# https://github.com/delight-im/htaccess
<ifModule mod_headers.c>
# Prevent clickjacking (forbids framing by third-party sites)
Header set X-Frame-Options sameorigin
# Prevent content sniffing (MIME sniffing)
Header set X-Content-Type-Options nosniff
# Attempt to enable XSS filters in browsers, if available, and block reflected XSS
Header set X-XSS-Protection "1; mode=block"
# Cache media files for a month
<FilesMatch ".(js|css|jpg|jpeg|png|svg|webp|gif|ico|ogg|mp4|webm)$">
Header set Cache-Control max-age=2629800
</FilesMatch>
# Remove response headers that provide no value but leak information
Header unset X-Powered-By
# Disable "ETag" headers so that browsers rely on the "Cache-Control" and "Expires" headers
Header unset ETag
</ifModule>
<IfModule mod_autoindex.c>
# Turn off directory listings for folders without default documents
Options -Indexes
</IfModule>
<IfModule mod_negotiation.c>
# Disable 'MultiViews' implicit filename pattern matches
Options -MultiViews
</IfModule>
# Serve "text/plain" and "text/html" documents as UTF-8 by default
AddDefaultCharset utf-8
# Disable "ETag" headers so that browsers rely on the "Cache-Control" and "Expires" headers
FileETag None
<ifModule mod_headers.c>
# Enable HTTP Strict Transport Security (HSTS) with a duration of six months (Uncomment 1 line below)
# Header set Strict-Transport-Security max-age=15778800
</ifModule>
<ifModule mod_rewrite.c>
# Force 'www' (i.e. prefix the "bare" domain and all subdomains with 'www' through permanent redirects) (Uncomment 5 lines below)
# RewriteEngine On
# RewriteCond %{HTTP_HOST} !^$
# RewriteCond %{HTTP_HOST} !^www. [NC]
# RewriteCond %{HTTPS}s ^on(s)|
# RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# Prevent access to non-minified CSS and JS (Uncomment 3 lines below)
# <FilesMatch "(?<!.min).(css|js)$">
# Require all denied
# </FilesMatch>
# Show a custom error document for "404 Not Found" errors (Uncomment 1 line below)
# ErrorDocument 404 /notFound.html