Changes in several days of work to improve

.htaccess

+<IfModule mod_headers.c>
+  # Disable content sniffing, since it's an attack vector.
+  Header always set X-Content-Type-Options nosniff
+  Header always set Strict-Transport-Security "max-age=15568000"
+  Header always set Content-Security-Policy "img-src 'none' ; script-src 'self' ; style-src 'self' ; connect-src 'self' ; font-src 'self' ; object-src 'self' ; media-src 'self' ; fram$
+  #Header always set Content-Security-Policy "default-src 'self' data: https: 'unsafe-inline' "
+  Header always set Referrer-Policy "no-referrer"
+  Header set X-Frame-Options: SAMEORIGIN
+  Header set X-XSS-Protection "1; mode=block" 
+</IfModule>
+
 <IfModule mod_rewrite.c>
 
 RewriteEngine On
+RewriteCond %{HTTP_HOST} =fair.coop [NC]
+# 404 test -- file/folder exists?
 
 ## Begin RewriteBase
 # If you are getting 500 or 404 errors on subpages, you may have to uncomment the RewriteBase entry

CHANGELOG.md

+# v1.4.2
+## 03/21/2018
+
+1. [](#new)
+    * Added new `|nicefilesize` Twig filter for pretty file (auto converts to bytes, kB, MB, GB, etc)
+    * Added new `regex_filter()` Twig function to values in arrays
+1. [](#improved)
+    * Added bosnian to lang codes [#1917](https://github.com/getgrav/grav/issues/1917) 
+    * Improved Zip extraction error codes [#1922](https://github.com/getgrav/grav/issues/1922)  
+1. [](#bugfix)
+    * Fixed an issue with Markdown Video and Audio that broke after Parsedown 1.7.0 Security updates [#1924](https://github.com/getgrav/grav/issues/1924)
+    * Fix for case-sensitive page metadata [admin#1370](https://github.com/getgrav/grav-plugin-admin/issues/1370)
+    * Fixed missing composer requirements for the new `Grav\Framework\Uri` classes
+    * Added missing PSR-7 vendor library required for URI additions in Grav 1.4.0
+
+# v1.4.1
+## 03/11/2018
+
+1. [](#bugfix)
+    * Fixed session timing out because of session cookie was not being sent
+
+# v1.4.0
+## 03/09/2018
+
+1. [](#new)
+    * Added `Grav\Framework\Uri` classes extending PSR-7 `HTTP message UriInterface` implementation
+    * Added `Grav\Framework\Route` classes to allow route/link manipulation
+    * Added `$grav['uri]->getCurrentUri()` method to get `Grav\Framework\Uri\Uri` instance for the current URL
+    * Added `$grav['uri]->getCurrentRoute()` method to get `Grav\Framework\Route\Route` instance for the current URL
+    * Added ability to have `php` version dependencies in GPM assets
+    * Added new `{% switch %}` twig tag for more elegant if statements
+    * Added new `{% markdown %}` twig tag
+    * Added **Route Overrides** to the default page blueprint
+    * Added new `Collection::toExtendedArray()` method that's particularly useful for Json output of data
+    * Added new `|yaml_encode` and `|yaml_decode` Twig filter to convert to and from YAML
+    * Added new `read_file()` Twig function to allow you to load and display a file in Twig (Supports streams and regular paths)
+    * Added a new `Medium::exists()` method to check for file existence
+    * Moved Twig `urlFunc()` to `Utils::url()` as its so darn handy
+    * Transferred overall copyright from RocketTheme, LLC, to Trilby Media LLC
+    * Added `theme_var`, `header_var` and `body_class` Twig functions for themes
+    * Added `Grav\Framework\Cache` classes providing PSR-16 `Simple Cache` implementation
+    * Added `Grav\Framework\ContentBlock` classes for nested HTML blocks with CSS/JS assets
+    * Added `Grav\Framework\Object` classes for creating collections of objects
+    * Added `|nicenumber` Twig filter
+    * Added `{% try %} ... {% catch %} Error: {{ e.message }} {% endcatch %}` tag to allow basic exception handling inside Twig
+    * Added `{% script %}` and `{% style %}` tags for Twig templates
+    * Deprecated GravTrait
+1. [](#improved)
+    * Improved `Session` initialization
+    * Added ability to set a `theme_var()` option in page frontmatter
+    * Force clearing PHP `clearstatcache` and `opcache-reset` on `Cache::clear()`
+    * Better `Page.collection()` filtering support including ability to have non-published pages in collections
+    * Stopped Chrome from auto-completing admin user profile form [#1847](https://github.com/getgrav/grav/issues/1847)
+    * Support for empty `switch` field like a `checkbox`
+    * Made `modular` blueprint more flexible
+    * Code optimizations to `Utils` class [#1830](https://github.com/getgrav/grav/pull/1830)
+    * Objects: Add protected function `getElement()` to get serialized value for a single property
+    * `ObjectPropertyTrait`: Added protected functions `isPropertyLoaded()`, `offsetLoad()`, `offsetPrepare()` and `offsetSerialize()`
+    * `Grav\Framework\Cache`: Allow unlimited TTL
+    * Optimizations & refactoring to the test suite [#1779](https://github.com/getgrav/grav/pull/1779)
+    * Slight modification of Whoops error colors
+    * Added new configuration option `system.session.initialize` to delay session initialization if needed by a plugin
+    * Vendor library updated to latest
+    * Updated vendor libraries to latest versions
+    * Removed constructor from `ObjectInterface`
+    * Make it possible to include debug bar also into non-HTML responses
+    * Updated built-in JQuery to latest 3.3.1
+1. [](#bugfix)
+    * Fixed issue with image alt tag always getting empted out unless set in markdown
+    * Fixed issue with remote PHP version determination for Grav updates [#1883](https://github.com/getgrav/grav/issues/1883)
+    * Fixed issue with _illegal scheme offset_ in `Uri::convertUrl()` [page-inject#8](https://github.com/getgrav/grav-plugin-page-inject/issues/8)
+    * Properly validate YAML blueprint fields so admin can save as proper YAML now  [addresses many issues]
+    * Fixed OpenGraph metatags so only Twitter uses `name=`, and all others use `property=` [#1849](https://github.com/getgrav/grav/issues/1849)
+    * Fixed an issue with `evaluate()` and `evaluate_twig()` Twig functions that throws invalid template error
+    * Fixed issue with `|sort_by_key` twig filter if the input was null or not an array
+    * Date ordering should always be numeric [#1810](https://github.com/getgrav/grav/issues/1810)
+    * Fix for base paths containing special characters [#1799](https://github.com/getgrav/grav/issues/1799)
+    * Fix for session cookies in paths containing special characters
+    * Fix for `vundefined` error for version numbers in GPM [form#222](https://github.com/getgrav/grav-plugin-form/issues/222)
+    * Fixed `BadMethodCallException` thrown in GPM updates [#1784](https://github.com/getgrav/grav/issues/1784)
+    * NOTE: Parsedown security release now escapes `&` to `&` in Markdown links
+
 # v1.3.10
 ## 12/06/2017
 
