@JamiesonRoberts
Last active October 17, 2018 19:07
Serverpilot Apache customizations
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self' https:; script-src 'unsafe-inline' 'self' https: http://www.google-analytics.com; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https: http://www.google-analytics.com https://pixel.morphio.info; font-src 'self' data: https:; connect-src 'self' https://maps.googleapis.com https://brain.morphio.info https://graylog.hotjar.com:12443 wss://ws4.hotjar.com https://insights.hotjar.com; media-src 'self' https:; object-src 'self'; frame-src 'self' https:; form-action 'self';"
</IfModule>
Header set Connection keep-alive
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/svg+xml "access 1 month"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
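# Allow framing by same-origin pages only
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
# Stop browsers from MIME-sniffing responses away from the declared Content-Type
Header always set X-Content-Type-Options nosniff
# env=HTTPS: the next two directives apply only when the HTTPS environment variable is set
Header always edit Set-Cookie ^(.*)$ $1;Secure env=HTTPS
Header always set Strict-Transport-Security "max-age=15552000; includeSubdomains;" env=HTTPS
Header always set Referrer-Policy strict-origin-when-cross-origin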
#Header set Content-Security-Policy "default-src 'self' https:;"
<Location "/">
AllowMethods GET POST
</Location>
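
A quick lint of the Content-Security-Policy value set in the `mod_headers` block above, as an added example that is not part of the original gist. The policy string is copied from the gist; the names `parse_csp` and `lint_csp` and the rule set are this example's own assumptions, not an exhaustive CSP audit.

```python
# Added example (not from the gist): lint the CSP value the gist sends.
POLICY = (
    "default-src 'self' https:; "
    "script-src 'unsafe-inline' 'self' https: http://www.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' https:; "
    "img-src 'self' data: https: http://www.google-analytics.com https://pixel.morphio.info; "
    "font-src 'self' data: https:; "
    "connect-src 'self' https://maps.googleapis.com https://brain.morphio.info "
    "https://graylog.hotjar.com:12443 wss://ws4.hotjar.com https://insights.hotjar.com; "
    "media-src 'self' https:; object-src 'self'; frame-src 'self' https:; form-action 'self';"
)

def parse_csp(policy):
    """Return {directive: [sources]}; a repeated directive is ignored (first one wins)."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def lint_csp(policy):
    """Return a sorted list of (directive, source, issue) findings."""
    d = parse_csp(policy)
    findings = set()
    name = "script-src" if "script-src" in d else "default-src"  # fallback rule
    scripts = d.get(name, [])
    pinned = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    for src in scripts:
        low = src.lower()
        if low == "'unsafe-inline'" and not pinned:  # ignored when a nonce/hash is present
            findings.add((name, src, "inline script allowed"))
        elif low == "'unsafe-eval'":
            findings.add((name, src, "eval allowed"))
        elif low in ("https:", "http:", "data:", "*"):
            findings.add((name, src, "scheme-wide source"))
    for directive, sources in d.items():
        for src in sources:
            if src.lower().startswith("http://"):
                findings.add((directive, src, "cleartext source"))
    # These two directives do not inherit from default-src.
    for missing in ("base-uri", "frame-ancestors"):
        if missing not in d:
            findings.add((missing, "", "directive not set, no default-src fallback"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_csp(POLICY):
        print(*finding, sep=" | ")
```

The gist also sends `X-Frame-Options SAMEORIGIN`, which covers framing for browsers that honour that header even though `frame-ancestors` is not set in the policy.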