chore(release): 1.0.0 [skip ci]

# 1.0.0 (2020-08-22)

### Bug Fixes

* add load-config.yml task ([03cfc3b](03cfc3b))
* add vendor files ([7b6d324](7b6d324))
* nginx conf template path ([f0be945](f0be945))

### Features

* add .gitmodules ([1aa86b0](1aa86b0))
* add galaxy.yml ([6bd5bcd](6bd5bcd))

Author: stackhead-bot

vendor/server-configs-nginx/h5bp/basic.conf

@@ -0,0 +1,10 @@
+# Nginx Server Configs | MIT License
+# https://github.com/h5bp/server-configs-nginx
+
+include h5bp/internet_explorer/x-ua-compatible.conf;
+include h5bp/security/referrer-policy.conf;
+include h5bp/security/x-content-type-options.conf;
+include h5bp/security/x-frame-options.conf;
+include h5bp/security/x-xss-protection.conf;
+include h5bp/location/security_file_access.conf;
+include h5bp/cross-origin/requests.conf;

vendor/server-configs-nginx/h5bp/cross-origin/requests.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Cross-origin requests                                              |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#     Instead of using this file, consider using a specific rule such as
+#     allowing access based on (sub)domain:
+#
+#         add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+add_header Access-Control-Allow-Origin $cors;

vendor/server-configs-nginx/h5bp/cross-origin/resource_timing.conf

@@ -0,0 +1,15 @@
+# ----------------------------------------------------------------------
+# | Cross-origin resource timing                                       |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to the timing information for all resources.
+#
+# If a resource isn't served with a `Timing-Allow-Origin` header that would
+# allow its timing information to be shared with the document, some of the
+# attributes of the `PerformanceResourceTiming` object will be set to zero.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
+# https://www.w3.org/TR/resource-timing/
+# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
+
+add_header Timing-Allow-Origin "*";

vendor/server-configs-nginx/h5bp/errors/custom_errors.conf

@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Custom error messages/pages                                        |
+# ----------------------------------------------------------------------
+
+# Customize what Nginx returns to the client in case of an error.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
+
+error_page 404 /404.html;

vendor/server-configs-nginx/h5bp/internet_explorer/x-ua-compatible.conf

@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Document modes                                                     |
+# ----------------------------------------------------------------------
+
+# Force Internet Explorer 8/9/10 to render pages in the highest mode
+# available in various cases when it may not.
+#
+# https://hsivonen.fi/doctype/#ie8
+#
+# (!) Starting with Internet Explorer 11, document modes are deprecated.
+#     If your business still relies on older web apps and services that were
+#     designed for older versions of Internet Explorer, you might want to
+#     consider enabling `Enterprise Mode` throughout your company.
+#
+# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
+# https://msdn.microsoft.com/en-us/library/ff955275.aspx
+
+add_header X-UA-Compatible $x_ua_compatible;

vendor/server-configs-nginx/h5bp/location/security_file_access.conf

@@ -0,0 +1,41 @@
+# ----------------------------------------------------------------------
+# | File access                                                        |
+# ----------------------------------------------------------------------
+
+# Block access to all hidden files and directories except for the
+# visible content from within the `/.well-known/` hidden directory.
+#
+# These types of files usually contain user preferences or the preserved state
+# of a utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
+#
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
+#
+# https://www.mnot.net/blog/2010/04/07/well-known
+# https://tools.ietf.org/html/rfc5785
+
+location ~* /\.(?!well-known\/) {
+  deny all;
+}
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to files that can expose sensitive information.
+#
+# By default, block access to backup and source files that may be left by some
+# text editors and can pose a security risk when anyone has access to them.
+#
+# https://feross.org/cmsploit/
+#
+# (!) Update the `location` regular expression from below to include any files
+#     that might end up on your production server and can expose sensitive
+#     information about your website. These files may include: configuration
+#     files, files that contain metadata about the project (e.g.: project
+#     dependencies, build scripts, etc.).
+
+location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+  deny all;
+}

vendor/server-configs-nginx/h5bp/location/web_performance_filename-based_cache_busting.conf

