Is there any way to reduce unused CSSs & Javascripts?

sbpt

My pagespeed score is very poor and also someone it takes long to load the forum. I'm using Hostinger Hosting & Cloudflare

Any opportunities to increase the site speed? And also Is there any way to reduce unused CSSs & Javascripts?

clarkwinkelmann

sbpt are you using many extensions?

Flarum by itself is already stripped of most features so it's difficult to make its javascript and CSS much smaller. But each extension adds a little bit and it can add up to a lot with many extensions.

The Lab can show you a breakdown of what is using space in your CSS and javascript, broken down by extension.

Also make sure you have gzip enabled on your server, this speeds up page load considerably. The Lab will also show whether this is already enabled or not.

sbpt

clarkwinkelmann I will try it soon and will inform you in a week. Thank you

sbpt

clarkwinkelmann

I tried the lab, but what htaccess rules should i use to fix these

clarkwinkelmann gzip
ya it's enabled

Hari

sbpt try this https://discuss.flarum.org/d/28164-configure-cloudflare-for-flarum-speed-and-security

sbpt

Hari I tried it,

it's kinda satisfactory in desktop devices, but still worst in mobile phones

Valeyard

sbpt I tried the lab, but what htaccess rules should i use to fix these

You just have to uncomment the line 9-15 in the supplied file:

01    <IfModule mod_rewrite.c>
02      RewriteEngine on
03    
04      # Ensure the Authorization HTTP header is available to PHP
05      RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
06    
07      # Uncomment the following lines if you are not using a `public` directory
08      # to prevent sensitive resources from being exposed.
09      # RewriteRule /\.git / [F,L]
10      # RewriteRule ^auth\.json$ / [F,L]
11      # RewriteRule ^composer\.(lock|json)$ / [F,L]
12      # RewriteRule ^config.php$ / [F,L]
13      # RewriteRule ^flarum$ / [F,L]
14      # RewriteRule ^storage/(.*)?$ / [F,L]
15      # RewriteRule ^vendor/(.*)?$ / [F,L]
16    
17      # Pass requests that don't refer directly to files in the filesystem to index.php
18      RewriteCond %{REQUEST_FILENAME} !-f
19      RewriteCond %{REQUEST_FILENAME} !-d
20      RewriteRule ^ index.php [QSA,L]
21    </IfModule>

config.php executes, so the sensitive data is inaccessible anyway (unless PHP isn't running) the rule is just to be extra cautious in case the server fails to load it as a PHP file.

sbpt

Valeyard
It workss, thankss!
Now my rating is A+ 🙂

girefko

sbpt How did you manage to get it to A+? Mine is at A

"HSTS Not found. HSTS headers prevent traffic from being downgraded to HTTP"

Valeyard

sbpt It workss, thankss!
Now my rating is A+ 🙂

To be honest with you the default behaviour should be the reverse with the line at the top saying to comment out/remove the rewrite rules if you're using the /public folder. A security audit would almost certainly concur with that finding.

I'm glad you got it set up though!

sbpt

girefko How did you manage to get it to A+?
Yes

mys

girefko HSTS Not found. HSTS headers prevent traffic from being downgraded to HTTP

HSTS tells browsers to force HTTPS even when accessing non-secure URLS on a given hostname. The HSTS header is cached by the browser over a duration specified in the response header.

How to enable HSTS?

For cloudlare users:

Go to SSL/TLS > Edge Certificates. For HTTP Strict Transport Security (HSTS), click Enable HSTS. Set the Max Age Header to 0 (Disable).

For Normal Hosting Users:

HSTS is found in different locations, in different web hosting services. Hopefully, this option may be available under SSL & TLS secrion

girefko

mys Thank you!

I was able to add this to .htaccess file:

Header set Strict-Transport-Security "max-age=31536000" env=HTTPS

girefko

girefko Update:

What worked best is this:

<if "%{HTTPS} == 'on'">
  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
</if>