 1. [](#bugfix)
-    * Reverted GPM Local pull request as it broken admin [#1742](https://github.com/getgrav/grav/issues/1742) 
-
-1. [](#new)
+    * Reverted GPM Local pull request as it broken admin [#1742](https://github.com/getgrav/grav/issues/1742)
 
 # v1.3.9
 ## 12/05/2017
 
 1. [](#new)
     * Added new core Twig templates for `partials/metadata.html.twig` and `partials/messages.html.twig`
-    * Added ability to work with GPM locally [#1742](https://github.com/getgrav/grav/issues/1742) 
+    * Added ability to work with GPM locally [#1742](https://github.com/getgrav/grav/issues/1742)
     * Added new HTML5 audio controls [#1756](https://github.com/getgrav/grav/issues/1756)
     * Added `Medium::copy()` method to create a copy of a medium object
     * Added new `force_lowercase_urls` functionality on routes and slugs
@@ -35,15 +115,15 @@
     * Fixed token creation issue with `Uri` params like `/id:3`
     * Fixed CSS Pipeline failing with Google remote fonts if the file was minified [#1261](https://github.com/getgrav/grav-plugin-admin/issues/1261)
     * Forced `field.multiple: true` to allow use of min/max options in `checkboxes.validate`
-    
+
 # v1.3.8
 ## 10/26/2017
 
 1. [](#new)
     * Added Page `media_order` capability to manually order page media via a page header
 1. [](#bugfix)
-    * Fixed GPM update issue with filtered slugs [#1711](https://github.com/getgrav/grav/issues/1711)   
-    * Fixed issue with missing image file not throwing 404 properly [#1713](https://github.com/getgrav/grav/issues/1713) 
+    * Fixed GPM update issue with filtered slugs [#1711](https://github.com/getgrav/grav/issues/1711)
+    * Fixed issue with missing image file not throwing 404 properly [#1713](https://github.com/getgrav/grav/issues/1713)
 
