alexbudin/.htaccess

## .htaccess
## ~-~-~- How to use ~-~-~-

# You can directly download as use as it is.
# Everything is listed is only perfomance and security related lines
# Validate .htaccess from http://www.htaccesscheck.com/

# Disable Directory Browsing: Security
Options All -Indexes

# If a dir is a symbol link, follow the link
Options +FollowSymLinks

# Disable multiviews
# Ref - https://stackoverflow.com/questions/25423141/what-exactly-does-the-multiviews-options-in-htaccess/25423722
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

# Set Timezone of the Server (GMT)
# SetEnv TZ Asia/Kolkata

## Add a "en-US" language header and "UTF-8" without meta tags!

# Use UTF-8 encoding for anything served text/plain or text/html
AddDefaultCharset utf-8

# Force UTF-8 for a number of file formats
AddCharset utf-8 .atom .css .js .json .rss .vtt .xml

DefaultLanguage en-US

# Enable basic rewriting
RewriteEngine on

# Disable HTTP Trace
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule ^ - [F]

# This is must to implement https
RewriteCond %{HTTPS} off

# Forcing HTTPS on All Traffic
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# --------- Force redirect http to https://www
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ---------
#----------------------------------------------------------------------------OR------------------------------------------------
# --------- Force redirect http with www or without www to https://
# Remove www from url directories
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,QSA,NC,L]

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ---------

<IfModule mod_mime.c>
    AddCharset utf-8 .atom \
                     .bbaw \
                     .css \
                     .geojson \
                     .ics \
                     .js \
                     .json \
                     .jsonld \
                     .manifest \
                     .markdown \
                     .md \
                     .mjs \
                     .rdf \
                     .rss \
                     .topojson \
                     .vtt \
                     .webapp \
                     .webmanifest \
                     .xloc \
                     .xml

  # Audio
    AddType audio/mp4                             m4a f4a f4b
    AddType audio/mpeg                            mp3
    AddType audio/ogg                             oga ogg opus
    AddType audio/wav                             wav
    AddType audio/webm                            webma

  # Data interchange
    AddType application/json                      json map
    AddType application/ld+json                   jsonld

  # JavaScript
    # Normalize to standard type.
    # http://tools.ietf.org/html/rfc4329#section-7.2
    AddType application/javascript                js jsonp

  # Video
    AddType video/mp4                             f4v f4p m4v mp4
    AddType video/ogg                             ogv
    AddType video/webm                            webm
    AddType video/x-flv                           flv

  # Web fonts
    AddType application/vnd.ms-fontobject         .eot
    AddType application/x-font-opentype           .otf
    AddType application/x-font-ttf                ttc ttf
    AddType application/font-woff                 .woff
    AddType application/font-woff2                .woff2
    AddType application/x-font-woff               woff
    AddType font/opentype                         otf


    # Make SVGZ fonts work on the iPad.
    # https://twitter.com/FontSquirrel/status/14855840545
    AddType image/svg+xml                         svg svgz
    AddEncoding gzip                              svgz

  # Other
    AddType application/octet-stream              safariextz
    AddType application/x-chrome-extension        crx
    AddType application/x-opera-extension         oex
    AddType application/x-web-app-manifest+json   webapp
    AddType application/x-xpinstall               xpi
    AddType application/xml                       atom rdf rss xml
    AddType image/webp                            webp
    AddType image/x-icon                          ico
    AddType image/vnd.microsoft.icon              ico
    AddType text/cache-manifest                   appcache manifest
    AddType text/css                              css
    AddType image/svg+xml                         svg
    AddType text/vtt                              vtt
    AddType text/x-component                      htc
    AddType text/x-vcard                          vcf
    AddType application/vnd.openxmlformats        .docx .pptx .xlsx .xltx . xltm .dotx .potx .ppsx
    AddType application/manifest+json             .webmanifest
    AddType application/x-shockwave-flash	  swf
</IfModule>
#------------------------------

