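# Apache per-directory configuration (.htaccess).
#
# NOTE(review): this file was recovered from a listing collapsed onto a few
# lines, in which the original <IfModule>/<FilesMatch> containers were lost.
# The containers below are reconstructed from the surviving comments ("for
# zopfli files", "for brotli files", "for everything but html") and from the
# rewrite rules further down. Confirm them against the original before
# deploying: an unscoped `Header set Content-Encoding` corrupts every
# response, and a mis-scoped `Header unset Content-Security-Policy` strips
# the policy from the HTML documents it is meant to protect.
#
# Other changes from the recovered text: duplicated `X-Content-Type-Options`
# and `X-Frame-Options` sets and a duplicated `AddType image/webp` were
# removed; security headers use `Header always` so error pages (e.g. the
# 404 fallback) carry them too; the HTTPS redirect runs before any other
# rewrite; compression rewrite patterns are anchored with `$`.

# Send everything as UTF-8 by default
AddDefaultCharset utf-8

# Set 404 Error fallback page
ErrorDocument 404 /404.html

# Disable the pattern matching based on filenames.
#
# This setting prevents Apache from returning a 404 error as the result
# of a rewrite when the directory with the same name does not exist.
Options -MultiViews

# Prevent Apache from adding a trailing footer line containing
# information about the server to the server-generated documents
# (e.g.: error messages, directory listings, etc.)
ServerSignature Off

# Remove `ETags` as resources are sent with far-future expires headers
FileETag None

<IfModule mod_headers.c>

    # Rules to correctly serve gzip compressed CSS and JS files.
    # Requires both mod_rewrite and mod_headers to be enabled.
    #
    # The extension list mirrors the pre-compressed types the rewrite rules
    # below can select (css, js, svg, html, json); the <FilesMatch>
    # container itself is reconstructed — see the header note.

    # Serve correct encoding type for zopfli files
    <FilesMatch "\.(css|js|svg|html|json)\.gz$">
        Header set Content-Encoding gzip
        # Force proxies to cache gzipped & non-gzipped css/js files separately.
        Header append Vary Accept-Encoding
    </FilesMatch>

    # Serve correct encoding type for brotli files
    <FilesMatch "\.(css|js|svg|html|json)\.br$">
        Header set Content-Encoding br
        # Force proxies to cache gzipped & non-gzipped css/js files separately.
        Header append Vary Accept-Encoding
    </FilesMatch>

    # Set Content Security Policy options
    #
    # NOTE(review): `require-sri-for` was never shipped by browsers and
    # `block-all-mixed-content` is deprecated, so both are inert here.
    # `sandbox allow-same-origin allow-scripts` applies sandbox flags to the
    # page itself: without `allow-forms` form submission is blocked even
    # though `form-action 'self'` is declared — confirm this is intended.
    # `frame-ancestors 'self'` allows same-origin framing, whereas the
    # X-Frame-Options header below says DENY; browsers that understand
    # frame-ancestors ignore X-Frame-Options, so the two policies disagree.
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' *.github.com; connect-src 'self' api.asciidisco.com; require-sri-for script style; block-all-mixed-content; frame-ancestors 'self'; form-action 'self'; sandbox allow-same-origin allow-scripts; base-uri 'self';"

    # Set Referrer Policy header
    Header always set Referrer-Policy same-origin

    # Detect WebP support with Header Vary Accept
    # `REDIRECT_accept` is the `E=accept:1` variable set by the WebP rewrite
    # rule below, as it appears after mod_rewrite's internal redirect.
    Header append Vary Accept env=REDIRECT_accept

    # Prevent some browsers from MIME-sniffing the response.
    #
    # This reduces exposure to drive-by download attacks and cross-origin
    # data leaks, and should be left uncommented, especially if the server
    # is serving user-uploaded content or content that could potentially be
    # treated as executable by the browser.
    Header always set X-Content-Type-Options "nosniff"

    # Prevent intermediate caches or proxies (e.g.: such as the ones
    # used by mobile network providers) from modifying the website's content.
    Header merge Cache-Control "no-transform"

    # Enable HSTS (max-age is two years). Only this exact host is covered —
    # there is no `includeSubDomains` or `preload`. Browsers ignore HSTS on
    # plain-HTTP responses, so sending it unconditionally is harmless.
    Header always set Strict-Transport-Security "max-age=63072000"

    # Protect website against clickjacking.
    #
    # The example below sends the `X-Frame-Options` response header with
    # the value `DENY`, informing browsers not to display the content of
    # the web page in any frame.
    Header always set X-Frame-Options "DENY"

    # Try to re-enable the cross-site scripting (XSS) filter built into most web browsers.
    # NOTE(review): current browsers have removed this filter, and where it
    # still exists the usual guidance is to send `0` and rely on CSP instead.
    Header always set X-XSS-Protection "1; mode=block"

    # Remove `ETags` and `Last-Modified` as resources are sent with far-future expires headers.
    Header unset ETag
    Header unset Last-Modified

    # Remove server type header
    Header unset X-Powered-By

    # Set language header
    Header set Content-Language en-GB

    # Unset X-FRAME-OPTIONS, X-XSS-Protection and Content-Security-Policy for everything but html
    #
    # Container reconstructed: matches every file with an extension except
    # .htm/.html and their pre-compressed .html.gz/.html.br variants, which
    # the rewrite rules serve in place of the HTML and therefore must keep
    # the policy headers. Confirm against the original pattern.
    <FilesMatch "^(?!.*\.html?(\.(gz|br))?$).+\.[A-Za-z0-9]+$">
        Header always unset X-Frame-Options
        Header always unset X-XSS-Protection
        Header always unset Content-Security-Policy
    </FilesMatch>

</IfModule>

# HTTP/2 PUSH Maps
{{{PUSH_MANIFEST}}}

<IfModule mod_mime.c>

    # Data interchange
    AddType application/atom+xml                    atom
    AddType application/json                        json map topojson
    AddType application/ld+json                     jsonld
    AddType application/rss+xml                     rss
    AddType application/vnd.geo+json                geojson
    AddType application/xml                         rdf xml

    # JavaScript
    AddType application/javascript                  js mjs

    # Manifest files
    AddType application/manifest+json               webmanifest
    AddType application/x-web-app-manifest+json     webapp
    AddType text/cache-manifest                     appcache

    # Media files
    AddType audio/mp4                               f4a f4b m4a
    AddType audio/ogg                               oga ogg opus
    AddType image/bmp                               bmp
    AddType image/svg+xml                           svg svgz
    AddType image/webp                              webp
    AddType video/mp4                               f4v f4p m4v mp4
    AddType video/ogg                               ogv
    AddType video/webm                              webm
    AddType video/x-flv                             flv
    AddType image/x-icon                            cur ico

    # Web fonts
    AddType font/woff                               woff
    AddType font/woff2                              woff2
    AddType application/vnd.ms-fontobject           eot
    AddType font/ttf                                ttf
    AddType font/collection                         ttc
    AddType font/otf                                otf

    # Other
    AddType application/octet-stream                safariextz
    AddType application/x-bb-appworld               bbaw
    AddType application/x-chrome-extension          crx
    AddType application/x-opera-extension           oex
    AddType application/x-xpinstall                 xpi
    AddType text/calendar                           ics
    AddType text/markdown                           markdown md
    AddType text/vcard                              vcard vcf
    AddType text/vnd.rim.location.xloc              xloc
    AddType text/vtt                                vtt
    AddType text/x-component                        htc

    # Send text resources as UTF-8 by default
    AddCharset utf-8 .atom \
                     .bbaw \
                     .css \
                     .geojson \
                     .ics \
                     .js \
                     .json \
                     .jsonld \
                     .manifest \
                     .markdown \
                     .md \
                     .mjs \
                     .rdf \
                     .rss \
                     .topojson \
                     .vtt \
                     .webapp \
                     .webmanifest \
                     .xloc \
                     .xml

</IfModule>

<IfModule mod_rewrite.c>

    # Rewriting from .htaccess also needs `FollowSymLinks` (or
    # `SymLinksIfOwnerMatch`) enabled by the host configuration; that is not
    # set here.
    RewriteEngine On

    # Force redirect to HTTPS.
    #
    # Placed first so plain-HTTP requests are redirected before any other
    # rewriting is done. `%{HTTPS}` is not set behind a TLS-terminating
    # proxy (the redirect would loop there), and `%{HTTP_HOST}` echoes the
    # client's Host header — a fixed canonical hostname is safer when the
    # vhost answers to more than one name.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Serve brotli/zopfli compressed CSS files if they exist and the client
    # accepts brotli (br) or gzip. Patterns are anchored with `$` so that a
    # request for e.g. `style.css.map` is not rewritten to `style.css.gz`.
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.css$ $1\.css\.br [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css$ $1\.css\.gz [QSA]

    # Serve brotli/zopfli compressed JS files if they exist and the client
    # accepts brotli (br) or gzip.
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.js$ $1\.js\.br [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js$ $1\.js\.gz [QSA]

    # Serve brotli/zopfli compressed SVG files if they exist and the client
    # accepts brotli (br) or gzip.
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.svg$ $1\.svg\.br [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.svg$ $1\.svg\.gz [QSA]

    # Serve brotli/zopfli compressed HTML files if they exist and the client
    # accepts brotli (br) or gzip.
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.html$ $1\.html\.br [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.html$ $1\.html\.gz [QSA]

    # Serve brotli/zopfli compressed JSON files if they exist and the client
    # accepts brotli (br) or gzip.
    RewriteCond %{HTTP:Accept-encoding} br
    RewriteCond %{REQUEST_FILENAME}\.br -s
    RewriteRule ^(.*)\.json$ $1\.json\.br [QSA]

    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.json$ $1\.json\.gz [QSA]

    # Serve correct content types, and prevent mod_deflate double gzip.
    # `E=no-gzip:1` tells mod_deflate to leave the already-compressed file
    # alone; the Content-Encoding header is set by the <FilesMatch> blocks
    # in the mod_headers section above.
    RewriteRule \.css\.gz$  - [T=text/css,E=no-gzip:1]
    RewriteRule \.css\.br$  - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$   - [T=text/javascript,E=no-gzip:1]
    RewriteRule \.js\.br$   - [T=text/javascript,E=no-gzip:1]
    RewriteRule \.svg\.gz$  - [T=image/svg+xml,E=no-gzip:1]
    RewriteRule \.svg\.br$  - [T=image/svg+xml,E=no-gzip:1]
    RewriteRule \.html\.gz$ - [T=text/html,E=no-gzip:1]
    RewriteRule \.html\.br$ - [T=text/html,E=no-gzip:1]
    RewriteRule \.json\.gz$ - [T=application/json,E=no-gzip:1]
    RewriteRule \.json\.br$ - [T=application/json,E=no-gzip:1]

    # Check if browser support WebP images
    RewriteCond %{HTTP_ACCEPT} image/webp
    # Check if WebP replacement image exists
    RewriteCond %{DOCUMENT_ROOT}/$1.webp -f
    # Serve WebP image instead (`E=accept:1` drives the `Vary: Accept`
    # header added in the mod_headers section)
    RewriteRule (.+)\.(jpe?g|png)$ $1.webp [T=image/webp,E=accept:1]

    # Route requests to the latest deployment public folder
    RewriteCond %{REQUEST_URI} !^/{{PUBLIC_FOLDER}}/
    RewriteRule (.*) {{PUBLIC_FOLDER}}/$1 [L]

    # Filename-based cache busting
    # Rewrites all requests such as `/css/style.12sf65.css` to `/css/style.css`.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.+)\.([a-zA-Z0-9]+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ $1.$3 [L]

</IfModule>

<IfModule mod_expires.c>

    # Serve resources with far-future expires headers
    ExpiresActive on
    ExpiresDefault                                      "access plus 0 seconds"

    # CSS
    ExpiresByType text/css                              "access plus 1 year"

    # HTML
    ExpiresByType text/html                             "access plus 0 seconds"

    # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

</IfModule>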