diff --git a/CHANGELOG.md b/CHANGELOG.md
index 86914f8a..cc10fefc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,33 @@
+### 4.0.0 (April 14, 2020)
+
+* 🎉 Server-level config! Support httpd configuration at main server level.
+  Add `httpd.conf` file, vhost management, secure HTTP tweaking, etc. See the [README](https://github.com/h5bp/server-configs-apache)
+  [[b50205a...c302596](https://github.com/h5bp/server-configs-apache/compare/df7857d...c302596)]
+* ⚠️ **Breaking**: End of support for Apache httpd version 2.4.9 and below
+  [[baa9cdd](https://github.com/h5bp/server-configs-apache/commit/baa9cdd5567b25d9434b06937a436ceccadb6b4c)]
+* ⚠️ **Breaking**: File paths changes for the `.htaccess` build system
+  [[478ceab](https://github.com/h5bp/server-configs-apache/commit/478ceab3a28786856a1ffcdf6a943ee43907caf0)]
+  [[9cb2763](https://github.com/h5bp/server-configs-apache/commit/9cb2763d7f5e3fce984bfdea903e9df61cdf4bcd)]
+* Rewrite, improve and update a large part of the documentation
+  [[5dc823c](https://github.com/h5bp/server-configs-apache/commit/5dc823c18e4a0ee163c2ee3b772060bce7d782e6)]
+  [[5748d26](https://github.com/h5bp/server-configs-apache/commit/5748d26258394005b4d6dbb2f8474b58ed276e95)]
+  [[d8553ee](https://github.com/h5bp/server-configs-apache/commit/d8553ee58f307419d9ec39ab8c60fc6a6e1135cb)]
+  [[6862ac1](https://github.com/h5bp/server-configs-apache/commit/6862ac17ed60042c4eb47b56c8da055e99ad4dac)]
+  [[ade3659](https://github.com/h5bp/server-configs-apache/commit/ade3659f49b5e23c93695b6888f92bfda3b3f2ed)]
+* Default to HSTS only over secure connections
+  [[5bbc0a1](https://github.com/h5bp/server-configs-apache/commit/5bbc0a1ded8b306ca900338136a50d17eb304b94)]
+* Stricter default for Referrer Policy `strict-origin-when-cross-origin`
+  [[43bcb83](https://github.com/h5bp/server-configs-apache/commit/43bcb833eb0539800e0d3e8a19ad3ef1d6944592)]
+* Add APNG (`.apng`) MIME type
+  [[ad25d31](https://github.com/h5bp/server-configs-apache/commit/ad25d3185fb28971a83e8c721567d7ce08b76f38)]
+* Ensure the presence of security headings where expected
+  [[d656422](https://github.com/h5bp/server-configs-apache/commit/d65642225cf080c15ace94816bed9f15080471b1)]
+  [[43bcb83](https://github.com/h5bp/server-configs-apache/commit/43bcb833eb0539800e0d3e8a19ad3ef1d6944592)]
+  [[d84d94c](https://github.com/h5bp/server-configs-apache/commit/d84d94c7e1e3e647a6ff3b0d29a780481a0638d8)]
+* Make disabling TRACE method usable in a `.htaccess` file
+  [[9ae931c](https://github.com/h5bp/server-configs-apache/commit/9ae931cfe5bc4fe8af0fca21094ad93d4437cfaa)]
+* Improve inline comments.
+
 ### 3.2.1 (May 8, 2019)
 
 * Fix npm releasing
diff --git a/dist/.htaccess b/dist/.htaccess
index cf054042..96b17a31 100644
--- a/dist/.htaccess
+++ b/dist/.htaccess
@@ -1,4 +1,4 @@
-# Apache Server Configs v3.2.1 | MIT License
+# Apache Server Configs v4.0.0 | MIT License
 # https://github.com/h5bp/server-configs-apache
 
 # (!) Using `.htaccess` files slows down Apache, therefore, if you have
@@ -21,6 +21,13 @@
 # https://enable-cors.org/
 # https://www.w3.org/TR/cors/
 
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#     Instead of using this file, consider using a specific rule such as
+#     allowing access based on (sub)domain:
+#
+#         Header set Access-Control-Allow-Origin "subdomain.example.com"
+
 # <IfModule mod_headers.c>
 #     Header set Access-Control-Allow-Origin "*"
 # </IfModule>
@@ -36,7 +43,7 @@
 
 <IfModule mod_setenvif.c>
     <IfModule mod_headers.c>
-        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
+        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|a?png|svgz?|webp)$">
             SetEnvIf Origin ":" IS_CORS
             Header set Access-Control-Allow-Origin "*" env=IS_CORS
         </FilesMatch>
@@ -63,10 +70,9 @@
 
 # Allow cross-origin access to the timing information for all resources.
 #
-# If a resource isn't served with a `Timing-Allow-Origin` header that
-# would allow its timing information to be shared with the document,
-# some of the attributes of the `PerformanceResourceTiming` object will
-# be set to zero.
+# If a resource isn't served with a `Timing-Allow-Origin` header that would
+# allow its timing information to be shared with the document, some of the
+# attributes of the `PerformanceResourceTiming` object will be set to zero.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
 # https://www.w3.org/TR/resource-timing/
@@ -96,8 +102,8 @@
 
 # Disable the pattern matching based on filenames.
 #
-# This setting prevents Apache from returning a 404 error as the result
-# of a rewrite when the directory with the same name does not exist.
+# This setting prevents Apache from returning a 404 error as the result of a
+# rewrite when the directory with the same name does not exist.
 #
 # https://httpd.apache.org/docs/current/content-negotiation.html#multiviews
 