# Allow Cross-Domain Fonts
# CDN-served webfonts might not work in Firefox or IE due to CORS. This snippet solves the problem.
<IfModule mod_headers.c>
    <FilesMatch "\.(eot|otf|ttc|ttf|woff|woff2)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# Enable Compression
<IfModule mod_deflate.c>

    # Force compression for mangled headers.
    # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
    <IfModule mod_setenvif.c>
        <IfModule mod_headers.c>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>

    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE application/atom+xml
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
    AddOutputFilterByType DEFLATE text/x-component
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/ld+json
    AddOutputFilterByType DEFLATE application/x-httpd-fastphp
    AddOutputFilterByType DEFLATE application/x-httpd-php
    AddOutputFilterByType DEFLATE text/vtt
</IfModule>
<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
#-----------

# Leverage Browser Caching
<IfModule mod_expires.c>
  ExpiresActive On

# Perhaps better to whitelist expires rules? Perhaps.
  ExpiresDefault                          "access plus 1 week"

# HTML components (HTCs)
  ExpiresByType text/x-component          "access plus 1 month"

# Data interchange

  ExpiresByType application/atom+xml      "access plus 1 hour"
  ExpiresByType application/rdf+xml       "access plus 1 hour"
  ExpiresByType application/rss+xml       "access plus 1 hour"

  ExpiresByType application/json          "access plus 0 seconds"
  ExpiresByType application/ld+json       "access plus 0 seconds"
  ExpiresByType application/schema+json   "access plus 0 seconds"
  ExpiresByType application/vnd.geo+json  "access plus 0 seconds"
  ExpiresByType application/xml           "access plus 0 seconds"
  ExpiresByType text/calendar             "access plus 0 seconds"
  ExpiresByType text/xml                  "access plus 0 seconds"

  ExpiresByType application/pdf		  "access 1 month"
  ExpiresByType application/x-shockwave-flash "access 1 month"

# Favicon (cannot be renamed) and cursor images
  ExpiresByType image/vnd.microsoft.icon  "access plus 1 month"
  ExpiresByType image/x-icon              "access plus 1 month"

# Media: images, video, audio
  ExpiresByType image/gif                 "access plus 1 month"
  ExpiresByType image/png                 "access plus 1 month"
  ExpiresByType image/jpg                 "access plus 1 month"
  ExpiresByType image/jpeg                "access plus 1 month"
  ExpiresByType image/bmp                 "access plus 1 month"
  ExpiresByType image/webp                "access plus 1 month"
  ExpiresByType audio/ogg                 "access plus 1 month"
  ExpiresByType video/ogg                 "access plus 1 month"
  ExpiresByType video/mp4                 "access plus 1 month"
  ExpiresByType video/webm                "access plus 1 month"

# Webfonts
  #collection
  ExpiresByType font/collection                       "access plus 1 month"

  # Embedded OpenType (EOT)
  ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
  ExpiresByType font/eot                              "access plus 1 month"

  # TrueType
  ExpiresByType application/x-font-ttf                "access plus 1 month"
  ExpiresByType font/ttf                              "access plus 1 month"

  # Web Open Font Format (WOFF) 1.0
  ExpiresByType application/font-woff                 "access plus 1 month"
  ExpiresByType application/x-font-woff               "access plus 1 month"
  ExpiresByType font/woff                             "access plus 1 month"

  # OpenType
  ExpiresByType font/opentype                         "access plus 1 month"
  ExpiresByType image/svg+xml                         "access plus 1 month"

  # Web Open Font Format (WOFF) 2.0
  ExpiresByType application/font-woff2                "access plus 1 month"
  ExpiresByType font/woff2                            "access plus 1 month"

  # Other
  ExpiresByType text/x-cross-domain-policy            "access plus 1 week"

# HTML
  ExpiresByType text/html                 	      "access plus 1 minute"
  ExpiresByType text/plain			      "access plus 1 month"

