CHANGELOG.md


5.1.0 (May 9, 2022)

  • Extend default, media and font cache TTL to 1 year [5df6946]
  • Support ETags at server level [7956cbc]
  • Add image/x-icon compression support [69ddeda]
  • Improve module checks validations [cb8ef1b]
  • Improve inline comments

5.0.0 (July 31, 2021)

  • ⚠️ Breaking: End of support for Internet Explorer (X-UA-Compatible and X-XSS-Protection headers) [d1fb502] [22014cb]
  • 🎉 Security first! Modernize TLS configuration [55c364d]
  • 🎉 Security first! Refresh policies-related headers usage
    • Add Cross Origin Policies headers (COOP/COEP/CORP) [9d2cb74]
    • Add Permissions-Policy header [86494cc]
    • Make Content-Security-Policy disallow 'object-src' by default [f993710]
  • Add mime-type image/jxl [da3ce54]
  • Fix SSLSessionCache directive usage [64e33e8]
  • Improve inline comments.

4.1.0 (January 5, 2021)

  • Add mime-type image/avif and image/avifs [4ca46af]
  • Fix unexpected Content-Language in pre-compressed Brotli [1f5641d]
  • Add systemd module to support CentOS [5d060b0]
  • Improve inline comments.

4.0.0 (April 14, 2020)

  • 🎉 Server-level config! Support httpd configuration at main server level. Add httpd.conf file, vhost management, secure HTTP tweaking, etc. See the README [b50205a...c302596]
  • ⚠️ Breaking: End of support for Apache httpd version 2.4.9 and below [baa9cdd]
  • ⚠️ Breaking: File paths changes for the .htaccess build system [478ceab] [9cb2763]
  • Rewrite, improve and update a large part of the documentation [5dc823c] [5748d26] [d8553ee] [6862ac1] [ade3659]
  • Default to HSTS only over secure connections [5bbc0a1]
  • Stricter default for Referrer Policy strict-origin-when-cross-origin [43bcb83]
  • Add APNG (.apng) MIME type [ad25d31]
  • Ensure the presence of security headers where expected [d656422] [43bcb83] [d84d94c]
  • Make disabling TRACE method usable in a .htaccess file [9ae931c]
  • Improve inline comments.

3.2.1 (May 8, 2019)

3.2.0 (May 6, 2019)

  • Enhance CSP policy [f48934b]
  • Common headers addition based on MIME-types instead of file extensions [a880772...64cb33d]
  • Always unset X-Powered-By header [1470258]
  • Support hashed asset names in cache-busting [33f8006]
  • Switch application/vnd.geo+json to application/geo+json [35cbd63]
  • New test system using server-configs-test [3ae257c]
  • Improve inline comments.

3.1.0 (February 8, 2019)

  • Remove P3P iframe cookies directives [ccce7b8]
  • Add TraceEnable Off directive [0a2f70e]
  • Support hashed asset names in cache-busting [33f8006]
  • Allow SSL certificate set up over HTTP [54b6176..993127d]
  • Rename cache expiration rules file to cache_expiration.conf to make it more generic [11690c6]
  • Improve inline comments.

3.0.0 (April 16, 2018)

  • ⚠️ Breaking: End of support for Apache httpd version 2.3 and below [7d296c3]
  • 🎉 New build system! Configurable build and customizable generation. See the README [5896349]
  • Add Referrer-Policy header template [591083e]
  • Switch back .js-files and .mjs-files media-type to text/javascript [690f4ad]
  • Add pre-compressed content handling template [52639ab]
  • Add WebAssembly module (.wasm) MIME type [a2e7d7b]
  • Improve inline comments.

2.15.0 (October 8, 2017)

  • Serve .md and .markdown files as text/markdown [bfcafd3].
  • Add font MIME types per RFC 8081 [20b446e].
  • Mark .mjs files as JavaScript [c00975c].
  • Add calendar filetype (.ics) [002a110].
  • Block Mercurial .orig files [4c13648].
  • Fix enforcing www/no-www with HTTPS [fc747bb].
  • Drop Bower support [ee6cd75].
  • Fix HTTPS enforcement rule [11e523d].
  • Improve inline comments.

