From 7d5e28470e825c2dc6e9d8967973406fb500a8a1 Mon Sep 17 00:00:00 2001 From: Keegan Rankin Date: Fri, 23 Feb 2024 13:00:13 -0800 Subject: [PATCH] Apply automatic drupal scaffolding updates --- web/.ht.router.php | 2 +- web/.htaccess | 19 +++++++++---------- web/robots.txt | 10 +++++++++- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/web/.ht.router.php b/web/.ht.router.php index 2c8a6f6..b5884ef 100644 --- a/web/.ht.router.php +++ b/web/.ht.router.php @@ -39,7 +39,7 @@ if (file_exists(__DIR__ . $url['path'])) { // Work around the PHP bug. $path = $url['path']; $script = 'index.php'; -if (strpos($path, '.php') !== FALSE) { +if (str_contains($path, '.php')) { // Work backwards through the path to check if a script exists. Otherwise // fallback to index.php. do { diff --git a/web/.htaccess b/web/.htaccess index 1575c51..4031da4 100644 --- a/web/.htaccess +++ b/web/.htaccess @@ -26,13 +26,6 @@ AddEncoding gzip svgz # sites/default/default.settings.php and # Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be # changed at runtime. - -# PHP 7, Apache 1 and 2. - - php_value assert.active 0 - - -# PHP 8, Apache 1 and 2. php_value assert.active 0 @@ -42,8 +35,8 @@ AddEncoding gzip svgz # Enable expirations. ExpiresActive On - # Cache all files and redirects for 2 weeks after access (A). - ExpiresDefault A1209600 + # Cache all files for 1 year after access. + ExpiresDefault "access plus 1 year" # Do not allow PHP scripts to be cached unless they explicitly send cache 
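Review bot: `str_contains()` in the changed condition of `web/.ht.router.php` exists only in PHP 8.0 and later, so on an older interpreter the router would stop with an undefined-function error instead of falling back to `index.php`. The same commit removes the PHP 7 block from `.htaccess`, so the scaffold now assumes PHP 8 throughout. It is worth confirming that the project's declared PHP requirement (the `php` constraint in `composer.json`, not shown here) matches, so a deployment to an older runtime is rejected at install time rather than at request time. The `do { ... }` loop this condition guards continues outside the hunk, so the script resolution itself cannot be reviewed from these lines.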
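Review bot: The new `ExpiresDefault "access plus 1 year"` in `web/.htaccess` raises the default freshness lifetime from two weeks to one year, and the rewritten comment drops "and redirects" although the directive is otherwise the same. With a year-long lifetime, a file replaced under the same URL (a patched script, an overwritten upload) can keep being served from browser and proxy caches long after the fix. This is only safe where URLs change when content changes, which should be confirmed for anything served from this docroot whose URLs are not versioned. I would keep the scope explicit in the comment, for example `# Cache all files for 1 year after access unless a more specific rule applies.` The surrounding expiry configuration continues outside the hunk.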
@@ -180,7 +173,13 @@ AddEncoding gzip svgz # Various header fixes. - # Disable content sniffing, since it's an attack vector. + # Disable content sniffing for all responses, since it's an attack vector. + # This header is also set in FinishResponseSubscriber, which depending on + # Apache configuration might get placed in the 'onsuccess' table. To prevent + # header duplication, unset that one prior to setting in the 'always' table. + # See "To circumvent this limitation..." in + # https://httpd.apache.org/docs/current/mod/mod_headers.html. + Header onsuccess unset X-Content-Type-Options Header always set X-Content-Type-Options nosniff # Disable Proxy header, since it's an attack vector. RequestHeader unset Proxy diff --git a/web/robots.txt b/web/robots.txt index ebcd04b..3ad8e2e 100644 --- a/web/robots.txt +++ b/web/robots.txt @@ -37,7 +37,15 @@ Allow: /profiles/*.svg Disallow: /core/ Disallow: /profiles/ # Files -Disallow: /README.txt +Disallow: /README.md +Disallow: /composer/Metapackage/README.txt +Disallow: /composer/Plugin/ProjectMessage/README.md +Disallow: /composer/Plugin/Scaffold/README.md +Disallow: /composer/Plugin/VendorHardening/README.txt +Disallow: /composer/Template/README.txt +Disallow: /modules/README.txt +Disallow: /sites/README.txt +Disallow: /themes/README.txt Disallow: /web.config # Paths (clean URLs) Disallow: /admin/
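Review bot: The added `Disallow:` lines for README files in `web/robots.txt` only ask well-behaved crawlers not to index them; they do not restrict access, and they publish the exact paths to anyone who reads the file. If the aim is to stop these files from disclosing what is installed, they should be denied at the web server or kept out of the docroot, with robots.txt as a secondary measure only. It is also worth checking that paths such as `/composer/Plugin/Scaffold/README.md` actually exist under `web/` in this project; if they do not, the entries are harmless but add nothing.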