# CSS
  ExpiresByType text/css                  	      "access plus 1 year"

# Javascript
  ExpiresByType text/javascript       	 	      "access plus 1 month"
  ExpiresByType text/x-javascript         	      "access plus 1 month"
  ExpiresByType application/javascript    	      "access plus 1 month"
  ExpiresByType application/x-javascript              "access plus 1 month"

# Manifest files
  ExpiresByType application/manifest+json             "access plus 1 week"
  ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
  ExpiresByType text/cache-manifest                   "access plus 0 seconds"

# Markdown
  ExpiresByType text/markdown                         "access plus 0 seconds"
</IfModule>

# Better site speed with better caching
<IfModule mod_headers.c>
  <filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|js|swf|ttf|otf|woff|woff2|eot|svg|webp|mp4)$">
	Header set Cache-Control "max-age=31536000, public"
  </filesmatch>
  <filesmatch "\.(html|htm)$">
	Header set Cache-Control "max-age=7200, private, must-revalidate"
  </filesmatch>
  <filesmatch "\.(pdf)$">
	Header set Cache-Control "max-age=86400, public"
  </filesmatch>
  # 2 DAYS
  <FilesMatch "\.(xml|txt)$">
	Header set Cache-Control "max-age=172800, public, must-revalidate"
  </FilesMatch>

</IfModule>
#-----------

# Keep alive connection to server
<ifModule mod_headers.c>
	Header set Connection keep-alive
</ifModule>

# ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
# # SECURITY - If you found that this file is not working then just remove security section

# Set HttpOnly Cookie. Change php_module according to your version. For php5 use `php5_module`
<IfModule php7_module>
    php_flag session.cookie_httponly on
</IfModule>

# Tells apache not to display the server version on error pages, or other pages it generates.
ServerSignature Off

# Extra Security Headers
<IfModule mod_headers.c>
        # Protect against XSS attacks
	Header set X-XSS-Protection "1; mode=block"

	# Protect against page-framing and click-jacking
	# or Header set X-Frame-Options SAMEORIGIN env=!allow_framing
	Header set X-Frame-Options SAMEORIGIN

	# Protect against content-sniffing or prevent mime based attacks
	Header set X-Content-Type-Options nosniff

	# Hide Server-side technology information
        Header always unset X-Powered-By
        Header unset X-Powered-By

	# You can implement this header to instruct the browser how to handle the requests over a cross-domain.
	# By implementing this header, you restrict loading your site’s assets from other domain to avoid resource abuse.
	Header set X-Permitted-Cross-Domain-Policies none

	#The default setting where referrer is sent to the same protocol as HTTP to HTTP, HTTPS to HTTPS.
	Header set Referrer-Policy no-referrer-when-downgrade

	# HTTP Strict Transport Security (HSTS). Required : only if https
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

	#Content Security Policy. Default-src - Load everything from a defined source. Caution - Sometime doesnt work
        # Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"

	# With Permissions Policy, you can control browser features such as
	# geolocation, fullscreen, speaker, USB, autoplay, speaker, microphone, payment, battery status, etc.
	# to enable or disable within a web application
	Header always set Permissions-Policy "fullscreen 'none'; microphone 'none'"

	# This will prevent the use of mis-issued certificates for websites
	Header set Expect-CT "enforce, max-age=31536000"

	# https://owasp.org/www-project-secure-headers/#div-headers
        Header append Vary "Accept-Encoding, User-Agent, Referer"
	Header set Cross-Origin-Embedder-Policy "require-corp"
	Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
	Header set Cross-Origin-Resource-Policy "same-origin"
	Header set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>

# Block access to configuration, informational, documentation files
<FilesMatch "package.json|package-lock.json|phpunit.xml|composer.json|installed.json|composer.lock|artisan|readme.md|wp-config.php|xmlrpc.php">
	order deny,allow
	deny from all
</FilesMatch>

# Block access to hidden files & directories. Resulting in a 403 Forbidden error.
# ".htaccess|.editorconfig|.gitattributes|.gitignore|.env|.log|.ini"
<IfModule mod_rewrite.c>
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>