 # v1.3.7
 ## 10/18/2017
@@ -59,20 +139,20 @@
 1. [](#bugfix)
     * Regression: Ajax error in Nginx [admin#1244](https://github.com/getgrav/grav-plugin-admin/issues/1244)
     * Remove the `_url=$uri` portion of the the Nginx `try_files` command [admin#1244](https://github.com/getgrav/grav-plugin-admin/issues/1244)
-    
+
 # v1.3.5
 ## 10/11/2017
 
 1. [](#improved)
     * Refactored `URI` class with numerous bug fixes, and optimizations
     * Override `system.media.upload_limit` with PHP's `post_max_size` or `upload_max_filesize`
-    * Updated `bin/grav clean` command to remove unnecessary vendor files (save some bytes) 
+    * Updated `bin/grav clean` command to remove unnecessary vendor files (save some bytes)
     * Added a `http_status_code` Twig function to allow setting HTTP status codes from Twig directly.
     * Deter XSS attacks via URI path/uri methods (credit:newbthenewbd)
     * Added support for `$uri->toArray()` and `(string)$uri`
     * Added support for `type` on `Asstes::addInlineJs()` [#1683](https://github.com/getgrav/grav/pull/1683)
 1. [](#bugfix)
-    * Fixed method signature error with `GPM\InstallCommand::processPackage()` [#1682](https://github.com/getgrav/grav/pull/1682)   
+    * Fixed method signature error with `GPM\InstallCommand::processPackage()` [#1682](https://github.com/getgrav/grav/pull/1682)
 
 # v1.3.4
 ## 09/29/2017
@@ -86,7 +166,7 @@
     * Improved support for Assets with query strings [#1451](https://github.com/getgrav/grav/issues/1451)
     * Twig extension cleanup
 1. [](#bugfix)
-    * Fixed an issue where fallback was not supporting dynamic page generation 
+    * Fixed an issue where fallback was not supporting dynamic page generation
     * Fixed issue with Image query string not being fully URL encoded [#1622](https://github.com/getgrav/grav/issues/1622)
     * Fixed `Page::summary()` when using delimiter and multibyte UTF8 Characters [#1644](https://github.com/getgrav/grav/issues/1644)
     * Fixed missing `.json` thumbnail throwing error when adding media [grav-plugin-admin#1156](https://github.com/getgrav/grav-plugin-admin/issues/1156)
@@ -129,7 +209,7 @@
     * Allow `session.timeout` field to be set to `0` via blueprints [#1598](https://github.com/getgrav/grav/issues/1598)
     * Fixed `Data::exists()` and `Data::raw()` functions breaking if `Data::file()` hasn't been called with non-null value
     * Fixed parent theme auto-loading in child themes of Gantry 5
-    
+
 # v1.3.1
 ## 07/19/2017
 

LICENSE.txt

 The MIT License (MIT)
 
-Copyright (c) 2017 Grav
+Copyright (c) 2018 Grav
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

cache/compiled/files/019acf774312df2641af74c557d80c20.yaml.php

-<?php
-return [
-    '@class' => 'Grav\\Common\\File\\CompiledYamlFile',
-    'filename' => '/var/www/grav/web/user/config/plugins/login.yaml',
-    'modified' => 1519059005,
-    'data' => [
-        'enabled' => true,
-        'built_in_css' => true,
-        'route' => '/admin/login',
-        'redirect_to_login' => true,
-        'route_activate' => '/activate_user',
-        'route_forgot' => '/forgot_password',
-        'route_reset' => '/reset_password',
-        'route_profile' => '/user_profile',
-        'route_register' => '/user_register',
-        'route_unauthorized' => '/user_unauthorized',
-        'dynamic_page_visibility' => false,
-        'parent_acl' => false,
-        'protect_protected_page_media' => false,
-        'rememberme' => [
-            'enabled' => true,
-            'timeout' => 604800,
-            'name' => 'grav-rememberme'
-        ],
-        'max_pw_resets_count' => 0,
-        'max_pw_resets_interval' => 60,
-        'max_login_count' => 0,
-        'max_login_interval' => 2,
-        'user_registration' => [
-            'enabled' => true,
-            'fields' => [
-                0 => 'username',
-                1 => 'password',
-                2 => 'email',
-                3 => 'fullname',
-                4 => 'title',
-                5 => 'level'
-            ],
-            'default_values' => [
-                'level' => 'Newbie'
-            ],
-            'access' => [
-                'site' => [
-                    'login' => 'true'
-                ]
-            ],
-            'options' => [
-                'validate_password1_and_password2' => true,
-                'set_user_disabled' => false,
-                'login_after_registration' => true,
-                'send_activation_email' => false,
-                'send_notification_email' => false,
-                'send_welcome_email' => '0'
-            ]
-        ]
-    ]
-];