2.14.0 (April 4, 2015)

  • Update the web app manifest file related configs [e603554].

2.13.0 (March 4, 2015)

  • Remove the mapping of .manifest files to the text/cache-manifest media type [c805353].
  • Remove the mapping of .php files to the text/html media type [daab35b].

2.12.0 (March 2, 2015)

  • Add ServerSignature Off [#58].
  • Change media types for .atom and .rss files [#50].
  • Send the HSTS header even for non-2xx responses [#57].
  • Add configs that remove the X-Powered-By HTTP response header [#54].
  • Add expires rules for WebP [#61].

2.11.0 (October 27, 2014)

  • Add configs for common media types used for .woff files [e602ae9].
  • Add configs for files marked as text/x-cross-domain-policy [a0c4e17].
  • Add configs for files marked as image/vnd.microsoft.icon [0ba37cb].
  • Add configs for files marked as font/eot [6dae5d4].

2.10.0 (October 20, 2014)

  • Add bower.json and publish on Bower [3425f72].
  • Improve inline comments.
  • Add configs for files marked as application/x-javascript [23793d8].
  • Add configs for bitmap image files (.bmp) [77ccf9e].
  • Compress vCard files (.vcard/.vcf) [a076635].
  • Serve vCard files (.vcard/.vcf) with the text/vcard media type [104f232].
  • Add configs for BlackBerry Maps location documents (.xloc) [20000d1].
  • Add configs for BlackBerry App World files (.bbaw) [352fb62].

2.9.0 (October 15, 2014)

  • Update example regarding forcing https:// [060b70c].

2.8.0 (September 13, 2014)

  • Improve configs for .rdf files [742d148].
  • Add example on how to allow cross-origin access to the resource's timing information [3df6768].
  • Add configs for files marked as text/javascript [db69327].
  • Add configs for JSON Schema files (.json) [#39].

2.7.1 (August 3, 2014)

  • Update package.json and publish on npm [#33].

2.7.0 (July 28, 2014)

  • Add configs for TopoJSON files (.topojson) [#34].

2.6.0 (July 3, 2014)

  • Add configs for WOFF 2.0 font files (.woff2) [#32].
  • Add configs for GeoJSON files (.geojson) [16d3965].

2.5.0 (June 14, 2014)

  • Compress cache manifest files (.appcache/.manifest) [d819fec].
  • Move all compression related configs under the Compression section [73a107e].

2.4.1 (June 7, 2014)

  • Improve and update inline comments.

2.4.0 (June 3, 2014)

  • Add configs for web application manifest files [#29].
  • Allow access to the content from within the /.well-known/ directory [#31].
  • Forbid access to .conf files.
  • Add the no-transform value to the Cache-Control HTTP response header without overwriting existing values.
  • Add cur, ico, svg, svgz and webp to the filename-based cache busting list.
  • Add configs for text files (.txt) [b5bda65].
  • Compress WebVTT files (.vtt) [0bb12c8].
  • Reintroduce the filename extension to content type mappings for ico and svg [#28].

2.3.0 (April 10, 2014)

  • Send X-Content-Type-Options header by default [edd912d].

2.2.0 (February 3, 2014)

  • Remove example regarding persistent connections [#20].
  • Improve the <FilesMatch> regular expressions.
  • Add configs for JSON-LD (JSON for Linking Data) files [#17].

2.1.0 (December 31, 2013)

  • Serve source map files with the application/json content-type [7d114e8].
  • Make RewriteConds for example.com → www.example.com more permissive [#11].
  • Add configs for Ogg Opus audio files [#13].

2.0.0 (November 12, 2013)

  • Add example on how to mitigate reflected (a.k.a. non-persistent) XSS attacks [#8].
  • Add example on how to provide clickjacking protection [#8].
  • Add example on how to reduce MIME type security risks [#8].
  • Add configs for cursor images (.cur) [a795fff].
  • Fix backup and source file blocking for Apache v2.3+ [#5].
  • Remove filename extension to content type mappings that are already provided by Apache v2.2.0+ [#4].
  • Improve inline comments.
  • Remove screen flicker fix required by IE 6 [#3].

1.1.0 (July 27, 2013)

  • Remove Chrome Frame HTTP header hint.

1.0.0 (July 27, 2013)