# Disable Unnecessary HTTP Requests
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

## Disallow Script Execution
#Options -ExecCGI
#AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

## If your server don't support ETags deactivate with "None" (and remove header)
#<IfModule mod_headers.c>
#   Header unset ETag
#</IfModule>
	## ~-~-~- How to use ~-~-~-

	# You can directly download as use as it is.
	# Everything is listed is only perfomance and security related lines
	# Validate .htaccess from http://www.htaccesscheck.com/

	# Disable Directory Browsing: Security
	Options All -Indexes

	# If a dir is a symbol link, follow the link
	Options +FollowSymLinks

	# Disable multiviews
	# Ref - https://stackoverflow.com/questions/25423141/what-exactly-does-the-multiviews-options-in-htaccess/25423722
	<IfModule mod_negotiation.c>
	Options -MultiViews
	</IfModule>

	# Set Timezone of the Server (GMT)
	# SetEnv TZ Asia/Kolkata

	## Add a "en-US" language header and "UTF-8" without meta tags!

	# Use UTF-8 encoding for anything served text/plain or text/html
	AddDefaultCharset utf-8

	# Force UTF-8 for a number of file formats
	AddCharset utf-8 .atom .css .js .json .rss .vtt .xml

	DefaultLanguage en-US

	# Enable basic rewriting
	RewriteEngine on

	# Disable HTTP Trace
	RewriteCond %{REQUEST_METHOD} ^TRACE
	RewriteRule ^ - [F]

	# This is must to implement https
	RewriteCond %{HTTPS} off

	# Forcing HTTPS on All Traffic
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	# --------- Force redirect http to https://www
	RewriteCond %{HTTPS} off
	# First rewrite to HTTPS:
	# Don't put www. here. If it is already there it will be included, if not
	# the subsequent rule will catch it.
	RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
	# Now, rewrite any request to the wrong domain to use www.
	# [NC] is a case-insensitive match
	RewriteCond %{HTTP_HOST} !^www\. [NC]
	RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
	# ---------
	#----------------------------------------------------------------------------OR------------------------------------------------
	# --------- Force redirect http with www or without www to https://
	# Remove www from url directories
	RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
	RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,QSA,NC,L]

	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
	# ---------

	<IfModule mod_mime.c>
	AddCharset utf-8 .atom \
	.bbaw \
	.css \
	.geojson \
	.ics \
	.js \
	.json \
	.jsonld \
	.manifest \
	.markdown \
	.md \
	.mjs \
	.rdf \
	.rss \
	.topojson \
	.vtt \
	.webapp \
	.webmanifest \
	.xloc \
	.xml

	# Audio
	AddType audio/mp4 m4a f4a f4b
	AddType audio/mpeg mp3
	AddType audio/ogg oga ogg opus
	AddType audio/wav wav
	AddType audio/webm webma

	# Data interchange
	AddType application/json json map
	AddType application/ld+json jsonld

	# JavaScript
	# Normalize to standard type.
	# http://tools.ietf.org/html/rfc4329#section-7.2
	AddType application/javascript js jsonp

	# Video
	AddType video/mp4 f4v f4p m4v mp4
	AddType video/ogg ogv
	AddType video/webm webm
	AddType video/x-flv flv

	# Web fonts
	AddType application/vnd.ms-fontobject .eot
	AddType application/x-font-opentype .otf
	AddType application/x-font-ttf ttc ttf
	AddType application/font-woff .woff
	AddType application/font-woff2 .woff2
	AddType application/x-font-woff woff
	AddType font/opentype otf


	# Make SVGZ fonts work on the iPad.
	# https://twitter.com/FontSquirrel/status/14855840545
	AddType image/svg+xml svg svgz
	AddEncoding gzip svgz

