@styfle
Last active November 12, 2018 17:04
Apache config for an HTTPS-enabled site: secure headers, cache headers, etc.
## Set security headers per https://observatory.mozilla.org
Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
Header set Content-Security-Policy "frame-ancestors 'self'"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
## Add some rewrite rules per https://stackoverflow.com/a/13997498/266535
RewriteEngine On
## If https is missing, redirect to https (test with a temporary R=302 before switching to the permanent R=301)
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
## If www is missing, redirect to www (test with a temporary R=302 before switching to the permanent R=301)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
## Return forbidden for secret.php file and halt rewrites
RewriteRule secret\.php - [F,L]
# BEGIN gzip
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript text/javascript
</IfModule>
# END gzip
# BEGIN caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 5 seconds"
ExpiresByType image/x-icon "access plus 604800 seconds"
ExpiresByType image/jpeg "access plus 604800 seconds"
ExpiresByType image/png "access plus 604800 seconds"
ExpiresByType image/gif "access plus 604800 seconds"
ExpiresByType image/svg+xml "access plus 604800 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 216000 seconds"
ExpiresByType application/javascript "access plus 216000 seconds"
ExpiresByType application/x-javascript "access plus 216000 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>
# END caching
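
An added check, not part of the original gist: this Python code audits a raw HTTP response head against the security header values the config above sets. The function names and both sample responses are constructed for illustration.

```python
import re

# Header values taken from the Apache config on this page.
EXPECTED = {
    "content-security-policy": "frame-ancestors 'self'",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_MAX_AGE = 15768000  # the max-age the config sets

def parse_headers(raw):
    """Map lowercased header names to values from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return sorted findings; an empty list means the response matches."""
    headers = parse_headers(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want.lower():
            findings.append(f"unexpected {name}: {got}")
    hsts = headers.get("strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts or "", re.IGNORECASE)
    if hsts is None:
        findings.append("missing strict-transport-security")
    elif not age or int(age.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"weak strict-transport-security: {hsts}")
    return sorted(findings)

# Constructed sample responses, not captured from a real server.
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000\r\n"
        "Content-Security-Policy: frame-ancestors 'self'\r\n"
        "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n"
       "X-Frame-Options: ALLOWALL\r\nX-Content-Type-Options: nosniff\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(raw) or "ok")
```

To audit a live site, save the output of `curl -sI` for an HTTPS URL and pass it to `audit()`; run it against a redirect and an error page as well as a normal page.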