@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | Filename-based cache busting                                       |
+# ----------------------------------------------------------------------
+
+# If you're not using a build process to manage your filename version revving,
+# you might want to consider enabling the following directives.
+#
+# To understand why this is important and even a better solution than using
+# something like `*.css?v231`, please see:
+# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
+
+location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
+  try_files $uri $1.$2;
+}

vendor/server-configs-nginx/h5bp/location/web_performance_svgz-compression.conf

@@ -0,0 +1,16 @@
+# ----------------------------------------------------------------------
+# | SVGZ Compression                                                   |
+# ----------------------------------------------------------------------
+
+# SVGZ files are already compressed.
+# Disable gzip function for `.svgz` files.
+
+location ~* \.svgz$ {
+    gzip off;
+    add_header Content-Encoding gzip;
+
+    include h5bp/security/x-content-type-options.conf;
+    include h5bp/security/content-security-policy.conf;
+    include h5bp/security/referrer-policy.conf;
+    include h5bp/cross-origin/requests.conf;
+}

vendor/server-configs-nginx/h5bp/media_types/character_encodings.conf

@@ -0,0 +1,32 @@
+# ----------------------------------------------------------------------
+# | Character encodings                                                |
+# ----------------------------------------------------------------------
+
+# Serve all resources labeled as `text/html` or `text/plain` with the media type
+# `charset` parameter set to `UTF-8`.
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
+
+charset utf-8;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Update charset_types to match updated mime.types.
+# `text/html` is always included by charset module.
+# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
+#
+# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
+
+charset_types
+    text/css
+    text/plain
+    text/vnd.wap.wml
+    text/javascript
+    text/markdown
+    text/calendar
+    text/x-component
+    text/vcard
+    text/cache-manifest
+    text/vtt
+    application/json
+    application/manifest+json;

vendor/server-configs-nginx/h5bp/media_types/media_types.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Media types                                                        |
+# ----------------------------------------------------------------------
+
+# Serve resources with the proper media types (f.k.a. MIME types).
+#
+# https://www.iana.org/assignments/media-types/media-types.xhtml
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
+
+include mime.types;
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Default: text/plain
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
+
+default_type application/octet-stream;

vendor/server-configs-nginx/h5bp/security/content-security-policy.conf

@@ -0,0 +1,27 @@
+# ----------------------------------------------------------------------
+# | Content Security Policy (CSP)                                      |
+# ----------------------------------------------------------------------
+
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a `Content Security Policy` which whitelists
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://csp.withgoogle.com/docs/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
+# https://www.w3.org/TR/CSP/
+
+add_header Content-Security-Policy $content_security_policy always;

vendor/server-configs-nginx/h5bp/security/referrer-policy.conf

@@ -0,0 +1,23 @@
+# ----------------------------------------------------------------------
+# | Referrer Policy                                                    |
+# ----------------------------------------------------------------------
+
+# Set a strict Referrer Policy to mitigate information leakage.
+#
+# (1) The `Referrer-Policy` header is included in responses for resources
+#     that are able to request (or navigate to) other resources.
+#
+#     This includes the commonly used resource types:
+#     HTML, CSS, XML/SVG, PDF documents, scripts and workers.
+#
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
+#
+# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+
+add_header Referrer-Policy $referrer_policy always;

vendor/server-configs-nginx/h5bp/security/server_software_information.conf

@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Server software information                                        |
+# ----------------------------------------------------------------------
+
+# Prevent Nginx from sending its version number in the "Server" response header.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
+
+server_tokens off;

vendor/server-configs-nginx/h5bp/security/strict-transport-security.conf

@@ -0,0 +1,38 @@
+# ----------------------------------------------------------------------
+# | HTTP Strict Transport Security (HSTS)                              |
+# ----------------------------------------------------------------------
+
+# Force client-side TLS (Transport Layer Security) redirection.
+#
+# If a user types `example.com` in their browser, even if the server redirects
+# them to the secure version of the website, that still leaves a window of
+# opportunity (the initial HTTP connection) for an attacker to downgrade or
+# redirect the request.
+#
+# The following header ensures that a browser only connects to your server
+# via HTTPS, regardless of what the users type in the browser's address bar.
+#
+# (!) Be aware that Strict Transport Security is not revokable and you
+#     must ensure being able to serve the site over HTTPS for the duration
+#     you've specified in the `max-age` directive. When you don't have a
+#     valid TLS connection anymore (e.g. due to an expired TLS certificate)
+#     your visitors will see a nasty error message even when attempting to
+#     connect over HTTP.
+#
+# (1) Preloading Strict Transport Security.
+#     To submit your site for HSTS preloading, it is required that:
+#     * the `includeSubDomains` directive is specified
+#     * the `preload` directive is specified
+#     * the `max-age` is specified with a value of at least 31536000 seconds
+#       (1 year).
+#     https://hstspreload.org/#deployment-recommendations
+#
+# https://tools.ietf.org/html/rfc6797#section-6.1
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
+# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
+# https://hstspreload.org/
+
+add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
+# (1) Enable your site for HSTS preload inclusion.
+# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