	# Other
	AddType application/octet-stream safariextz
	AddType application/x-chrome-extension crx
	AddType application/x-opera-extension oex
	AddType application/x-web-app-manifest+json webapp
	AddType application/x-xpinstall xpi
	AddType application/xml atom rdf rss xml
	AddType image/webp webp
	AddType image/x-icon ico
	AddType image/vnd.microsoft.icon ico
	AddType text/cache-manifest appcache manifest
	AddType text/css css
	AddType image/svg+xml svg
	AddType text/vtt vtt
	AddType text/x-component htc
	AddType text/x-vcard vcf
	AddType application/vnd.openxmlformats .docx .pptx .xlsx .xltx . xltm .dotx .potx .ppsx
	AddType application/manifest+json .webmanifest
	AddType application/x-shockwave-flash swf
	</IfModule>
	#------------------------------

	# Allow Cross-Domain Fonts
	# CDN-served webfonts might not work in Firefox or IE due to CORS. This snippet solves the problem.
	<IfModule mod_headers.c>
	<FilesMatch "\.(eot\|otf\|ttc\|ttf\|woff\|woff2)$">
	Header set Access-Control-Allow-Origin "*"
	</FilesMatch>
	</IfModule>

	# Enable Compression
	<IfModule mod_deflate.c>

	# Force compression for mangled headers.
	# https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
	<IfModule mod_setenvif.c>
	<IfModule mod_headers.c>
	SetEnvIfNoCase ^(Accept-EncodXng\|X-cept-Encoding\|X{15}\|~{15}\|-{15})$ ^((gzip\|deflate)\s,?\s)+\|[X~-]{4,13}$ HAVE_Accept-Encoding
	RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
	</IfModule>
	</IfModule>

	AddOutputFilterByType DEFLATE application/javascript
	AddOutputFilterByType DEFLATE application/rss+xml
	AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
	AddOutputFilterByType DEFLATE application/x-font
	AddOutputFilterByType DEFLATE application/x-font-opentype
	AddOutputFilterByType DEFLATE application/x-font-otf
	AddOutputFilterByType DEFLATE application/x-font-truetype
	AddOutputFilterByType DEFLATE application/x-font-ttf
	AddOutputFilterByType DEFLATE application/x-javascript
	AddOutputFilterByType DEFLATE application/xhtml+xml
	AddOutputFilterByType DEFLATE application/xml
	AddOutputFilterByType DEFLATE font/opentype
	AddOutputFilterByType DEFLATE font/otf
	AddOutputFilterByType DEFLATE font/ttf
	AddOutputFilterByType DEFLATE image/svg+xml
	AddOutputFilterByType DEFLATE image/x-icon
	AddOutputFilterByType DEFLATE text/css
	AddOutputFilterByType DEFLATE text/html
	AddOutputFilterByType DEFLATE text/javascript
	AddOutputFilterByType DEFLATE text/plain
	AddOutputFilterByType DEFLATE application/atom+xml
	AddOutputFilterByType DEFLATE application/json
	AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
	AddOutputFilterByType DEFLATE text/x-component
	AddOutputFilterByType DEFLATE text/xml
	AddOutputFilterByType DEFLATE application/ld+json
	AddOutputFilterByType DEFLATE application/x-httpd-fastphp
	AddOutputFilterByType DEFLATE application/x-httpd-php
	AddOutputFilterByType DEFLATE text/vtt
	</IfModule>
	<IfModule mod_gzip.c>
	mod_gzip_on Yes
	mod_gzip_dechunk Yes
	mod_gzip_item_include file .(html?\|txt\|css\|js\|php\|pl)$
	mod_gzip_item_include handler ^cgi-script$
	mod_gzip_item_include mime ^text/.*
	mod_gzip_item_include mime ^application/x-javascript.*
	mod_gzip_item_exclude mime ^image/.*
	mod_gzip_item_exclude rspheader ^Content-Encoding:.gzip.
	</IfModule>
	#-----------