@@ -117,16 +123,16 @@ Options -MultiViews
 # https://hsivonen.fi/doctype/#ie8
 #
 # (!) Starting with Internet Explorer 11, document modes are deprecated.
-# If your business still relies on older web apps and services that were
-# designed for older versions of Internet Explorer, you might want to
-# consider enabling `Enterprise Mode` throughout your company.
+#     If your business still relies on older web apps and services that were
+#     designed for older versions of Internet Explorer, you might want to
+#     consider enabling `Enterprise Mode` throughout your company.
 #
 # https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
 # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
 # https://msdn.microsoft.com/en-us/library/ff955275.aspx
 
 <IfModule mod_headers.c>
-    Header set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+    Header always set X-UA-Compatible "IE=edge" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 </IfModule>
 
 # ######################################################################
@@ -182,8 +188,8 @@ Options -MultiViews
     AddType video/webm                                  webm
     AddType video/x-flv                                 flv
 
-    # Serving `.ico` image files with a different media type
-    # prevents Internet Explorer from displaying them as images:
+    # Serving `.ico` image files with a different media type prevents
+    # Internet Explorer from displaying them as images:
     # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
 
     AddType image/x-icon                                cur ico
@@ -224,8 +230,8 @@ Options -MultiViews
 # | Character encodings                                                |
 # ----------------------------------------------------------------------
 
-# Serve all resources labeled as `text/html` or `text/plain`
-# with the media type `charset` parameter set to `UTF-8`.
+# Serve all resources labeled as `text/html` or `text/plain` with the media type
+# `charset` parameter set to `UTF-8`.
 #
 # https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset
 
@@ -233,8 +239,8 @@ AddDefaultCharset utf-8
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-# Serve the following file types with the media type `charset`
-# parameter set to `UTF-8`.
+# Serve the following file types with the media type `charset` parameter set to
+# `UTF-8`.
 #
 # https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
 
@@ -267,8 +273,8 @@ AddDefaultCharset utf-8
 # | Rewrite engine                                                     |
 # ----------------------------------------------------------------------
 
-# (1) Turn on the rewrite engine (this is necessary in order for
-#     the `RewriteRule` directives to work).
+# (1) Turn on the rewrite engine (this is necessary in order for the
+#     `RewriteRule` directives to work).
 #
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#RewriteEngine
 #
@@ -276,10 +282,10 @@ AddDefaultCharset utf-8
 #
 #     https://httpd.apache.org/docs/current/mod/core.html#options
 #
-# (3) If your web host doesn't allow the `FollowSymlinks` option,
-#     you need to comment it out or remove it, and then uncomment
-#     the `Options +SymLinksIfOwnerMatch` line (4), but be aware
-#     of the performance impact.
+# (3) If your web host doesn't allow the `FollowSymlinks` option, you need to
+#     comment it out or remove it, and then uncomment the
+#     `Options +SymLinksIfOwnerMatch` line (4), but be aware of the performance
+#     impact.
 #
 #     https://httpd.apache.org/docs/current/misc/perf-tuning.html#symlinks
 #
@@ -288,14 +294,10 @@ AddDefaultCharset utf-8
 #     https://www.rackspace.com/knowledge_center/frequently-asked-question/why-is-modrewrite-not-working-on-my-site
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewritebase
 #
-# (5) Depending on how your server is set up, you may also need to
-#     use the `RewriteOptions` directive to enable some options for
-#     the rewrite engine.
+# (5) Depending on how your server is set up, you may also need to use the
+#     `RewriteOptions` directive to enable some options for the rewrite engine.
 #
 #     https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions
-#
-# (6) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
-#     appropriate schema automatically (http or https).
 
 <IfModule mod_rewrite.c>
 
@@ -314,12 +316,6 @@ AddDefaultCharset utf-8
     # (5)
     # RewriteOptions <options>
 
-    # (6)
-    RewriteCond %{HTTPS} =on
-    RewriteRule ^ - [env=proto:https]
-    RewriteCond %{HTTPS} !=on
-    RewriteRule ^ - [env=proto:http]
-
 </IfModule>
 
 # ----------------------------------------------------------------------
@@ -330,10 +326,9 @@ AddDefaultCharset utf-8
 #
 # https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
 
-# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot
-#     method it will fail to validate the certificate if validation
-#     requests are redirected to HTTPS. Turn on the condition(s)
-#     you need.
+# (1) If you're using cPanel AutoSSL or the Let's Encrypt webroot method it
+#     will fail to validate the certificate if validation requests are
+#     redirected to HTTPS. Turn on the condition(s) you need.
 #
 #     https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml
 #     https://tools.ietf.org/html/draft-ietf-acme-acme-12
@@ -354,27 +349,39 @@ AddDefaultCharset utf-8
 
 # Rewrite www.example.com → example.com
 
-# The same content should never be available under two different
-# URLs, especially not with and without `www.` at the beginning.
-# This can cause SEO problems (duplicate content), and therefore,
-# you should choose one of the alternatives and redirect the other
-# one.
+# The same content should never be available under two different URLs,
+# especially not with and without `www.` at the beginning.
+# This can cause SEO problems (duplicate content), and therefore, you should
+# choose one of the alternatives and redirect the other one.
 #
 # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
 
