h5bp · necolas · Jul 31, 2012 · Jul 29, 2012
diff --git a/.htaccess b/.htaccess
@@ -1,22 +1,15 @@
 # Apache configuration file
 # httpd.apache.org/docs/2.2/mod/quickreference.html
 
-# Note .htaccess files are an overhead, this logic should be in your Apache config if possible
-# httpd.apache.org/docs/2.2/howto/htaccess.html
+# Note .htaccess files are an overhead, this logic should be in your Apache
+# config if possible: httpd.apache.org/docs/2.2/howto/htaccess.html
 
 # Techniques in here adapted from all over, including:
 #   Kroc Camen: camendesign.com/.htaccess
 #   perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
 #   Sample .htaccess file of CMS MODx: modxcms.com
 
 
-###
-### If you run a webserver other than Apache, consider:
-### github.com/h5bp/server-configs
-###
-
-
-
 # ----------------------------------------------------------------------
 # Better website experience for IE users
 # ----------------------------------------------------------------------
@@ -83,12 +76,10 @@
 </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Proper MIME type for all files
 # ----------------------------------------------------------------------
 
-
 # JavaScript
 #   Normalize to standard type (it's sniffed in IE anyways)
 #   tools.ietf.org/html/rfc4329#section-7.2
@@ -143,15 +134,14 @@ AddType text/vtt                            vtt
 # and they would be included into this single file.
 
 # This is not in use in the boilerplate as it stands. You may
-# choose to name your files in this way for this advantage or
-# concatenate and minify them manually.
-# Disabled by default.
+# choose to use this technique if you do not have a build process.
 
 #<FilesMatch "\.combined\.js$">
 #  Options +Includes
 #  AddOutputFilterByType INCLUDES application/javascript application/json
 #  SetOutputFilter INCLUDES
 #</FilesMatch>
+
 #<FilesMatch "\.combined\.css$">
 #  Options +Includes
 #  AddOutputFilterByType INCLUDES text/css
@@ -217,8 +207,8 @@ AddType text/vtt                            vtt
 # Additionally, consider that outdated proxies may miscache
 #   www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
 
-# If you don't use filenames to version, lower the CSS  and JS to something like
-#   "access plus 1 week" or so.
+# If you don't use filenames to version, lower the CSS and JS to something like
+# "access plus 1 week".
 
 <IfModule mod_expires.c>
   ExpiresActive on
@@ -269,19 +259,20 @@ AddType text/vtt                            vtt
 
 </IfModule>
 
+
 # ----------------------------------------------------------------------
 # Prevent mobile network providers from modifying your site
 # ----------------------------------------------------------------------
 
-# The following header prevents modification of your code over 3G on some European providers
-# This is the official 'bypass' suggested by O2 in the UK
+# The following header prevents modification of your code over 3G on some
+# European providers.
+# This is the official 'bypass' suggested by O2 in the UK.
 
 # <IfModule mod_headers.c>
 # Header set Cache-Control "no-transform"
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # ETag removal
 # ----------------------------------------------------------------------
@@ -297,58 +288,54 @@ AddType text/vtt                            vtt
 FileETag None
 
 
-
 # ----------------------------------------------------------------------
 # Stop screen flicker in IE on CSS rollovers
 # ----------------------------------------------------------------------
 
 # The following directives stop screen flicker in IE on CSS rollovers - in
-# combination with the "ExpiresByType" rules for images (see above). If
-# needed, un-comment the following rules.
+# combination with the "ExpiresByType" rules for images (see above).
 
 # BrowserMatch "MSIE" brokenvary=1
 # BrowserMatch "Mozilla/4.[0-9]{2}" brokenvary=1
 # BrowserMatch "Opera" !brokenvary
 # SetEnvIf brokenvary 1 force-no-vary
 
 
-
 # ----------------------------------------------------------------------
 # Set Keep-Alive Header
 # ----------------------------------------------------------------------
 
-# Keep-Alive allows the server to send multiple requests through one TCP-connection.
-# Be aware of possible disadvantages of this setting. Turn on if you serve a lot of
-# static content.
+# Keep-Alive allows the server to send multiple requests through one
+# TCP-connection. Be aware of possible disadvantages of this setting. Turn on
+# if you serve a lot of static content.
 
