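<IfModule mod_headers.c>
# Security response headers.
# `Header always set` writes to the err_headers_out table, so the headers are
# also sent on error responses (the 404.html page, 5xx); a plain `Header set`
# only covers successful responses and leaves error pages unprotected.

# https://github.com/h5bp/server-configs-apache/blob/master/src/security/strict-transport-security.conf
# NOTE(review): the `preload` token is only honoured by the HSTS preload list
# when `includeSubDomains` is present and max-age is at least one year
# (31536000); with the directive as set below it is inert. Switch to the
# commented variant once every subdomain is served over HTTPS.
# Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set Strict-Transport-Security "max-age=15768000; preload"

# http://stopmalvertising.com/security/securing-your-website-with-.htaccess/.htaccess-http-headers.html
Header always set X-Frame-Options SAMEORIGIN
# X-XSS-Protection is a legacy header: current browsers ignore it, and the
# auditor it enabled in older ones has itself been a source of information
# leaks. The Content-Security-Policy below is the real control; consider "0".
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"

# https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
# https://report-uri.io/home/pkp_hash
# HPKP (Public-Key-Pins) is deprecated and no longer enforced by any major
# browser, and a stale pin set locks clients out of the site for the whole
# max-age. The directive is kept for reference but disabled. Note that the
# original line used unescaped double quotes inside a double-quoted value;
# Apache's config parser splits such a value into several arguments, so the
# directive would most likely have failed to load. Inner quotes are escaped
# here so the line is valid if it is ever re-enabled.
# Header always set Public-Key-Pins "pin-sha256=\"sPN1QkpU0jxkt/e2TpIEDBFfCRxAbQI6O7Klen1NtTs=\"; pin-sha256=\"fVZ1UlYWgPZvUe9THLBBeg1pNN7LF4HI373EsQhUAdE=\"; pin-sha256=\"5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU=\"; max-age=2592000;"

# https://scotthelme.co.uk/content-security-policy-an-introduction/
# http://content-security-policy.com/
# Not Safari compatible: upgrade-insecure-requests; block-all-mixed-content;
# Not Safari compatible: child-src 'self' https: disqus.com www.strava.com www.youtube.com player.vimeo.com;
# Earlier host-allowlisted policies, kept for reference:
# Header set Content-Security-Policy: "default-src https:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https: *.twitter.com:* *.google-analytics.com ajax.googleapis.com a.disquscdn.com *.disqus.com *.services.disqus.com *.twitter.com cdn.syndication.twimg.com; style-src 'self' data: 'unsafe-inline' https: fonts.googleapis.com assets-cdn.github.com *.twiter.com; img-src 'self' https: referrer.disqus.com *.google-analytics.com a.disquscdn.com *.twiter.com *.twimg.com *.staticflickr.com *.static.flickr.com; font-src 'self' https: fonts.gstatic.com fonts.googleapis.com; connect-src 'self' https: links.services.disqus.com;""
# Header set Content-Security-Policy "default-src https:; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://*.twitter.com:* https://api.adsnative.com/v1/ad.json *.adsafeprotected.com https://cas.criteo.com/delivery/0.1/napi.jsonp *.services.disqus.com:* http://referrer.disqus.com/juggler/ https://disqus.com https://*.disqus.com http://*.twitter.com:* a.disquscdn.com https://cdn.syndication.twimg.com/tweets.json https://*.services.disqus.com:* *.moatads.com https://referrer.disqus.com/juggler/ https://mobile.adnxs.com/mob https://ajax.googleapis.com https://*.google-analytics.com; style-src 'self' data: 'unsafe-inline' https: fonts.googleapis.com assets-cdn.github.com *.twiter.com; img-src 'self' https: referrer.disqus.com *.google-analytics.com a.disquscdn.com *.twiter.com *.twimg.com *.staticflickr.com *.static.flickr.com; font-src 'self' https: fonts.gstatic.com fonts.googleapis.com; connect-src 'self' https: links.services.disqus.com;"
# NOTE(review): the active policy below enforces HTTPS-only loading but gives
# no protection against script injection: script-src allows 'unsafe-inline',
# 'unsafe-eval', data: and any https: origin, and object-src allows any https:
# plugin content. Restricting script-src to 'self' plus the named CDNs, and
# adding object-src 'none' and base-uri 'self', would make the policy
# meaningful. The header name is written without the trailing colon that the
# earlier variant carried, so the emitted header is exactly
# "Content-Security-Policy".
Header always set Content-Security-Policy "default-src 'none'; connect-src https:; font-src https: data:; frame-src https: ; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' data: https:; style-src 'unsafe-inline' https:;"
</IfModule>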
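<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteBase /

# 404 Error page
ErrorDocument 404 /404.html

# Skip force www for Akamized links
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} ^justinrummel.com.edgekey-staging.net$ [NC]
# RewriteRule ^(.*)$ https://justinrummel.com.edgekey-staging.net/$1 [R=301,L]

# Forcing 'www' at the beginning of all urls.
# Only the bare apex host is redirected. The dot is escaped so the pattern
# matches the literal hostname only; the former second condition ("host is
# not www.justinrummel.com") was implied by this one and has been dropped.
RewriteCond %{HTTP_HOST} ^justinrummel\.com$ [NC]
RewriteRule ^(.*)$ https://www.justinrummel.com/$1 [R=301,L]

# Forcing 'www' at the beginning of all urls
# https://github.com/h5bp/server-configs-apache/blob/master/src/rewrites/rewrite_www.conf
# RewriteCond %{HTTPS} !=on
# RewriteCond %{HTTP_HOST} !.net$ [NC]
# RewriteCond %{HTTP_HOST} !^www. [NC]
# RewriteCond %{SERVER_ADDR} !=127.0.0.1
# RewriteCond %{SERVER_ADDR} !=::1
# RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Forcing HTTPS
# https://github.com/h5bp/server-configs-apache/blob/master/src/rewrites/rewrite_http_to_https.conf
# NOTE(review): the target echoes the client-supplied Host header. That is
# what lets the staging host above keep working, but it also means an
# unexpected Host value is reflected into the Location header. If this vhost
# is the server's default, a fixed https://www.justinrummel.com/$1 target is
# the safer choice.
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

# Getting rid of 'undefined' at the end of urls. Not sure why there are there... but I see them in the error_log file
# (a bare "/undefined" collapses to "/", so the redirect cannot loop)
RewriteCond %{REQUEST_URI} undefined$
RewriteRule ^(.*)undefined$ $1 [R=301,L]

# Redirecting old "categories" to tags.
# NE keeps the '#' literal: without it mod_rewrite escapes it to %23 and the
# tag anchor becomes part of the path instead of a fragment. L stops later
# rules from being applied to the redirected URL.
RewriteRule ^(categories)(/)(.*)(/)$ https://www.justinrummel.com/tags/#$3 [R=301,NC,NE,L]

# Redirecting anything with /feeds to feedburner
# (the target is plain http; the feed fetch itself is not covered by HSTS)
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/$ http://feeds.feedburner.com/jr [R=301,L]

# Redirecting dumb disqus items (mod_alias). The pattern is anchored so only
# the old path itself matches, not any URL that merely contains it.
RedirectMatch 301 ^/i-moved-my-domains-to-google-domains/(.*) /i-moved-my-domains-to-google-domains-and-you-wont-believe-what-happened-next/$1

# Redirecting anything with /sitemap.xml.gz to sitemap.xml
# (the former "RewriteCond %{HTTP_HOST} ^.*$" matched every host and was a no-op)
RewriteRule ^sitemap\.xml\.gz$ "sitemap.xml" [R=301,L]
</IfModule>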
# https://raw.githubusercontent.com/h5bp/server-configs-apache/master/src/web_performance/compression.conf
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
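<IfModule mod_deflate.c>
# Force compression for mangled `Accept-Encoding` request headers
# https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
# The value pattern uses `\s*` (whitespace) as in the h5bp original; the
# unescaped `s*` that was here before only matched a literal letter "s", so
# a value such as "gzip, deflate" did not match.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
</IfModule>
</IfModule>

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Compress all output labeled with one of the following media types.
#
# (!) For Apache versions below version 2.3.7 you don't need to
# enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
# and `</IfModule>` lines as `AddOutputFilterByType` is still in
# the core directives.
#
# Every media type must be part of the single AddOutputFilterByType
# directive, so each line except the last ends with a `\` continuation.
# Without the backslashes Apache reads each quoted type as an unknown
# directive and refuses to serve the directory.
#
# https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
                              "application/javascript" \
                              "application/json" \
                              "application/ld+json" \
                              "application/manifest+json" \
                              "application/rdf+xml" \
                              "application/rss+xml" \
                              "application/schema+json" \
                              "application/vnd.geo+json" \
                              "application/vnd.ms-fontobject" \
                              "application/x-font-ttf" \
                              "application/x-javascript" \
                              "application/x-web-app-manifest+json" \
                              "application/xhtml+xml" \
                              "application/xml" \
                              "font/eot" \
                              "font/opentype" \
                              "image/bmp" \
                              "image/svg+xml" \
                              "image/vnd.microsoft.icon" \
                              "image/x-icon" \
                              "text/cache-manifest" \
                              "text/css" \
                              "text/html" \
                              "text/javascript" \
                              "text/plain" \
                              "text/vcard" \
                              "text/vnd.rim.location.xloc" \
                              "text/vtt" \
                              "text/x-component" \
                              "text/x-cross-domain-policy" \
                              "text/xml"
</IfModule>

# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Map the following filename extensions to the specified
# encoding type in order to make Apache serve the file types
# with the appropriate `Content-Encoding` response header
# (do note that this will NOT make Apache compress them!).
#
# If these file types were served without an appropriate
# `Content-Encoding` response header, client applications (e.g.:
# browsers) wouldn't know that they first need to uncompress
# the response, and thus, wouldn't be able to understand the
# content.
#
# https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
<IfModule mod_mime.c>
AddEncoding gzip svgz
</IfModule>
</IfModule>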
# https://raw.githubusercontent.com/h5bp/server-configs-apache/master/src/web_performance/expires_headers.conf
# ----------------------------------------------------------------------
# | Expires headers |
# ----------------------------------------------------------------------
# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html
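<IfModule mod_expires.c>
ExpiresActive on
# Applies to every media type not listed below. On a static site that is
# fine; if any response here is ever generated per user, give its media type
# an explicit short lifetime so it is not cached for a month by proxies.
ExpiresDefault "access plus 1 month"

# CSS
ExpiresByType text/css "access plus 1 year"

# Data interchange
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"

# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"

# HTML
ExpiresByType text/html "access plus 0 seconds"

# JavaScript
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"

# Manifest files
ExpiresByType application/manifest+json "access plus 1 year"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"

# Media files
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"

# Web fonts
# Both the legacy vendor types and the registered font/* types are listed,
# so the lifetime does not depend on which type the server's mime map emits.

# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"

# OpenType
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType font/otf "access plus 1 month"

# TrueType
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/ttf "access plus 1 month"

# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"

# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"

# Other
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>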