-# (1) The rule assumes by default that both HTTP and HTTPS
-#     environments are available for redirection.
-#     If your SSL certificate could not handle one of the domains
-#     used during redirection, you should turn the condition on.
+# (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
+#     appropriate schema automatically (http or https).
+#
+# (2) The rule assumes by default that both HTTP and HTTPS environments are
+#     available for redirection.
+#     If your SSL certificate could not handle one of the domains used during
+#     redirection, you should turn the condition on.
 #
 #     https://github.com/h5bp/server-configs-apache/issues/52
 
 <IfModule mod_rewrite.c>
+
     RewriteEngine On
+
     # (1)
+    RewriteCond %{HTTPS} =on
+    RewriteRule ^ - [E=PROTO:https]
+    RewriteCond %{HTTPS} !=on
+    RewriteRule ^ - [E=PROTO:http]
+
+    # (2)
     # RewriteCond %{HTTPS} !=on
+
     RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
     RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
+
 </IfModule>
 
 # ----------------------------------------------------------------------
@@ -383,18 +390,20 @@ AddDefaultCharset utf-8
 
 # Rewrite example.com → www.example.com
 
-# The same content should never be available under two different
-# URLs, especially not with and without `www.` at the beginning.
-# This can cause SEO problems (duplicate content), and therefore,
-# you should choose one of the alternatives and redirect the other
-# one.
+# The same content should never be available under two different URLs,
+# especially not with and without `www.` at the beginning.
+# This can cause SEO problems (duplicate content), and therefore, you should
+# choose one of the alternatives and redirect the other one.
 #
 # (!) NEVER USE BOTH WWW-RELATED RULES AT THE SAME TIME!
 
-# (1) The rule assumes by default that both HTTP and HTTPS
-#     environments are available for redirection.
-#     If your SSL certificate could not handle one of the domains
-#     used during redirection, you should turn the condition on.
+# (1) Set %{ENV:PROTO} variable, to allow rewrites to redirect with the
+#     appropriate schema automatically (http or https).
+#
+# (2) The rule assumes by default that both HTTP and HTTPS environments are
+#     available for redirection.
+#     If your SSL certificate could not handle one of the domains used during
+#     redirection, you should turn the condition on.
 #
 #     https://github.com/h5bp/server-configs-apache/issues/52
 
@@ -402,13 +411,23 @@ AddDefaultCharset utf-8
 # subdomains for certain parts of your website.
 
 # <IfModule mod_rewrite.c>
+
 #     RewriteEngine On
+
 #     # (1)
+#     RewriteCond %{HTTPS} =on
+#     RewriteRule ^ - [E=PROTO:https]
+#     RewriteCond %{HTTPS} !=on
+#     RewriteRule ^ - [E=PROTO:http]
+
+#     # (2)
 #     # RewriteCond %{HTTPS} !=on
+
 #     RewriteCond %{HTTP_HOST} !^www\. [NC]
 #     RewriteCond %{SERVER_ADDR} !=127.0.0.1
 #     RewriteCond %{SERVER_ADDR} !=::1
 #     RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+
 # </IfModule>
 
 # ######################################################################
@@ -416,33 +435,32 @@ AddDefaultCharset utf-8
 # ######################################################################
 
 # ----------------------------------------------------------------------
-# | Clickjacking                                                       |
+# | Frame Options                                                      |
 # ----------------------------------------------------------------------
 
 # Protect website against clickjacking.
 #
-# The example below sends the `X-Frame-Options` response header with
-# the value `DENY`, informing browsers not to display the content of
-# the web page in any frame.
+# The example below sends the `X-Frame-Options` response header with the value
+# `DENY`, informing browsers not to display the content of the web page in any
+# frame.
 #
-# This might not be the best setting for everyone. You should read
-# about the other two possible values the `X-Frame-Options` header
-# field can have: `SAMEORIGIN` and `ALLOW-FROM`.
+# This might not be the best setting for everyone. You should read about the
+# other two possible values the `X-Frame-Options` header field can have:
+# `SAMEORIGIN` and `ALLOW-FROM`.
 # https://tools.ietf.org/html/rfc7034#section-2.1.
 #
-# Keep in mind that while you could send the `X-Frame-Options` header
-# for all of your website’s pages, this has the potential downside that
-# it forbids even non-malicious framing of your content (e.g.: when
-# users visit your website using a Google Image Search results page).
+# Keep in mind that while you could send the `X-Frame-Options` header for all
+# of your website’s pages, this has the potential downside that it forbids even
+# non-malicious framing of your content (e.g.: when users visit your website
+# using a Google Image Search results page).
 #
-# Nonetheless, you should ensure that you send the `X-Frame-Options`
-# header for all pages that allow a user to make a state changing
-# operation (e.g: pages that contain one-click purchase links, checkout
-# or bank-transfer confirmation pages, pages that make permanent
-# configuration changes, etc.).
+# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
+# all pages that allow a user to make a state-changing operation (e.g: pages
+# that contain one-click purchase links, checkout or bank-transfer confirmation
+# pages, pages that make permanent configuration changes, etc.).
 #
-# Sending the `X-Frame-Options` header can also protect your website
-# against more than just clickjacking attacks:
+# Sending the `X-Frame-Options` header can also protect your website against
+# more than just clickjacking attacks.
 # https://cure53.de/xfo-clickjacking.pdf.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
@@ -451,7 +469,7 @@ AddDefaultCharset utf-8
 # https://www.owasp.org/index.php/Clickjacking
 
 # <IfModule mod_headers.c>
-#     Header set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+#     Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 # </IfModule>
 