 # <IfModule mod_headers.c>
 #   Header set Connection Keep-Alive
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Cookie setting from iframes
 # ----------------------------------------------------------------------
 
 # Allow cookies to be set from iframes (for IE only)
-# If needed, uncomment and specify a path or regex in the Location directive
+# If needed, specify a path or regex in the Location directive.
 
 # <IfModule mod_headers.c>
 #   Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Start rewrite engine
 # ----------------------------------------------------------------------
 
-# Turning on the rewrite engine is necessary for the following rules and features.
-# FollowSymLinks must be enabled for this to work.
+# Turning on the rewrite engine is necessary for the following rules and
+# features. FollowSymLinks must be enabled for this to work.
 #
-# Some cloud hosting services require RewriteBase to be set: goo.gl/HOcPN
-# If using the h5bp in a subdirectory, use `RewriteBase /foo` instead where 'foo' is your directory.
+# Some cloud hosting services require RewriteBase to be set: goo.gl/HOcPN If
+# using the h5bp in a subdirectory, use `RewriteBase /foo` instead where 'foo'
+# is your directory.
 
 <IfModule mod_rewrite.c>
   Options +FollowSymlinks
@@ -357,26 +344,27 @@ FileETag None
 </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Suppress or force the "www." at the beginning of URLs
 # ----------------------------------------------------------------------
 
-# The same content should never be available under two different URLs - especially not with and
-# without "www." at the beginning, since this can cause SEO problems (duplicate content).
-# That's why you should choose one of the alternatives and redirect the other one.
+# The same content should never be available under two different URLs -
+# especially not with and without "www." at the beginning, since this can cause
+# SEO problems (duplicate content). That's why you should choose one of the
+# alternatives and redirect the other one.
 
-# By default option 1 (no "www.") is activated. Remember: Shorter URLs are sexier.
+# By default option 1 (no "www.") is activated.
 # no-www.org/faq.php?q=class_b
 
-# If you rather want to use option 2, just comment out all option 1 lines
+# If you'd prefer to use option 2, just comment out all option 1 lines
 # and uncomment option 2.
+
 # IMPORTANT: NEVER USE BOTH RULES AT THE SAME TIME!
 
 # ----------------------------------------------------------------------
 
 # Option 1:
-# Rewrite "www.example.com -> example.com"
+# Rewrite "www.example.com -> example.com".
 
 <IfModule mod_rewrite.c>
   RewriteCond %{HTTPS} !=on
@@ -387,9 +375,9 @@ FileETag None
 # ----------------------------------------------------------------------
 
 # Option 2:
-# To rewrite "example.com -> www.example.com" uncomment the following lines.
-# Be aware that the following rule might not be a good idea if you
-# use "real" subdomains for certain parts of your website.
+# Rewrite "example.com -> www.example.com".
+# Be aware that the following rule might not be a good idea if you use "real"
+# subdomains for certain parts of your website.
 
 # <IfModule mod_rewrite.c>
 #   RewriteCond %{HTTPS} !=on
@@ -398,7 +386,6 @@ FileETag None
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Built-in filename-based cache busting
 # ----------------------------------------------------------------------
@@ -410,41 +397,37 @@ FileETag None
 # To understand why this is important and a better idea than all.css?v1231,
 # read: github.com/h5bp/html5-boilerplate/wiki/cachebusting
 
-# Uncomment to enable.
 # <IfModule mod_rewrite.c>
 #   RewriteCond %{REQUEST_FILENAME} !-f
 #   RewriteCond %{REQUEST_FILENAME} !-d
 #   RewriteRule ^(.+)\.(\d+)\.(js|css|png|jpg|gif)$ $1.$3 [L]
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Prevent SSL cert warnings
 # ----------------------------------------------------------------------
 
 # Rewrite secure requests properly to prevent SSL cert warnings, e.g. prevent
 # https://www.example.com when your cert only allows https://secure.example.com
-# Uncomment the following lines to use this feature.
 
