------------------------------
42# | Web fonts access |
43# ------------------------------------------------------------------------------
44
45# Allow access from all domains for web fonts
46
<IfModule mod_headers.c>
    # Browsers fetch web fonts in CORS mode, so serving them to another
    # origin (a CDN or a sibling subdomain) requires this header. Unlike the
    # image rule above it is sent unconditionally, not only when an `Origin`
    # header is present.
    # Note: the pattern is a regex, so the unescaped dot in `font.css`
    # matches any single character, not just a literal ".".
    <FilesMatch "\.(eot|font.css|otf|ttc|ttf|woff)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>
52
53
54# ##############################################################################
55# # ERRORS #
56# ##############################################################################
57
58# ------------------------------------------------------------------------------
59# | 404 error prevention for non-existing redirected folders |
60# ------------------------------------------------------------------------------
61
62# Prevent Apache from returning a 404 error for a rewrite if a directory
63# with the same name does not exist.
64# http://httpd.apache.org/docs/current/content-negotiation.html#multiviews
65# http://www.webmasterworld.com/apache/3808792.htm
66
# Disable mod_negotiation's filename-based content negotiation (MultiViews)
# for this directory tree; see the note above for why this matters for
# rewrites.
Options -MultiViews
68
69# ------------------------------------------------------------------------------
70# | Custom error messages / pages |
71# ------------------------------------------------------------------------------
72
73# You can customize what Apache returns to the client in case of an error (see
74# http://httpd.apache.org/docs/current/mod/core.html#errordocument), e.g.:
75
# Serve a local page for 404s. Keep this a site-relative path: giving
# `ErrorDocument` a full URL makes Apache answer with a redirect instead of a
# 404 status.
ErrorDocument 404 /404.html
77
78
79# ##############################################################################
80# # INTERNET EXPLORER #
81# ##############################################################################
82
83# ------------------------------------------------------------------------------
84# | Better website experience |
85# ------------------------------------------------------------------------------
86
87# Force IE to render pages in the highest available mode in the various
88# cases when it may not: http://hsivonen.iki.fi/doctype/ie-mode.pdf.
89
<IfModule mod_headers.c>
    # Set the header for everything first ...
    Header set X-UA-Compatible "IE=edge"
    # `mod_headers` can't match based on the content-type, however, we only
    # want to send this header for HTML pages and not for the other resources
    # ... then strip it again for every non-HTML extension listed below (the
    # `<FilesMatch>` section is applied after the directory-level `Header set`,
    # so the unset wins for matching files).
    <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
        Header unset X-UA-Compatible
    </FilesMatch>
</IfModule>
98
99# ------------------------------------------------------------------------------
100# | Cookie setting from iframes |
101# ------------------------------------------------------------------------------
102
103# Allow cookies to be set from iframes in IE.
104
105# <IfModule mod_headers.c>
106# Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
107# </IfModule>
108
109# ------------------------------------------------------------------------------
110# | Screen flicker |
111# ------------------------------------------------------------------------------
112
113# Stop screen flicker in IE on CSS rollovers (this only works in
114# combination with the `ExpiresByType` directives for images from below).
115
116# BrowserMatch "MSIE" brokenvary=1
117# BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
118# BrowserMatch "Opera" !brokenvary
119# SetEnvIf brokenvary 1 force-no-vary
120
121
122# ##############################################################################
123# # MIME TYPES AND ENCODING #
124# ##############################################################################
125
126# ------------------------------------------------------------------------------
127# | Proper MIME types for all files |
128# ------------------------------------------------------------------------------
129
<IfModule mod_mime.c>

    # Explicit extension -> `Content-Type` mappings. Extensions not listed
    # here keep whatever the server-wide `mime.types` assigns them.
    # The `ExpiresByType` and `AddOutputFilterByType` sections further down
    # key on the type names declared here, so keep those lists in sync when
    # adding an extension.

    # Audio
    AddType audio/mp4 m4a f4a f4b
    AddType audio/ogg oga ogg

    # JavaScript
    # Normalize to standard type (it's sniffed in IE anyways):
    # http://tools.ietf.org/html/rfc4329#section-7.2
    AddType application/javascript js jsonp
    AddType application/json json

    # Video
    AddType video/mp4 mp4 m4v f4v f4p
    AddType video/ogg ogv
    AddType video/webm webm
    AddType video/x-flv flv

    # Web fonts
    AddType application/font-woff woff
    AddType application/vnd.ms-fontobject eot

    # Browsers usually ignore the font MIME types and sniff the content,
    # however, Chrome shows a warning if other MIME types are used for the
    # following fonts.
    AddType application/x-font-ttf ttc ttf
    AddType font/opentype otf

    # Make SVGZ fonts work on iPad:
    # https://twitter.com/FontSquirrel/status/14855840545
    # `.svgz` is gzip-compressed SVG: `AddType` says what the content is and
    # `AddEncoding` adds `Content-Encoding: gzip` so clients inflate it
    # transparently.
    AddType image/svg+xml svg svgz
    AddEncoding gzip svgz

    # Other
    AddType application/octet-stream safariextz
    AddType application/x-chrome-extension crx
    AddType application/x-opera-extension oex
    AddType application/x-shockwave-flash swf
    AddType application/x-web-app-manifest+json webapp
    AddType application/x-xpinstall xpi
    AddType application/xml atom rdf rss xml
    AddType image/webp webp
    AddType image/x-icon ico
    AddType text/cache-manifest appcache manifest
    AddType text/vtt vtt
    AddType text/x-component htc
    AddType text/x-vcard vcf

</IfModule>
179
180# ------------------------------------------------------------------------------
181# | UTF-8 encoding |
182# ------------------------------------------------------------------------------
183
184# Use UTF-8 encoding for anything served as `text/html` or `text/plain`.
# Appends `; charset=utf-8` to `text/html` and `text/plain` responses only;
# the `AddCharset` block below covers the other text-like types.
AddDefaultCharset utf-8
186
187# Force UTF-8 for certain file formats.
<IfModule mod_mime.c>
    # Per-extension charset for types `AddDefaultCharset` does not touch
    # (CSS, JS, JSON, feeds, VTT, web-app manifests, XML).
    AddCharset utf-8 .atom .css .js .json .rss .vtt .webapp .xml
</IfModule>
191
192
193# ##############################################################################
194# # URL REWRITES #
195# ##############################################################################
196
197# ------------------------------------------------------------------------------
198# | Rewrite engine |
199# ------------------------------------------------------------------------------
200
201# Turning on the rewrite engine and enabling the `FollowSymLinks` option is
202# necessary for the following directives to work.
203
204# If your web host doesn't allow the `FollowSymlinks` option, you may need to
205# comment it out and use `Options +SymLinksIfOwnerMatch` but, be aware of the
206# performance impact: http://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
207
208# Also, some cloud hosting services require `RewriteBase` to be set:
209# http://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-mod-rewrite-not-working-on-my-site
210
<IfModule mod_rewrite.c>
    # Per-directory rewriting needs `FollowSymLinks` (or the
    # `SymLinksIfOwnerMatch` alternative below); see the note above.
    Options +FollowSymlinks
    # Options +SymLinksIfOwnerMatch
    # Switched on once here; the later `<IfModule mod_rewrite.c>` blocks in
    # this file do not repeat it and rely on this setting.
    RewriteEngine On
    # RewriteBase /
</IfModule>
217
218# ------------------------------------------------------------------------------
219# | Suppressing / Forcing the "www." at the beginning of URLs |
220# ------------------------------------------------------------------------------
221
# The same content should never be available under two different URLs,
# especially not with and without "www." at the beginning. This can cause SEO
# problems (duplicate content), therefore you should choose one of the
# alternatives and redirect the other one.
226
227# By default option 1 (no "www.") is activated:
228# http://no-www.org/faq.php?q=class_b
229
230# If you'd prefer to use option 2, just comment out all the lines from option 1
231# and uncomment the ones from option 2.
232
233# IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
234
235# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
236
237# Option 1: rewrite www.example.com → example.com
238
<IfModule mod_rewrite.c>
    # Only plain-HTTP requests are rewritten; an `https://www.` request is
    # left untouched by this rule.
    RewriteCond %{HTTPS} !=on
    # Capture the host with the leading "www." stripped into %1
    # (case-insensitive match).
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    # NOTE(review): the redirect target is built from the client-supplied
    # `Host` header (%1). If this vhost answers for arbitrary hostnames, pin
    # the target host or restrict `ServerName`/`ServerAlias` so a crafted
    # `Host` value cannot steer the 301 elsewhere.
    RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]
</IfModule>
244
245# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
246
247# Option 2: rewrite example.com → www.example.com
248
249# Be aware that the following might not be a good idea if you use "real"
250# subdomains for certain parts of your website.
251
252# <IfModule mod_rewrite.c>
253# RewriteCond %{HTTPS} !=on
254# RewriteCond %{HTTP_HOST} !^www\..+$ [NC]
255# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
256# </IfModule>
257
258
259# ##############################################################################
260# # SECURITY #
261# ##############################################################################
262
263# ------------------------------------------------------------------------------
264# | Content Security Policy (CSP) |
265# ------------------------------------------------------------------------------
266
267# You can mitigate the risk of cross-site scripting and other content-injection
268# attacks by setting a Content Security Policy which whitelists trusted sources
269# of content for your site.
270
271# The example header below allows ONLY scripts that are loaded from the current
272# site's origin (no inline scripts, no CDN, etc). This almost certainly won't
273# work as-is for your site!
274
275# To get all the details you'll need to craft a reasonable policy for your site,
276# read: http://html5rocks.com/en/tutorials/security/content-security-policy (or
277# see the specification: http://w3.org/TR/CSP).
278
279# <IfModule mod_headers.c>
280# Header set Content-Security-Policy "script-src 'self'; object-src 'self'"
281# <FilesMatch "\.(appcache|crx|css|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svg|svgz|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
282# Header unset Content-Security-Policy
283# </FilesMatch>
284# </IfModule>
285
286# ------------------------------------------------------------------------------
287# | File access |
288# ------------------------------------------------------------------------------
289
290# Block access to directories without a default document.
# Usually you should leave this uncommented because you shouldn't allow anyone
# to surf through every directory on your server (which may include rather
# private places like the CMS's directories).
294
<IfModule mod_autoindex.c>
    # Without this, a request for a directory with no index document gets an
    # auto-generated listing; with `-Indexes` Apache answers 403 instead.
    Options -Indexes
</IfModule>
298
299# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
300
301# Block access to hidden files and directories.
302# This includes directories used by version control systems such as Git and SVN.
303
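<IfModule mod_rewrite.c>
    # Deny (403) any request whose path has a component starting with "."
    # (`.git/`, `.svn/`, `.env`, editor/IDE dot-directories, ...) whenever it
    # maps to an existing file or directory.
    #
    # Exception: `/.well-known/` (RFC 5785) must stay reachable -- it is where
    # ACME (Let's Encrypt) HTTP-01 challenges and `security.txt` are served
    # from -- so the first condition exempts well-formed paths beneath it.
    # The `[OR]` binds only the two `SCRIPT_FILENAME` tests, i.e. the rule
    # fires when: not-well-known AND (is-dir OR is-file).
    #
    # Relies on `RewriteEngine On` from the "Rewrite engine" block above.
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>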
309
310# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
311
# Block access to backup and source files.
# These files may be left behind by some text editors and can pose a serious
# security risk if anyone can access them.
315
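<FilesMatch "(^#.*#|\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    # Matches emacs autosaves (`#foo#`), trailing-tilde backups (`foo~`) and
    # the listed extensions (including vim swap files `.swp`/`.swo`), anywhere
    # under this directory tree.
    #
    # Apache 2.4 authorises through mod_authz_core; the 2.2-style
    # `Order`/`Deny`/`Satisfy` directives only work there when
    # `mod_access_compat` is loaded, so emit whichever form the running
    # server understands. Either branch denies every client.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>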
321
322# ------------------------------------------------------------------------------
323# | Secure Sockets Layer (SSL) |
324# ------------------------------------------------------------------------------
325
326# Rewrite secure requests properly to prevent SSL certificate warnings, e.g.:
327# prevent `https://www.example.com` when your certificate only allows
328# `https://secure.example.com`.
329
330# <IfModule mod_rewrite.c>
331# RewriteCond %{SERVER_PORT} !^443
332# RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
333# </IfModule>
334
335# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
336
337# Force client-side SSL redirection.
338
# If a user types "example.com" in their browser, the above rule will redirect
# them to the secure version of the site. That still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request. The following header ensures that the browser will ONLY
# connect to your server via HTTPS, regardless of what the user types in the
# address bar (browsers only honour it once it has been received over a valid
# HTTPS connection).
# http://www.html5rocks.com/en/tutorials/security/transport-layer-security/
345
346# <IfModule mod_headers.c>
347# Header set Strict-Transport-Security max-age=16070400;
348# </IfModule>
349
350# ------------------------------------------------------------------------------
351# | Server software information |
352# ------------------------------------------------------------------------------
353
354# Avoid displaying the exact Apache version number, the description of the
355# generic OS-type and the information about Apache's compiled-in modules.
356
357# ADD THIS DIRECTIVE IN THE `httpd.conf` AS IT WILL NOT WORK IN THE `.htaccess`!
358
359# ServerTokens Prod
360
361
362# ##############################################################################
363# # WEB PERFORMANCE #
364# ##############################################################################
365
366# ------------------------------------------------------------------------------
367# | Compression |
368# ------------------------------------------------------------------------------
369
<IfModule mod_deflate.c>

    # Force compression for mangled headers.
    # http://developer.yahoo.com/blogs/ydn/posts/2010/12/pushing-beyond-gzipping
    # Some proxies/anti-virus products rewrite the `Accept-Encoding` request
    # header name (to `Accept-EncodXng`, `X-cept-Encoding`, or a run of 15
    # `X`/`~`/`-`). When such a header carries a gzip/deflate list, or a
    # mangled value of 4-13 `X`/`~`/`-` characters, set `HAVE_Accept-Encoding`
    # and append a real `Accept-Encoding: gzip,deflate` so compression still
    # kicks in.
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    # Compress all output labeled with one of the following MIME-types
    # (for Apache versions below 2.3.7, you don't need to enable `mod_filter`
    # and can remove the `<IfModule mod_filter.c>` and `</IfModule>` lines
    # as `AddOutputFilterByType` is still in the core directives).
    # Only text-like types are listed; already-compressed formats (images,
    # video, WOFF) are left out.
    # NOTE(review): compressing `text/html` responses that embed per-session
    # secrets (e.g. CSRF tokens) next to attacker-influenced content is the
    # precondition for BREACH-style compression side channels; consider
    # excluding such pages from DEFLATE.
    <IfModule mod_filter.c>
        AddOutputFilterByType DEFLATE application/atom+xml \
                                      application/javascript \
                                      application/json \
                                      application/rss+xml \
                                      application/vnd.ms-fontobject \
                                      application/x-font-ttf \
                                      application/x-web-app-manifest+json \
                                      application/xhtml+xml \
                                      application/xml \
                                      font/opentype \
                                      image/svg+xml \
                                      image/x-icon \
                                      text/css \
                                      text/html \
                                      text/plain \
                                      text/x-component \
                                      text/xml
    </IfModule>

</IfModule>
406
407# ------------------------------------------------------------------------------
408# | Content transformations |
409# ------------------------------------------------------------------------------
410
411# Prevent some of the mobile network providers from modifying the content of
412# your site: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5.
413
414# <IfModule mod_headers.c>
415# Header set Cache-Control "no-transform"
416# </IfModule>
417
418# ------------------------------------------------------------------------------
419# | ETag removal |
420# ------------------------------------------------------------------------------
421
422# Since we're sending far-future expires headers (see below), ETags can
423# be removed: http://developer.yahoo.com/performance/rules.html#etags.
424
425# `FileETag None` is not enough for every server.
<IfModule mod_headers.c>
    # Strip any `ETag` a handler already put on the response ...
    Header unset ETag
</IfModule>

# ... and stop the core from generating one for static files in the first
# place. Both are kept because, as noted above, `FileETag None` alone is not
# honoured by every server setup.
FileETag None
431
432# ------------------------------------------------------------------------------
433# | Expires headers (for better cache control) |
434# ------------------------------------------------------------------------------
435
436# The following expires headers are set pretty far in the future. If you don't
437# control versioning with filename-based cache busting, consider lowering the
438# cache time for resources like CSS and JS to something like 1 week.
439
<IfModule mod_expires.c>

    # mod_expires derives both the `Expires` and the `Cache-Control: max-age`
    # headers from the rules below.
    ExpiresActive on
    # Fallback for every type that has no `ExpiresByType` here (e.g.
    # `image/webp`, `text/vtt`, `application/octet-stream`).
    ExpiresDefault "access plus 1 month"

    # CSS
    # Long-lived on the assumption of filename-based cache busting (see the
    # note above).
    ExpiresByType text/css "access plus 1 year"

    # Data interchange
    # "access plus 0 seconds" = expires immediately, so clients revalidate on
    # every request.
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"

    # Favicon (cannot be renamed!)
    ExpiresByType image/x-icon "access plus 1 week"

    # HTML components (HTCs)
    ExpiresByType text/x-component "access plus 1 month"

    # HTML
    # Never cache the HTML itself; this is what makes the year-long CSS/JS
    # lifetimes above and below safe, since the HTML carries the revved names.
    ExpiresByType text/html "access plus 0 seconds"

    # JavaScript
    ExpiresByType application/javascript "access plus 1 year"

    # Manifest files
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"

    # Media
    ExpiresByType audio/ogg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType video/mp4 "access plus 1 month"
    ExpiresByType video/ogg "access plus 1 month"
    ExpiresByType video/webm "access plus 1 month"

    # Web feeds
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"

    # Web fonts
    ExpiresByType application/font-woff "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    ExpiresByType application/x-font-ttf "access plus 1 month"
    ExpiresByType font/opentype "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"

</IfModule>
490
491# ------------------------------------------------------------------------------
492# | Filename-based cache busting |
493# ------------------------------------------------------------------------------
494
495# If you're not using a build process to manage your filename version revving,
496# you might want to consider enabling the following directives to route all
497# requests such as `/css/style.12345.css` to `/css/style.css`.
498
499# To understand why this is important and a better idea than `*.css?v231`, read:
500# http://stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring
501
502# <IfModule mod_rewrite.c>
503# RewriteCond %{REQUEST_FILENAME} !-f
504# RewriteCond %{REQUEST_FILENAME} !-d
505# RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
506# </IfModule>
507
508# ------------------------------------------------------------------------------
509# | File concatenation |
510# ------------------------------------------------------------------------------
511
512# Allow concatenation from within specific CSS and JS files, e.g.:
513# Inside of `script.combined.js` you could have
514# <!--#include file="libs/jquery.js" -->
515# <!--#include file="plugins/jquery.idletimer.js" -->
516# and they would be included into this single file.
517
518# <IfModule mod_include.c>
519# <FilesMatch "\.combined\.js$">
520# Options +Includes
521# AddOutputFilterByType INCLUDES application/javascript application/json
522# SetOutputFilter INCLUDES
523# </FilesMatch>
524# <FilesMatch "\.combined\.css$">
525# Options +Includes
526# AddOutputFilterByType INCLUDES text/css
527# SetOutputFilter INCLUDES
528# </FilesMatch>
529# </IfModule>
530
531# ------------------------------------------------------------------------------
532# | Persistent connections |
533# ------------------------------------------------------------------------------
534
535# Allow multiple requests to be sent over the same TCP connection:
536# http://httpd.apache.org/docs/current/en/mod/core.html#keepalive.
537
538# Enable if you serve a lot of static content but, be aware of the
539# possible disadvantages!
540
541# <IfModule mod_headers.c>
542# Header set Connection Keep-Alive
543# </IfModule>