 # ----------------------------------------------------------------------
@@ -461,54 +479,60 @@ AddDefaultCharset utf-8
 # Mitigate the risk of cross-site scripting and other content-injection
 # attacks.
 #
-# This can be done by setting a `Content Security Policy` which
-# whitelists trusted sources of content for your website.
+# This can be done by setting a `Content Security Policy` which whitelists
+# trusted sources of content for your website.
 #
-# There is no policy that fits all websites, you will have to modify
-# the `Content-Security-Policy` directives in the example below depending
-# on your needs.
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
 #
 # The example policy below aims to:
 #
-#  (1) Restrict all fetches by default to the origin of the current website
-#      by setting the `default-src` directive to `'self'` - which acts as a
+#  (1) Restrict all fetches by default to the origin of the current website by
+#      setting the `default-src` directive to `'self'` - which acts as a
 #      fallback to all "Fetch directives" (https://developer.mozilla.org/en-US/docs/Glossary/Fetch_directive).
 #
 #      This is convenient as you do not have to specify all Fetch directives
 #      that apply to your site, for example:
 #      `connect-src 'self'; font-src 'self'; script-src 'self'; style-src 'self'`, etc.
 #
-#      This restriction also means that you must explicitly define from
-#      which site(s) your website is allowed to load resources from.
+#      This restriction also means that you must explicitly define from which
+#      site(s) your website is allowed to load resources from.
 #
-#  (2) The `<base>` element is not allowed on the website. This is to
-#      prevent attackers from changing the locations of resources loaded
-#      from relative URLs.
+#  (2) The `<base>` element is not allowed on the website. This is to prevent
+#      attackers from changing the locations of resources loaded from relative
+#      URLs.
 #
-#      If you want to use the `<base>` element, then `base-uri 'self'`
-#      can be used instead.
+#      If you want to use the `<base>` element, then `base-uri 'self'` can be
+#      used instead.
 #
-#  (3) Form submissions are only allowed from the current website by
-#      setting: `form-action 'self'`.
+#  (3) Form submissions are only allowed from the current website by setting:
+#      `form-action 'self'`.
 #
-#  (4) Prevents all websites (including your own) from embedding your
-#      webpages within e.g. the `<iframe>` or `<object>` element by
-#      setting `frame-ancestors 'none'`.
+#  (4) Prevents all websites (including your own) from embedding your webpages
+#      within e.g. the `<iframe>` or `<object>` element by setting:
+#      `frame-ancestors 'none'`.
 #
-#	   The `frame-ancestors` directive helps avoid "Clickjacking" attacks
-#      and is similar to the `X-Frame-Options` header.
+#      The `frame-ancestors` directive helps avoid "Clickjacking" attacks and
+#      is similar to the `X-Frame-Options` header.
 #
-#      Browsers that support the CSP header will ignore `X-Frame-Options`
-#      if `frame-ancestors` is also specified.
+#      Browsers that support the CSP header will ignore `X-Frame-Options` if
+#      `frame-ancestors` is also specified.
 #
-#  (5) Forces the browser to treat all the resources that are served over
-#      HTTP as if they were loaded securely over HTTPS by setting the
+#  (5) Forces the browser to treat all the resources that are served over HTTP
+#      as if they were loaded securely over HTTPS by setting the
 #      `upgrade-insecure-requests` directive.
 #
-#      Please note that `upgrade-insecure-requests` does not ensure
-#      HTTPS for the top-level navigation. If you want to force the
-#      website itself to be loaded over HTTPS you must include the
-#      `Strict-Transport-Security` header.
+#      Please note that `upgrade-insecure-requests` does not ensure HTTPS for
+#      the top-level navigation. If you want to force the website itself to be
+#      loaded over HTTPS you must include the `Strict-Transport-Security`
+#      header.
+#
+#  (6) The `Content-Security-Policy` header is included in all responses
+#      that are able to execute scripting. This includes the commonly used
+#      file types: HTML, XML and PDF documents. Although Javascript files
+#      can not execute script in a "browsing context", they are still included
+#      to target workers:
+#      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#CSP_in_workers
 #
 # To make your CSP implementation easier, you can use an online CSP header
 # generator such as:
@@ -524,8 +548,8 @@ AddDefaultCharset utf-8
 # https://www.w3.org/TR/CSP/
 
 # <IfModule mod_headers.c>
-#     #                                   (1)                 (2)              (3)                 (4)                     (5)
-#     Header set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+#     #                                   (1)                 (2)              (3)                 (4)                     (5)                         (6)
+#     Header always set Content-Security-Policy "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests" "expr=%{CONTENT_TYPE} =~ m#text\/(html|javascript)|application\/pdf|xml#i"
 # </IfModule>
 
 # ----------------------------------------------------------------------
@@ -534,9 +558,9 @@ AddDefaultCharset utf-8
 
 # Block access to directories without a default document.
 #
-# You should leave the following uncommented, as you shouldn't allow
-# anyone to surf through every directory on your server (which may
-# includes rather private places such as the CMS's directories).
+# You should leave the following uncommented, as you shouldn't allow anyone to
+# surf through every directory on your server (which may includes rather
+# private places such as the CMS's directories).
 
