- Extend default, media and font cache TTL to 1 year [5df6946]
- Support
ETags
at server level [7956cbc] - Add
image/x-icon
compression support [69ddeda] - Improve module checks validations [cb8ef1b]
- Improve inline comments
⚠️ Breaking: End of support for Internet Explorer (X-UA-Compatible
andX-XSS-Protection
headers) [d1fb502]
[22014cb]- 🎉 Security first! Modernize TLS configuration [55c364d]
- 🎉 Security first! Refresh policies-related headers usage
- Add mime-type
image/jxl
[da3ce54] - Fix
SSLSessionCache
directive usage [64e33e8] - Improve inline comments.
- Add mime-type
image/avif
andimage/avifs
[4ca46af] - Fix unexpected Content-Language in pre-compressed Brotli [1f5641d]
- Added
systemd
module to support CentOS [5d060b0] - Improve inline comments.
- 🎉 Server-level config! Support httpd configuration at main server level.
Add
httpd.conf
file, vhost management, secure HTTP tweaking, etc. See the README [b50205a...c302596] ⚠️ Breaking: End of support for Apache httpd version 2.4.9 and below [baa9cdd]⚠️ Breaking: File paths changes for the.htaccess
build system [478ceab] [9cb2763]- Rewrite, improve and update a large part of the documentation [5dc823c] [5748d26] [d8553ee] [6862ac1] [ade3659]
- Default to HSTS only over secure connections [5bbc0a1]
- Stricter default for Referrer Policy
strict-origin-when-cross-origin
[43bcb83] - Add APNG (
.apng
) MIME type [ad25d31] - Ensure the presence of security headings where expected [d656422] [43bcb83] [d84d94c]
- Make disabling TRACE method usable in a
.htaccess
file [9ae931c] - Improve inline comments.
- Fix npm releasing [4b0ee86]
- Enhance CSP policy [f48934b]
- Common headers addition based on MIME-types instead of file extensions [a880772...64cb33d]
- Always unset
X-Powered-By
header [1470258] - Support hashed asset names in cache-busting [33f8006]
- Switch
application/vnd.geo+json
toapplication/geo+json
[35cbd63] - New test system using server-configs-test [3ae257c]
- Improve inline comments.
- Remove P3P iframe cookies directives [ccce7b8]
- Add
TraceEnable Off
directive [0a2f70e] - Support hashed asset names in cache-busting [33f8006]
- Allow SSL certificate set up over HTTP [54b6176..993127d]
- Rename cache expiration rules file to
cache_expiration.conf
to make it more generic [11690c6] - Improve inline comments.
⚠️ Breaking: End of support for Apache httpd version 2.3 and below [7d296c3]- 🎉 New build system! Configurable build and customizable generation. See the README [5896349]
- Add Referrer-Policy header template [591083e]
- Switch back
.js
-files and.mjs
-files media-type totext/javascript
[690f4ad] - Add pre-compressed content handling template [52639ab]
- Add WebAssembly module (
.wasm
) MIME type [a2e7d7b] - Improve inline comments.
- Serve
.md
and.markdown
files astext/markdown
[bfcafd3]. - Add font MIME types per RFC 8081 [20b446e].
- Mark
.mjs
files as JavaScript [c00975c]. - Add calendar filetype (
.ics
) [002a110]. - Block Mercurial
.orig
files [4c13648]. - Fix enforcing www/no-www with HTTPS [fc747bb].
- Drop Bower support [ee6cd75].
- Fix HTTPS enforcement rule [11e523d].
- Improve inline comments.
- Update the web app manifest file related configs [e603554].
- Remove the mapping of
.manifest
files to thetext/cache-manifest
media type [c805353]. - Remove the mapping of
.php
files to thetext/html
media type [daab35b].
- Add
ServerSignature Off
[#58]. - Change media types for
.atom
and.rss
files [#50]. - Send the HSTS header even for non-2xx responses [#57].
- Add configs that remove the
X-Powered-By
HTTP response header [#54]. - Add expires rules for WebP [#61].
- Add configs for common media types used for
.woff
files [e602ae9]. - Add configs for files marked as
text/x-cross-domain-policy
[a0c4e17]. - Add configs for files marked as
image/vnd.microsoft.icon
[0ba37cb]. - Add configs for files marked as
font/eot
[6dae5d4].
- Add
bower.json
and publish onBower
[3425f72]. - Improve inline comments.
- Add configs for files marked as
application/x-javascript
[23793d8]. - Add configs for bitmap image files (
.bmp
) [77ccf9e]. - Compress vCard files (
.vcard
/.vcf
). [a076635]. - Serve vCard files (
.vcard
/.vcf
) with thetext/vcard
media type [104f232]. - Add configs for BlackBerry Maps location documents (
.xloc
) [20000d1]. - Add configs for BlackBerry App World files (
.bbaw
) [352fb62].
- Update example regarding forcing
https://
[060b70c].
- Improve configs for
.rdf
files [742d148]. - Add example on how to allow cross-origin access to the resource's timing information [3df6768].
- Add configs for files marked as
text/javascript
[db69327]. - Add configs for JSON Schema files (
.json
) [#39].
- Update
package.json
and publish onnpm
[#33].
- Add configs for TopoJSON files (
.topojson
) [#34].
- Add configs for WOFF 2.0 font files (
.woff2
) [#32]. - Add configs for GeoJSON files (
.geojson
) [16d3965].
- Compress cache manifest files (
.appcache
/.manifest
) [d819fec]. - Move all compression related configs under the
Compression
section [73a107e].
- Improve and update inline comments.
- Add configs for web application manifest files [#29].
- Allow access to the content from within the
/.well-known/
directory [#31]. - Forbid access to
.conf
files. - Add the
no-transform
value to theCache-Control
HTTP response header without overwriting existing values. - Add
cur
,ico
,svg
,svgz
andwebp
to the filename-based cache busting list. - Add configs for text files (
.txt
) [b5bda65]. - Compress WebVTT files (
.vtt
) [0bb12c8]. - Reintroduce the
filename extension
tocontent type
mappings forico
andsvg
[#28].
- Send
X-Content-Type-Options
header by default [edd912d].
- Remove example regarding
persistent connections
[#20]. - Improve the
<FilesMatch>
regular expressions. - Add configs for JSON-LD (JSON for Linking Data) files [#17].
- Serve source map files with the
application/json
content-type [7d114e8]. - Make
RewriteCond
s forexample.com → www.example.com
more permissive [#11]. - Add configs for Ogg Opus audio files [#13].
- Add example on how to mitigate reflected (a.k.a non-persistent) XSS attacks [#8].
- Add example on how to provide clickjacking protection [#8].
- Add example on how to reduce MIME type security risks [#8].
- Add configs for cursor images (
.cur
) [a795fff]. - Fix backup and source file blocking for Apache v2.3+ [#5].
- Remove filename extension to content type mappings that are already provided by Apache v2.2.0+ [#4].
- Improve inline comments.
- Remove
screen flicker
fix required by IE 6 [#3].
- Remove Chrome Frame HTTP header hint.