	# Leverage Browser Caching
	<IfModule mod_expires.c>
	ExpiresActive On

	# Perhaps better to whitelist expires rules? Perhaps.
	ExpiresDefault "access plus 1 week"

	# HTML components (HTCs)
	ExpiresByType text/x-component "access plus 1 month"

	# Data interchange

	ExpiresByType application/atom+xml "access plus 1 hour"
	ExpiresByType application/rdf+xml "access plus 1 hour"
	ExpiresByType application/rss+xml "access plus 1 hour"

	ExpiresByType application/json "access plus 0 seconds"
	ExpiresByType application/ld+json "access plus 0 seconds"
	ExpiresByType application/schema+json "access plus 0 seconds"
	ExpiresByType application/vnd.geo+json "access plus 0 seconds"
	ExpiresByType application/xml "access plus 0 seconds"
	ExpiresByType text/calendar "access plus 0 seconds"
	ExpiresByType text/xml "access plus 0 seconds"

	ExpiresByType application/pdf "access 1 month"
	ExpiresByType application/x-shockwave-flash "access 1 month"

	# Favicon (cannot be renamed) and cursor images
	ExpiresByType image/vnd.microsoft.icon "access plus 1 month"
	ExpiresByType image/x-icon "access plus 1 month"

	# Media: images, video, audio
	ExpiresByType image/gif "access plus 1 month"
	ExpiresByType image/png "access plus 1 month"
	ExpiresByType image/jpg "access plus 1 month"
	ExpiresByType image/jpeg "access plus 1 month"
	ExpiresByType image/bmp "access plus 1 month"
	ExpiresByType image/webp "access plus 1 month"
	ExpiresByType audio/ogg "access plus 1 month"
	ExpiresByType video/ogg "access plus 1 month"
	ExpiresByType video/mp4 "access plus 1 month"
	ExpiresByType video/webm "access plus 1 month"

	# Webfonts
	#collection
	ExpiresByType font/collection "access plus 1 month"

	# Embedded OpenType (EOT)
	ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
	ExpiresByType font/eot "access plus 1 month"

	# TrueType
	ExpiresByType application/x-font-ttf "access plus 1 month"
	ExpiresByType font/ttf "access plus 1 month"

	# Web Open Font Format (WOFF) 1.0
	ExpiresByType application/font-woff "access plus 1 month"
	ExpiresByType application/x-font-woff "access plus 1 month"
	ExpiresByType font/woff "access plus 1 month"

	# OpenType
	ExpiresByType font/opentype "access plus 1 month"
	ExpiresByType image/svg+xml "access plus 1 month"

	# Web Open Font Format (WOFF) 2.0
	ExpiresByType application/font-woff2 "access plus 1 month"
	ExpiresByType font/woff2 "access plus 1 month"

	# Other
	ExpiresByType text/x-cross-domain-policy "access plus 1 week"

	# HTML
	ExpiresByType text/html "access plus 1 minute"
	ExpiresByType text/plain "access plus 1 month"

	# CSS
	ExpiresByType text/css "access plus 1 year"

	# Javascript
	ExpiresByType text/javascript "access plus 1 month"
	ExpiresByType text/x-javascript "access plus 1 month"
	ExpiresByType application/javascript "access plus 1 month"
	ExpiresByType application/x-javascript "access plus 1 month"

	# Manifest files
	ExpiresByType application/manifest+json "access plus 1 week"
	ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
	ExpiresByType text/cache-manifest "access plus 0 seconds"

	# Markdown
	ExpiresByType text/markdown "access plus 0 seconds"
	</IfModule>

	# Better site speed with better caching
	<IfModule mod_headers.c>
	<filesmatch "\.(ico\|flv\|jpg\|jpeg\|png\|gif\|css\|js\|swf\|ttf\|otf\|woff\|woff2\|eot\|svg\|webp\|mp4)$">
	Header set Cache-Control "max-age=31536000, public"
	</filesmatch>
	<filesmatch "\.(html\|htm)$">
	Header set Cache-Control "max-age=7200, private, must-revalidate"
	</filesmatch>
	<filesmatch "\.(pdf)$">
	Header set Cache-Control "max-age=86400, public"
	</filesmatch>
	# 2 DAYS
	<FilesMatch "\.(xml\|txt)$">
	Header set Cache-Control "max-age=172800, public, must-revalidate"
	</FilesMatch>