 <IfModule mod_autoindex.c>
     Options -Indexes
@@ -544,17 +568,17 @@ AddDefaultCharset utf-8
 
 # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-# Block access to all hidden files and directories with the exception of
-# the visible content from within the `/.well-known/` hidden directory.
+# Block access to all hidden files and directories with the exception of the
+# visible content from within the `/.well-known/` hidden directory.
 #
-# These types of files usually contain user preferences or the preserved
-# state of an utility, and can include rather private places like, for
-# example, the `.git` or `.svn` directories.
+# These types of files usually contain user preferences or the preserved state
+# of a utility, and can include rather private places like, for example, the
+# `.git` or `.svn` directories.
 #
-# The `/.well-known/` directory represents the standard (RFC 5785) path
-# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
-# `/.well-known/keybase.txt`), and therefore, access to its visible
-# content should not be blocked.
+# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
+# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible content
+# should not be blocked.
 #
 # https://www.mnot.net/blog/2010/04/07/well-known
 # https://tools.ietf.org/html/rfc5785
@@ -571,17 +595,16 @@ AddDefaultCharset utf-8
 
 # Block access to files that can expose sensitive information.
 #
-# By default, block access to backup and source files that may be
-# left by some text editors and can pose a security risk when anyone
-# has access to them.
+# By default, block access to backup and source files that may be left by some
+# text editors and can pose a security risk when anyone has access to them.
 #
 # https://feross.org/cmsploit/
 #
-# (!) Update the `<FilesMatch>` regular expression from below to
-# include any files that might end up on your production server and
-# can expose sensitive information about your website. These files may
-# include: configuration files, files that contain metadata about the
-# project (e.g.: project dependencies), build scripts, etc..
+# (!) Update the `<FilesMatch>` regular expression from below to include any
+#     files that might end up on your production server and can expose
+#     sensitive information about your website. These files may include:
+#     configuration files, files that contain metadata about the project (e.g.:
+#     project dependencies, build scripts, etc.).
 
 <IfModule mod_authz_core.c>
     <FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$">
@@ -593,102 +616,93 @@ AddDefaultCharset utf-8
 # | HTTP Strict Transport Security (HSTS)                              |
 # ----------------------------------------------------------------------
 
-# Force client-side SSL redirection.
-#
-# If a user types `example.com` in their browser, even if the server
-# redirects them to the secure version of the website, that still leaves
-# a window of opportunity (the initial HTTP connection) for an attacker
-# to downgrade or redirect the request.
+# Force client-side TLS (Transport Layer Security) redirection.
 #
-# The following header ensures that browser will ONLY connect to your
-# server via HTTPS, regardless of what the users type in the browser's
-# address bar.
+# If a user types `example.com` in their browser, even if the server redirects
+# them to the secure version of the website, that still leaves a window of
+# opportunity (the initial HTTP connection) for an attacker to downgrade or
+# redirect the request.
 #
-# (!) Be aware that this, once published, is not revokable and you must ensure
-# being able to serve the site via SSL for the duration you've specified
-# in max-age. When you don't have a valid SSL connection (anymore) your
-# visitors will see a nasty error message even when attempting to connect
-# via simple HTTP.
+# The following header ensures that browser only connects to your server
+# via HTTPS, regardless of what the users type in the browser's address bar.
 #
-# (!) Remove the `includeSubDomains` optional directive if the website's
-# subdomains are not using HTTPS.
+# (!) Be aware that Strict Transport Security is not revokable and you
+#     must ensure being able to serve the site over HTTPS for the duration
+#     you've specified in the `max-age` directive. When you don't have a
+#     valid TLS connection anymore (e.g. due to an expired TLS cerfiticate)
+#     your visitors will see a nasty error message even when attempting to
+#     connect over HTTP.
 #
-# (1) If you want to submit your site for HSTS preload (2) you must
-#     * ensure the `includeSubDomains` directive to be present
-#     * the `preload` directive to be specified
-#     * the `max-age` to be at least 31536000 seconds (1 year) according to the current status.
+# (1) Preloading Strict Transport Security.
+#     To submit your site for HSTS preloading, it is required that:
+#     * the `includeSubDomains` directive is specified
+#     * the `preload` directive is specified
+#     * the `max-age` is specified with a value of at least 31536000 seconds
+#       (1 year).
+#     https://hstspreload.org/#deployment-recommendations
 #
-#     It is also advised (3) to only serve the HSTS header via a secure connection
-#     which can be done with either `env=https` or `"expr=%{HTTPS} == 'on'"` (4). The
-#     exact way depends on your environment and might just be tried.
-#
-# (2) https://hstspreload.org/
-# (3) https://tools.ietf.org/html/rfc6797#section-7.2
-# (4) https://stackoverflow.com/questions/24144552/how-to-set-hsts-header-from-htaccess-only-on-https/24145033#comment81632711_24145033
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://tools.ietf.org/html/rfc6797#section-6.1
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
 # https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
+# https://hstspreload.org/
 
 # <IfModule mod_headers.c>
-#     Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains"
-#     # (1) or if HSTS preloading is desired (respect (2) for current requirements):
-#     # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
-#     # (4) respectively… (respect (2) for current requirements):
+#     Header always set Strict-Transport-Security "max-age=16070400; includeSubDomains" "expr=%{HTTPS} == 'on'"
+#     # (1) Enable your site for HSTS preload inclusion.
 #     # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
 # </IfModule>
 
 # ----------------------------------------------------------------------
-# | Reducing MIME type security risks                                  |
+# | Content Type Options                                               |
 # ----------------------------------------------------------------------
 
 # Prevent some browsers from MIME-sniffing the response.
 #
-# This reduces exposure to drive-by download attacks and cross-origin
-# data leaks, and should be left uncommented, especially if the server
-# is serving user-uploaded content or content that could potentially be
-# treated as executable by the browser.
+# This reduces exposure to drive-by download attacks and cross-origin data
+# leaks, and should be left uncommented, especially if the server is serving
+# user-uploaded content or content that could potentially be treated as
+# executable by the browser.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
 # https://mimesniff.spec.whatwg.org/
 
