AddDefaultCharset UTF-8
# Turn on URL rewriting
RewriteEngine On
AddDefaultCharset UTF-8
# Installation directory
RewriteBase /
# Protect hidden files from being viewed
<Files .*>
Order Deny,Allow
Deny From All
</Files>
# Protect application and system files from being viewed
RewriteRule ^(?:application|modules|system)b.* index.php/$0 [L]
# Allow any files or directories that exist to be displayed directly
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Rewrite all other URLs to index.php/URL
RewriteRule .* index.php/$0 [PT]
<IfModule mod_headers.c>
Header unset ETag
# clickjacking off
Header set X-Frame-Options: "sameorigin"
# MIME-sniffing
Header set X-Content-Type-Options: "nosniff"
# ...
Header unset X-Runtime
Header unset X-Powered-By
Header set X-XSS-Protection: "1; mode=block"
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
Header set strict-transport-security: "max-age=31536000; includeSubDomains"
</IfModule>