vendor/server-configs-nginx/h5bp/security/x-content-type-options.conf

@@ -0,0 +1,16 @@
+# ----------------------------------------------------------------------
+# | Content Type Options                                               |
+# ----------------------------------------------------------------------
+
+# Prevent some browsers from MIME-sniffing the response.
+#
+# This reduces exposure to drive-by download attacks and cross-origin data
+# leaks, and should be left uncommented, especially if the server is serving
+# user-uploaded content or content that could potentially be treated as
+# executable by the browser.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
+# https://mimesniff.spec.whatwg.org/
+
+add_header X-Content-Type-Options nosniff always;

vendor/server-configs-nginx/h5bp/security/x-frame-options.conf

@@ -0,0 +1,35 @@
+# ----------------------------------------------------------------------
+# | Frame Options                                                      |
+# ----------------------------------------------------------------------
+
+# Protect website against clickjacking.
+#
+# The example below sends the `X-Frame-Options` response header with the value
+# `DENY`, informing browsers not to display the content of the web page in any
+# frame.
+#
+# This might not be the best setting for everyone. You should read about the
+# other two possible values the `X-Frame-Options` header field can have:
+# `SAMEORIGIN` and `ALLOW-FROM`.
+# https://tools.ietf.org/html/rfc7034#section-2.1.
+#
+# Keep in mind that while you could send the `X-Frame-Options` header for all
+# of your website's pages, this has the potential downside that it forbids even
+# non-malicious framing of your content (e.g.: when users visit your website
+# using a Google Image Search results page).
+#
+# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+# all pages that allow a user to make a state-changing operation (e.g: pages
+# that contain one-click purchase links, checkout or bank-transfer confirmation
+# pages, pages that make permanent configuration changes, etc.).
+#
+# Sending the `X-Frame-Options` header can also protect your website against
+# more than just clickjacking attacks.
+# https://cure53.de/xfo-clickjacking.pdf.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+# https://tools.ietf.org/html/rfc7034
+# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
+# https://www.owasp.org/index.php/Clickjacking
+
+add_header X-Frame-Options $x_frame_options always;

vendor/server-configs-nginx/h5bp/security/x-xss-protection.conf

@@ -0,0 +1,38 @@
+# ----------------------------------------------------------------------
+# | Cross-Site Scripting (XSS) Protection                              |
+# ----------------------------------------------------------------------
+
+# Protect website reflected Cross-Site Scripting (XSS) attacks.
+#
+# (1) Try to re-enable the cross-site scripting (XSS) filter built into most
+#     web browsers.
+#
+#     The filter is usually enabled by default, but in some cases, it may be
+#     disabled by the user. However, in Internet Explorer, for example, it can be
+#     re-enabled just by sending the  `X-XSS-Protection` header with the value
+#     of `1`.
+#
+# (2) Prevent web browsers from rendering the web page if a potential reflected
+#     (a.k.a non-persistent) XSS attack is detected by the filter.
+#
+#     By default, if the filter is enabled and browsers detect a reflected XSS
+#     attack, they will attempt to block the attack by making the smallest
+#     possible modifications to the returned web page.
+#
+#     Unfortunately, in some browsers (e.g.: Internet Explorer), this default
+#     behavior may allow the XSS filter to be exploited. Therefore, it's better
+#     to inform browsers to prevent the rendering of the page altogether,
+#     instead of attempting to modify it.
+#
+#     https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
+#
+# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
+#     taking all possible measures to prevent XSS attacks, the most obvious
+#     being: validating and sanitizing your website's inputs.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
+# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
+# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
+
+add_header X-XSS-Protection $x_xss_protection always;