 <IfModule mod_headers.c>
-    Header set X-Content-Type-Options "nosniff"
+    Header always set X-Content-Type-Options "nosniff"
 </IfModule>
 
 # ----------------------------------------------------------------------
-# | Reflected Cross-Site Scripting (XSS) attacks                       |
+# | Cross-Site Scripting (XSS) Protection                              |
 # ----------------------------------------------------------------------
 
-# (1) Try to re-enable the cross-site scripting (XSS) filter built
-#     into most web browsers.
+# Protect website reflected Cross-Site Scripting (XSS) attacks.
+#
+# (1) Try to re-enable the cross-site scripting (XSS) filter built into most
+#     web browsers.
 #
-#     The filter is usually enabled by default, but in some cases it
-#     may be disabled by the user. However, in Internet Explorer for
-#     example, it can be re-enabled just by sending the
-#     `X-XSS-Protection` header with the value of `1`.
+#     The filter is usually enabled by default, but in some cases it may be
+#     disabled by the user. However, in Internet Explorer for example, it can be
+#     re-enabled just by sending the  `X-XSS-Protection` header with the value
+#     of `1`.
 #
-# (2) Prevent web browsers from rendering the web page if a potential
-#     reflected (a.k.a non-persistent) XSS attack is detected by the
-#     filter.
+# (2) Prevent web browsers from rendering the web page if a potential reflected
+#     (a.k.a non-persistent) XSS attack is detected by the filter.
 #
-#     By default, if the filter is enabled and browsers detect a
-#     reflected XSS attack, they will attempt to block the attack
-#     by making the smallest possible modifications to the returned
-#     web page.
+#     By default, if the filter is enabled and browsers detect a reflected XSS
+#     attack, they will attempt to block the attack by making the smallest
+#     possible modifications to the returned web page.
 #
-#     Unfortunately, in some browsers (e.g.: Internet Explorer),
-#     this default behavior may allow the XSS filter to be exploited,
-#     thereby, it's better to inform browsers to prevent the rendering
-#     of the page altogether, instead of attempting to modify it.
+#     Unfortunately, in some browsers (e.g.: Internet Explorer), this default
+#     behavior may allow the XSS filter to be exploited. Therefore, it's better
+#     to inform browsers to prevent the rendering of the page altogether,
+#     instead of attempting to modify it.
 #
 #     https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
 #
-# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
-#     you are taking all possible measures to prevent XSS attacks, the
-#     most obvious being: validating and sanitizing your website's inputs.
+# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
+#     taking all possible measures to prevent XSS attacks, the most obvious
+#     being: validating and sanitizing your website's inputs.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
@@ -697,33 +711,34 @@ AddDefaultCharset utf-8
 
 # <IfModule mod_headers.c>
 #     #                           (1)    (2)
-#     Header set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+#     Header always set X-XSS-Protection "1; mode=block" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
 # </IfModule>
 
 # ----------------------------------------------------------------------
 # | Referrer Policy                                                    |
 # ----------------------------------------------------------------------
 
-# A web application uses HTTPS and a URL-based session identifier.
-# The web application might wish to link to HTTPS resources on other
-# web sites without leaking the user's session identifier in the URL.
+# Set a strict Referrer Policy to mitigate information leakage.
+#
+# (1) The `Referrer-Policy` header is included in responses for resources
+#     that are able to request (or navigate to) other resources.
 #
-# This can be done by setting a `Referrer Policy` which
-# whitelists trusted sources of content for your website.
+#     This includes the commonly used resource types:
+#     HTML, CSS, XML/SVG, PDF documents, scripts and workers.
 #
-# To check your referrer policy, you can use an online service
-# such as: https://securityheaders.io/.
+# To prevent referrer leakage entirely, specify the `no-referrer` value
+# instead. Note that the effect could impact analytics metrics negatively.
+#
+# To check your Referrer Policy, you can use an online service, such as:
+# https://securityheaders.com/
+# https://observatory.mozilla.org/
 #
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
 
 # <IfModule mod_headers.c>
-#     # no-referrer-when-downgrade (default)
-#     # This should be the user agent's default behavior if no policy is
-#     # specified.The origin is sent as referrer to a-priori as-much-secure
-#     # destination (HTTPS->HTTPS), but isn't sent to a less secure destination
-#     # (HTTPS->HTTP).
-#     Header set Referrer-Policy "no-referrer-when-downgrade" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
+#     #                                                             (1)
+#     Header always set Referrer-Policy "strict-origin-when-cross-origin" "expr=%{CONTENT_TYPE} =~ m#text\/(css|html|javascript)|application\/pdf|xml#i"
 # </IfModule>
 
 # ----------------------------------------------------------------------
@@ -732,22 +747,26 @@ AddDefaultCharset utf-8
 
 # Prevent Apache from responding to `TRACE` HTTP request.
 #
-# The TRACE method, while apparently harmless, can be successfully
-# leveraged in some scenarios to steal legitimate users' credentials
+# The TRACE method, while apparently harmless, can be successfully leveraged
+# in some scenarios to steal legitimate users' credentials.
 #
 # Modern browsers now prevent TRACE requests being made via JavaScript,
 # however, other ways of sending TRACE requests with browsers have been
 # discovered, such as using Java.
 #
-# (!) The `TraceEnable` directive will only work in the main server
-# configuration file, so don't try to enable it in the `.htaccess` file!
+# (!) If you have access to the main server configuration file, use the
+#     `TraceEnable` directive instead.
 #
 # https://tools.ietf.org/html/rfc7231#section-4.3.8
 # https://www.owasp.org/index.php/Cross_Site_Tracing
 # https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
 # https://httpd.apache.org/docs/current/mod/core.html#traceenable
 
