October 2, 2015 in Classic self-hosted technical help
OK, after some SSL tests and some other websites for testing my server,
I've seen this, and I've found in it more reports to fix and improve my config: https://www.dareboost.com/en/home
# Enable expirations
ExpiresActive On
# Default directive
ExpiresDefault "access plus 1 month"
# My favicon
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
# Header Security:
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header set Connection keep-alive
Starting from a bad result of 56, I now have 77!
IPB, atm, has 71.
Yes, I've also enabled gzip on the server and memcached + opcache (before, no cache), and added script before body! But now everything seems to work fine and really well.
Does anyone have any info on this?
I also want to try enabling http://www.html5rocks.com/en/tutorials/security/content-security-policy/
but I'm not sure if it is a good idea with IPB.
Using an .htaccess file will never get serious performance on your server and is the main reason to move to Nginx.
OK, but I don't have Nginx; because of that I want to try to improve my resources.
PS: I've also put this:
Header set Content-Security-Policy "default-src https:; connect-src https:; font-src https: data:; frame-src https:; img-src https: data:; media-src https:; object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; style-src 'unsafe-inline' https:;"
All works fine, but it is valid for an HTTPS setup (in other words, it accepts from all, but only if it is over HTTPS)!
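As an added example (not part of the original posts and not IPB's own code), the following Python audits the Content-Security-Policy value posted above and reports where it restricts only the scheme rather than the origin. The function names `parse_csp` and `audit_csp` and the set of checks are choices made for this example.

```python
# Added example: audit the Content-Security-Policy value posted in the thread.
POSTED_POLICY = (
    "default-src https:; connect-src https:; font-src https: data:; "
    "frame-src https:; img-src https: data:; media-src https:; "
    "object-src https:; script-src 'unsafe-inline' 'unsafe-eval' https:; "
    "style-src 'unsafe-inline' https:;"
)

SCHEME_ONLY = {"https:", "http:", "*"}  # sources that match any host
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")  # ignore default-src
PIN_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Return {directive: [sources]}; per the CSP spec the first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_csp(value):
    """Return sorted (directive, finding) pairs for weaknesses in a CSP value."""
    policy = parse_csp(value)
    findings = []
    for name in ("script-src", "object-src"):  # both fall back to default-src
        sources = policy.get(name, policy.get("default-src"))
        if sources is None:
            findings.append((name, "unrestricted: not set and no default-src"))
            continue
        if name == "script-src":
            # A nonce or hash makes browsers ignore 'unsafe-inline' (CSP2+).
            pinned = any(s.startswith(PIN_PREFIXES) for s in sources)
            if "'unsafe-inline'" in sources and not pinned:
                findings.append((name, "'unsafe-inline' allowed"))
            if "'unsafe-eval'" in sources:
                findings.append((name, "'unsafe-eval' allowed"))
        for s in sources:
            # With 'strict-dynamic', CSP3 browsers ignore scheme and host sources.
            if s in SCHEME_ONLY and "'strict-dynamic'" not in sources:
                findings.append((name, "any host allowed via " + s))
    for name in NO_FALLBACK:
        if name not in policy:
            findings.append((name, "not set (no default-src fallback)"))
    return sorted(findings)
```

Calling `audit_csp(POSTED_POLICY)` returns seven findings. The missing `frame-ancestors` is partly covered in this setup by the `X-Frame-Options SAMEORIGIN` header set earlier in the thread.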
This topic is now archived and is closed to further replies.