	</IfModule>
	#-----------

	# Keep alive connection to server
	<ifModule mod_headers.c>
	Header set Connection keep-alive
	</ifModule>

	# ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
	# # SECURITY - If you found that this file is not working then just remove security section

	# Set HttpOnly Cookie. Change php_module according to your version. For php5 use `php5_module`
	<IfModule php7_module>
	php_flag session.cookie_httponly on
	</IfModule>

	# Tells apache not to display the server version on error pages, or other pages it generates.
	ServerSignature Off

	# Extra Security Headers
	<IfModule mod_headers.c>
	# Protect against XSS attacks
	Header set X-XSS-Protection "1; mode=block"

	# Protect against page-framing and click-jacking
	# or Header set X-Frame-Options SAMEORIGIN env=!allow_framing
	Header set X-Frame-Options SAMEORIGIN

	# Protect against content-sniffing or prevent mime based attacks
	Header set X-Content-Type-Options nosniff

	# Hide Server-side technology information
	Header always unset X-Powered-By
	Header unset X-Powered-By

	# You can implement this header to instruct the browser how to handle the requests over a cross-domain.
	# By implementing this header, you restrict loading your site’s assets from other domain to avoid resource abuse.
	Header set X-Permitted-Cross-Domain-Policies none

	#The default setting where referrer is sent to the same protocol as HTTP to HTTP, HTTPS to HTTPS.
	Header set Referrer-Policy no-referrer-when-downgrade

	# HTTP Strict Transport Security (HSTS). Required : only if https
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

	#Content Security Policy. Default-src - Load everything from a defined source. Caution - Sometime doesnt work
	# Header set Content-Security-Policy "default-src * data:; script-src https: 'unsafe-inline' 'unsafe-eval'; style-src https: 'unsafe-inline'"

	# With Permissions Policy, you can control browser features such as
	# geolocation, fullscreen, speaker, USB, autoplay, speaker, microphone, payment, battery status, etc.
	# to enable or disable within a web application
	Header always set Permissions-Policy "fullscreen 'none'; microphone 'none'"

	# This will prevent the use of mis-issued certificates for websites
	Header set Expect-CT "enforce, max-age=31536000"

	# https://owasp.org/www-project-secure-headers/#div-headers
	Header append Vary "Accept-Encoding, User-Agent, Referer"
	Header set Cross-Origin-Embedder-Policy "require-corp"
	Header set Cross-Origin-Opener-Policy "same-origin-allow-popups"
	Header set Cross-Origin-Resource-Policy "same-origin"
	Header set Content-Security-Policy "upgrade-insecure-requests"
	</IfModule>

	# Block access to configuration, informational, documentation files
	<FilesMatch "package.json\|package-lock.json\|phpunit.xml\|composer.json\|installed.json\|composer.lock\|artisan\|readme.md\|wp-config.php\|xmlrpc.php">
	order deny,allow
	deny from all
	</FilesMatch>

	# Block access to hidden files & directories. Resulting in a 403 Forbidden error.
	# ".htaccess\|.editorconfig\|.gitattributes\|.gitignore\|.env\|.log\|.ini"
	<IfModule mod_rewrite.c>
	RewriteCond %{SCRIPT_FILENAME} -d [OR]
	RewriteCond %{SCRIPT_FILENAME} -f
	RewriteRule "(^\|/)\." - [F]
	</IfModule>

	# Disable Unnecessary HTTP Requests
	RewriteCond %{REQUEST_METHOD} !^(GET\|POST\|HEAD)
	RewriteRule .* - [R=405,L]

	## Disallow Script Execution
	#Options -ExecCGI
	#AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi

	## If your server don't support ETags deactivate with "None" (and remove header)
	#<IfModule mod_headers.c>
	# Header unset ETag
	#</IfModule>