-# TraceEnable Off
+# <IfModule mod_rewrite.c>
+#     RewriteEngine On
+#     RewriteCond %{REQUEST_METHOD} ^TRACE [NC]
+#     RewriteRule .* - [R=405,L]
+# </IfModule>
 
 # ----------------------------------------------------------------------
 # | Server-side technology information                                 |
@@ -755,17 +774,16 @@ AddDefaultCharset utf-8
 
 # Remove the `X-Powered-By` response header that:
 #
-#  * is set by some frameworks and server-side languages
-#    (e.g.: ASP.NET, PHP), and its value contains information
-#    about them (e.g.: their name, version number)
+#  * is set by some frameworks and server-side languages (e.g.: ASP.NET, PHP),
+#    and its value contains information about them (e.g.: their name, version
+#    number)
 #
-#  * doesn't provide any value to users, contributes to header
-#    bloat, and in some cases, the information it provides can
-#    expose vulnerabilities
+#  * doesn't provide any value to users, contributes to header bloat, and in
+#    some cases, the information it provides can expose vulnerabilities
 #
 # (!) If you can, you should disable the `X-Powered-By` header from the
-# language / framework level (e.g.: for PHP, you can do that by setting
-# `expose_php = off` in `php.ini`)
+#     language / framework level (e.g.: for PHP, you can do that by setting
+#     `expose_php = off` in `php.ini`).
 #
 # https://php.net/manual/en/ini.core.php#ini.expose-php
 
@@ -778,27 +796,14 @@ AddDefaultCharset utf-8
 # | Server software information                                        |
 # ----------------------------------------------------------------------
 
-# Prevent Apache from adding a trailing footer line containing
-# information about the server to the server-generated documents
-# (e.g.: error messages, directory listings, etc.)
+# Prevent Apache from adding a trailing footer line containing information
+# about the server to the server-generated documents (e.g.: error messages,
+# directory listings, etc.).
 #
 # https://httpd.apache.org/docs/current/mod/core.html#serversignature
 
 ServerSignature Off
 
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# Prevent Apache from sending in the `Server` response header its
-# exact version number, the description of the generic OS-type or
-# information about its compiled-in modules.
-#
-# (!) The `ServerTokens` directive will only work in the main server
-# configuration file, so don't try to enable it in the `.htaccess` file!
-#
-# https://httpd.apache.org/docs/current/mod/core.html#servertokens
-
-# ServerTokens Prod
-
 # ######################################################################
 # # WEB PERFORMANCE                                                    #
 # ######################################################################
@@ -847,6 +852,7 @@ ServerSignature Off
                                       "font/eot" \
                                       "font/opentype" \
                                       "font/otf" \
+                                      "font/ttf" \
                                       "image/bmp" \
                                       "image/svg+xml" \
                                       "image/vnd.microsoft.icon" \
@@ -868,16 +874,15 @@ ServerSignature Off
 
     # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
-    # Map the following filename extensions to the specified
-    # encoding type in order to make Apache serve the file types
-    # with the appropriate `Content-Encoding` response header
-    # (do note that this will NOT make Apache compress them!).
+    # Map the following filename extensions to the specified encoding type in
+    # order to make Apache serve the file types with the appropriate
+    # `Content-Encoding` response header (do note that this will NOT make
+    # Apache compress them!).
     #
     # If these files types would be served without an appropriate
-    # `Content-Enable` response header, client applications (e.g.:
-    # browsers) wouldn't know that they first need to uncompress
-    # the response, and thus, wouldn't be able to understand the
-    # content.
+    # `Content-Encoding` response header, client applications (e.g.: browsers)
+    # wouldn't know that they first need to uncompress the response, and thus,
+    # wouldn't be able to understand the content.
     #
     # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Encoding
     # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
@@ -892,15 +897,14 @@ ServerSignature Off
 # | Brotli pre-compressed content                                      |
 # ----------------------------------------------------------------------
 
-# Serve brotli compressed CSS, JS, HTML, SVG, ICS and JSON files
-# if they exist and if the client accepts br encoding.
+# Serve brotli compressed CSS, JS, HTML, SVG, ICS and JSON files if they exist
+# and if the client accepts br encoding.
 #
-# (!) To make this part relevant, you need to generate encoded
-# files by your own. Enabling this part will not auto-generate
-# brotlied files.
+# (!) To make this part relevant, you need to generate encoded files by your
+#     own. Enabling this part will not auto-generate brotlied files.
 #
-# Note that some clients (eg. browsers) require a secure connection
-# to request brotli-compressed resources.
+# Note that some clients (eg. browsers) require a secure connection to request
+# brotli-compressed resources.
 # https://www.chromestatus.com/feature/5420797577396224
 #
 # https://httpd.apache.org/docs/current/mod/mod_brotli.html#precompressed
@@ -946,21 +950,19 @@ ServerSignature Off
 # | GZip pre-compressed content                                        |
 # ----------------------------------------------------------------------
 
