One feature suggestion: it'd be cool if the scanner could check for proper caching headers / gzip compression that should originate from the web server (and to show gzip bundle size).
MigrateToFlarum Lab, the health scanner for Flarum
Omg i have a D on flarum.it
- Edited
Justoverclock it's mostly due to improper server configuration 
I can also access your composer.json which you shouldn't allow public access to.
- Edited
Darkle composer.json can only be exposed if you don't use the included public folder. Our official documentation shows which lines need to be uncommented to enable additional rules for those https://docs.flarum.org/install.html#customizing-paths
clarkwinkelmann Of course! I hadn't thought about it, it's too obvious that I'm like a zombie when installing... 
- Edited
@clarkwinkelmann my htaccess is uncommented, why I have this issues?
Justoverclock if you are using Apache, check that htaccess files and mod rewrite are enabled.
If you are using Nginx, there are commented lines in the included nginx config. If you're using a different webserver, you need to write your own blacklist.
clarkwinkelmann i have sitegroud (supposed to be Apache as web server and Nginx as reverse proxy). i have uncommended line on nginx config and uncommented line on htaccess....
Justoverclock I'd suggest trying to contact your hosting support, this is something they should be able to figure out easily.
All my tool can do is tell what it can access when it shouldn't
- Edited
clarkwinkelmann i'm with support right now....
anyway i have this:
https://www.siteground.com/blog/nginx-direct-delivery/
edit: they told me that mod rewrite is enabled....
thats my htaccess:
<IfModule mod_rewrite.c>
RewriteEngine on
# Ensure the Authorization HTTP header is available to PHP
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Uncomment the following lines if you are not using a `public` directory
# to prevent sensitive resources from being exposed.
RewriteRule /\.git / [F,L]
RewriteRule ^auth\.json$ / [F,L]
RewriteRule ^composer\.(lock|json)$ / [F,L]
RewriteRule ^config.php$ / [F,L]
RewriteRule ^flarum$ / [F,L]
RewriteRule ^storage/(.*)?$ / [F,L]
RewriteRule ^vendor/(.*)?$ / [F,L]
# Pass requests that don't refer directly to files in the filesystem to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
</IfModule>
# Disable directory listings
Options -Indexes
# MultiViews can mess up our rewriting scheme
Options -MultiViews
# The following directives are based on best practices from H5BP Apache Server Configs
# https://github.com/h5bp/server-configs-apache
# Expire rules for static content
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/atom+xml "access plus 1 hour"
ExpiresByType application/rdf+xml "access plus 1 hour"
ExpiresByType application/rss+xml "access plus 1 hour"
ExpiresByType application/json "access plus 0 seconds"
ExpiresByType application/ld+json "access plus 0 seconds"
ExpiresByType application/schema+json "access plus 0 seconds"
ExpiresByType application/vnd.geo+json "access plus 0 seconds"
ExpiresByType application/vnd.api+json "access plus 0 seconds"
ExpiresByType application/xml "access plus 0 seconds"
ExpiresByType text/calendar "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType image/vnd.microsoft.icon "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
ExpiresByType text/html "access plus 0 seconds"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType application/x-javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType application/manifest+json "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
ExpiresByType text/cache-manifest "access plus 0 seconds"
ExpiresByType text/markdown "access plus 0 seconds"
ExpiresByType audio/ogg "access plus 1 month"
ExpiresByType image/bmp "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"
ExpiresByType video/mp4 "access plus 1 month"
ExpiresByType video/ogg "access plus 1 month"
ExpiresByType video/webm "access plus 1 month"
ExpiresByType application/wasm "access plus 1 year"
ExpiresByType font/collection "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
ExpiresByType font/eot "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType font/otf "access plus 1 month"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/ttf "access plus 1 month"
ExpiresByType application/font-woff "access plus 1 month"
ExpiresByType application/x-font-woff "access plus 1 month"
ExpiresByType font/woff "access plus 1 month"
ExpiresByType application/font-woff2 "access plus 1 month"
ExpiresByType font/woff2 "access plus 1 month"
ExpiresByType text/x-cross-domain-policy "access plus 1 week"
</IfModule>
# Gzip compression
<IfModule mod_deflate.c>
<IfModule mod_filter.c>
AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/wasm" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/collection" \
"font/eot" \
"font/opentype" \
"font/otf" \
"font/ttf" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/calendar" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/markdown" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component" \
"text/x-cross-domain-policy" \
"text/xml"
</IfModule>
</IfModule>
# Fix for https://httpoxy.org vulnerability
<IfModule mod_headers.c>
RequestHeader unset Proxy
</IfModule>Justoverclock my unscientific method to troubleshooting htaccess files is to just write garbage in the <IfModule mod_rewrite.c> block. If the website returns a 500 error, it means the htaccess and rewrite mod are working. If the website doesn't crash, it means Apache is ignoring the file.
- Edited
we are into it with @[deleted] (precious help for me)
[deleted]
Justoverclock I've worked out why the rewrites aren't working. Siteground listens with NGINX, then passes back to Apache for processing. It most cases, the nginx.conf and .htaccess should do all of the work, but they are being IGNORED ! I have proven this by renaming both files, and the site still functioned even after clearing the cache 
As a workaround, I have had to configure URL security which seems to work. The grade is now capped at C, but by the time I'm done, it should be at least A
after @[deleted] tweak, now we have an A+ 
[deleted]
Here's the new result of the Flarum Lab scan
https://lab.migratetoflarum.com/scans/5d453d52-1c59-4b1e-b77c-dc3421cb2a7a
Following askvortsov suggestion, I implemented gzip support and reporting to the Lab.
This means the Lab will now accept gzip for all requests, which can potentially speed up the scan for websites hosted on slower connections or on the other side of the globe (all requests are made from a DigitalOcean Droplet in Germany).
The Lab will also show show whether gzip is supported in the "Assets size" box and how much bandwidth you are saving.
If the server doesn't support gzip, a message will appear in the same box with recommendations on how to enable it.
12 days later
The Lab has been experiencing technical issues these last few days. Not sure why yet, but it's constantly running out of memory. Might be too popular!
I'll try to move it to a new server in the coming days, so don't worry if you see it offline for a while. I'm keeping it online for now but if it gets too unstable I'll switch it to maintenance mode.
5 days later
- Edited
About this (image), I have uncommented in my nginx.conf gzip: on; the message still appears and the size of the files is the same, should I do something else? I've done some research and I can't find anything regarding file compression.