 # <IfModule mod_rewrite.c>
 #   RewriteCond %{SERVER_PORT} !^443
 #   RewriteRule ^ https://example-domain-please-change-me.com%{REQUEST_URI} [R=301,L]
 # </IfModule>
 
 
-
 # ----------------------------------------------------------------------
 # Prevent 404 errors for non-existing redirected folders
 # ----------------------------------------------------------------------
 
-# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the same name does not exist
-#   e.g. /blog/hello : webmasterworld.com/apache/3808792.htm
+# without -MultiViews, Apache will give a 404 for a rewrite if a folder of the
+# same name does not exist.
+# webmasterworld.com/apache/3808792.htm
 
 Options -MultiViews
 
 
-
 # ----------------------------------------------------------------------
 # Custom 404 page
 # ----------------------------------------------------------------------
@@ -455,7 +438,6 @@ Options -MultiViews
 ErrorDocument 404 /404.html
 
 
-
 # ----------------------------------------------------------------------
 # UTF-8 encoding
 # ----------------------------------------------------------------------
@@ -467,45 +449,40 @@ AddDefaultCharset utf-8
 AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
 
 
-
 # ----------------------------------------------------------------------
 # A little more security
 # ----------------------------------------------------------------------
 
-
-# Do we want to advertise the exact version number of Apache we're running?
-# Probably not.
-## This can only be enabled if used in httpd.conf - It will not work in .htaccess
+# To avoid displaying the exact version number of Apache being used, add the
+# following to httpd.conf (it will not work in .htaccess):
 # ServerTokens Prod
 
-
-# "-Indexes" will have Apache block users from browsing folders without a default document
-# Usually you should leave this activated, because you shouldn't allow everybody to surf through
-# every folder on your server (which includes rather private places like CMS system folders).
+# "-Indexes" will have Apache block users from browsing folders without a
+# default document Usually you should leave this activated, because you
+# shouldn't allow everybody to surf through every folder on your server (which
+# includes rather private places like CMS system folders).
 <IfModule mod_autoindex.c>
   Options -Indexes
 </IfModule>
 
-
-# Block access to "hidden" directories or files whose names begin with a period. This
-# includes directories used by version control systems such as Subversion or Git.
+# Block access to "hidden" directories or files whose names begin with a
+# period. This includes directories used by version control systems such as
+# Subversion or Git.
 <IfModule mod_rewrite.c>
   RewriteCond %{SCRIPT_FILENAME} -d [OR]
   RewriteCond %{SCRIPT_FILENAME} -f
   RewriteRule "(^|/)\." - [F]
 </IfModule>
 
-
-# Block access to backup and source files
-# These files may be left by some text/html editors and
-# pose a great security danger, when anyone can access them
+# Block access to backup and source files. These files may be left by some
+# text/html editors and pose a great security danger, when anyone can access
+# them.
 <FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$">
   Order allow,deny
   Deny from all
   Satisfy All
 </FilesMatch>
 
-
 # If your server is not already configured as such, the following directive
 # should be uncommented in order to set PHP's register_globals option to OFF.
 # This closes a major security hole that is abused by most XSS (cross-site

diff --git a/crossdomain.xml b/crossdomain.xml
@@ -1,22 +1,15 @@
 <?xml version="1.0"?>
 <!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
 <cross-domain-policy>
+    <!-- Read this: www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
 
-<!-- Read this: www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
-
-<!-- Most restrictive policy: -->
+    <!-- Most restrictive policy: -->
     <site-control permitted-cross-domain-policies="none"/>
 
-<!-- Least restrictive policy: -->
-<!--
+    <!-- Least restrictive policy: -->
+    <!--
     <site-control permitted-cross-domain-policies="all"/>
     <allow-access-from domain="*" to-ports="*" secure="false"/>
     <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
--->
-<!--
-  If you host a crossdomain.xml file with allow-access-from domain="*"
-  and don’t understand all of the points described here, you probably
-  have a nasty security vulnerability. ~ simon willison
--->
-
+    -->
 </cross-domain-policy>