Improving the developer experience with configurations for Apache and IIS

NellieTheNarwhal, published in webhint, Jan 25, 2018

Update: sonarwhal has been renamed to webhint. Check the announcement to see what else has changed.

One piece of feedback we’ve received from developers is that configuring web servers is difficult, and it’s especially difficult when targeting only certain resources, or dealing with newer things such as Brotli compression where there isn’t much information available yet on how to do it.

Since helping and educating developers is among sonarwhal’s top priorities, we decided it would be best if we help with this problem by providing examples on how to best configure web servers.

Nellie studying web server configurations

So, during these last few days, we’ve been researching what is possible with Apache and IIS (we don’t have examples for NGINX yet, but you can help!). In the process, we updated not only the documentation of the rules but also some of the rules themselves.

For example, we discovered that in Apache the Server header cannot be removed (unless an external module is installed). Also, many CDNs use this header to identify the location from which the asset was served, so we decided to update the “Disallow certain HTTP headers” rule to allow the Server header by default, but limit the information it contains to only the server name.
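A sketch of the check this paragraph describes, as an added example that is not webhint's own rule code: it flags disallowed headers and accepts a `Server` header only when it carries just the server name. The disallowed-header list, the reading of "only the server name" as a single product token, and the sample responses are assumptions made for illustration.

```javascript
// Added example, not webhint's code. This list is an illustrative assumption,
// not the rule's actual default list.
const DISALLOWED = ['x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version', 'x-runtime', 'x-version'];

// Assumption: "only the server name" means one product token with no
// "/version" part and no "(comment)" such as the OS or distribution.
function serverHeaderIssues(value) {
    const trimmed = value.trim();
    const issues = [];
    if (/\/\S/.test(trimmed)) issues.push('includes a version number');
    if (/\([^)]*\)/.test(trimmed)) issues.push('includes a comment (for example the OS)');
    const products = trimmed.replace(/\([^)]*\)/g, ' ').trim().split(/\s+/);
    if (products.length > 1) issues.push('lists more than one product');
    return issues;
}

// headers: plain object of response header name -> value (names case-insensitive).
function checkHeaders(headers) {
    const findings = [];
    for (const [name, value] of Object.entries(headers)) {
        const lower = name.toLowerCase();
        if (DISALLOWED.includes(lower)) {
            findings.push({ header: lower, reason: 'disallowed header present' });
        } else if (lower === 'server') {
            for (const reason of serverHeaderIssues(String(value))) {
                findings.push({ header: lower, reason });
            }
        }
    }
    return findings;
}

// Constructed sample responses (not captured from real servers).
const samples = {
    // Typical verbose banner plus a framework header.
    apacheDefault: { 'Server': 'Apache/2.4.29 (Ubuntu) OpenSSL/1.1.0g', 'X-Powered-By': 'PHP/7.2.0' },
    // What Apache sends with "ServerTokens Prod": the header stays, name only.
    apacheProd: { 'Server': 'Apache', 'Content-Type': 'text/html' },
    iisDefault: { 'Server': 'Microsoft-IIS/10.0', 'X-AspNet-Version': '4.0.30319', 'X-Powered-By': 'ASP.NET' },
    // CDN that identifies itself by name only.
    cdn: { 'Server': 'cloudflare' }
};

for (const [label, headers] of Object.entries(samples)) {
    console.log(label, checkHeaders(headers));
}
```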

In terms of documentation, as previously specified, we updated the documentation for all rules that test for things that require web servers to be configured in a certain way, namely we updated:

Among the updates you can find some interesting pieces such as how to enable the web server to serve resources compressed with Brotli and Zopfli. As usual, there are many ways of solving the problem. What we propose is what we believe are the best options without installing anything (although you might need to adapt them to your specific scenario).

If you find something that is missing or have better alternatives, please share them with us on GitHub.

Cătălin Mariș & Antón Molleda
