styfle · November 12, 2018 17:04
diff --git a/.htaccess b/.htaccess
 ## Set security headers per https://observatory.mozilla.org
 Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
 Header set Content-Security-Policy "frame-ancestors 'self'"
 Header set X-Frame-Options "SAMEORIGIN"
 Header set X-XSS-Protection "1; mode=block"
 Header set X-Content-Type-Options "nosniff"

 ## Add some rewrite rules per https://stackoverflow.com/a/13997498/266535
 RewriteEngine On

 ## If https is missing, redirect to https (use 302 temp before trying 301 permanent)
 RewriteCond %{HTTPS} off
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 ## If www is missing, redirect to www (use 302 temp before trying 301 permanent)
 RewriteCond %{HTTP_HOST} !^www\. [NC]
 RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 ## Return forbidden for secret.php file and halt rewrites
 RewriteRule secret\.php - [F,L]

 # BEGIN gzip
 <ifmodule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript text/javascript
 </ifmodule>
 # END gzip

 # BEGIN caching
 <ifModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 5 seconds"
  ExpiresByType image/x-icon "access plus 604800 seconds"
  ExpiresByType image/jpeg "access plus 604800 seconds"
  ExpiresByType image/png "access plus 604800 seconds"
  ExpiresByType image/gif "access plus 604800 seconds"
  ExpiresByType image/svg+xml "access plus 604800 seconds"
  ExpiresByType text/css "access plus 604800 seconds"
  ExpiresByType text/javascript "access plus 216000 seconds"
  ExpiresByType application/javascript "access plus 216000 seconds"
  ExpiresByType application/x-javascript "access plus 216000 seconds"
  ExpiresByType text/html "access plus 600 seconds"
  ExpiresByType application/xhtml+xml "access plus 600 seconds"
 </ifModule>
 # END caching
	## Set security headers per https://observatory.mozilla.org
	Header set Strict-Transport-Security "max-age=15768000" env=HTTPS
	Header set Content-Security-Policy "frame-ancestors 'self'"
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Content-Type-Options "nosniff"

	## Add some rewrite rules per https://stackoverflow.com/a/13997498/266535
	RewriteEngine On

	## If https is missing, redirect to https (use 302 temp before trying 301 permanent)
	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	## If www is missing, redirect to www (use 302 temp before trying 301 permanent)
	RewriteCond %{HTTP_HOST} !^www\. [NC]
	RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

	## Return forbidden for secret.php file and halt rewrites
	RewriteRule secret\.php - [F,L]

	# BEGIN gzip
	<ifmodule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript text/javascript
	</ifmodule>
	# END gzip

	# BEGIN caching
	<ifModule mod_expires.c>
	ExpiresActive On
	ExpiresDefault "access plus 5 seconds"
	ExpiresByType image/x-icon "access plus 604800 seconds"
	ExpiresByType image/jpeg "access plus 604800 seconds"
	ExpiresByType image/png "access plus 604800 seconds"
	ExpiresByType image/gif "access plus 604800 seconds"
	ExpiresByType image/svg+xml "access plus 604800 seconds"
	ExpiresByType text/css "access plus 604800 seconds"
	ExpiresByType text/javascript "access plus 216000 seconds"
	ExpiresByType application/javascript "access plus 216000 seconds"
	ExpiresByType application/x-javascript "access plus 216000 seconds"
	ExpiresByType text/html "access plus 600 seconds"
	ExpiresByType application/xhtml+xml "access plus 600 seconds"
	</ifModule>
	# END caching