-# Serve gzip compressed CSS, JS, HTML, SVG, ICS and JSON files
-# if they exist and if the client accepts gzip encoding.
+# Serve gzip compressed CSS, JS, HTML, SVG, ICS and JSON files if they exist
+# and if the client accepts gzip encoding.
 #
-# (!) To make this part relevant, you need to generate encoded
-# files by your own. Enabling this part will not auto-generate
-# gziped files.
+# (!) To make this part relevant, you need to generate encoded files by your
+#     own. Enabling this part will not auto-generate gziped files.
 #
 # https://httpd.apache.org/docs/current/mod/mod_deflate.html#precompressed
 #
-# (1)
-# Removing default MIME Type for .gz files allowing to add custom
-# sub-types.
-# You may prefer using less generic extensions such as .html_gz in
-# order to keep default behavior regarding .gz files.
-# https://httpd.apache.org/docs/current/mod/mod_mime.html#removetype
+# (1) Removing default MIME Type for .gz files allowing to add custom
+#     sub-types.
+#     You may prefer using less generic extensions such as .html_gz in order to
+#     keep default behavior regarding .gz files.
+#     https://httpd.apache.org/docs/current/mod/mod_mime.html#removetype
 
 # <IfModule mod_headers.c>
 
@@ -1007,20 +1009,29 @@ ServerSignature Off
 # | Content transformation                                             |
 # ----------------------------------------------------------------------
 
-# Prevent intermediate caches or proxies (e.g.: such as the ones
-# used by mobile network providers) from modifying the website's
-# content.
+# Prevent intermediate caches or proxies (such as those used by mobile
+# network providers) and browsers data-saving features from modifying
+# the website's content using the `cache-control: no-transform` directive.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-# https://tools.ietf.org/html/rfc2616#section-14.9.5
+# https://tools.ietf.org/html/rfc7234#section-5.2.2.4
+#
+# (!) Carefully consider the impact on your visitors before disabling
+#     content transformation. These transformations are performed to
+#     improve the experience for data- and cost-constrained users
+#     (e.g. users on a 2G connection).
+#
+#     You can test the effects of content transformation applied by
+#     Google's Lite Mode by visiting: https://googleweblight.com/i?u=https://www.example.com
 #
-# (!) If you are using `mod_pagespeed`, please note that setting
-# the `Cache-Control: no-transform` response header will prevent
-# `PageSpeed` from rewriting `HTML` files, and, if the
-# `ModPagespeedDisableRewriteOnNoTransform` directive isn't set
-# to `off`, also from rewriting other resources.
+#     https://support.google.com/webmasters/answer/6211428
 #
-# https://developers.google.com/speed/pagespeed/module/configuration#notransform
+# (!) If you are using `mod_pagespeed`, note that disabling this will
+#     prevent `PageSpeed` from rewriting HTML files, and, if the
+#     `ModPagespeedDisableRewriteOnNoTransform` directive isn't set to
+#     `off`, also from rewriting other resources.
+#
+#     https://developers.google.com/speed/pagespeed/module/configuration#notransform
 
 # <IfModule mod_headers.c>
 #     Header merge Cache-Control "no-transform"
@@ -1049,9 +1060,8 @@ FileETag None
 
 # Serve resources with far-future expiration date.
 #
-# (!) If you don't control versioning with filename-based
-# cache busting, you should consider lowering the cache times
-# to something like one week.
+# (!) If you don't control versioning with filename-based cache busting, you
+# should consider lowering the cache times to something like one week.
 #
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
@@ -1114,6 +1124,7 @@ FileETag None
   # Media files
 
     ExpiresByType audio/ogg                             "access plus 1 month"
+    ExpiresByType image/apng                            "access plus 1 month"
     ExpiresByType image/bmp                             "access plus 1 month"
     ExpiresByType image/gif                             "access plus 1 month"
     ExpiresByType image/jpeg                            "access plus 1 month"
@@ -1169,16 +1180,13 @@ FileETag None
 
 # Allow concatenation from within specific files.
 #
-# e.g.:
-#
-#   If you have the following lines in a file called, for
-#   example, `main.combined.js`:
+# If you have the following lines in a file called, for example,
+# `main.combined.js`:
 #
-#       <!--#include file="js/jquery.js" -->
-#       <!--#include file="js/jquery.timer.js" -->
+#     <!--#include file="js/jquery.js" -->
+#     <!--#include file="js/jquery.timer.js" -->
 #
-#   Apache will replace those lines with the content of the
-#   specified files.
+# Apache will replace those lines with the content of the specified files.
 
 # <IfModule mod_include.c>
 
@@ -1202,17 +1210,16 @@ FileETag None
 # | Filename-based cache busting                                       |
 # ----------------------------------------------------------------------
 
-# If you're not using a build process to manage your filename version
-# revving, you might want to consider enabling the following directives
-# to route all requests such as `/style.12345.css` to `/style.css`.
+# If you're not using a build process to manage your filename version revving,
+# you might want to consider enabling the following directives.
 #
-# To understand why this is important and even a better solution than
-# using something like `*.css?v231`, please see:
+# To understand why this is important and even a better solution than using
+# something like `*.css?v231`, please see:
 # https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
 
 # <IfModule mod_rewrite.c>
 #     RewriteEngine On
 #     RewriteCond %{REQUEST_FILENAME} !-f
-#     RewriteRule ^(.+)\.(\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ $1.$3 [L]
+#     RewriteRule ^(.+)\.(\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|a?png|svgz?|webp|webmanifest)$ $1.$3 [L]
 # </IfModule>
 
diff --git a/package.json b/package.json
index 1a749610..75a8066f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "apache-server-configs",
-  "version": "3.2.1",
+  "version": "4.0.0",
   "author": "The H5BP Team",
   "description": "Boilerplate configurations for the Apache HTTP server",
   "repository": "h5bp/server-configs-apache",
