# Apache per-directory configuration (the file name is not shown on the page;
# the directives are .htaccess-style). It denies access to some resources, sets
# browser security headers, forces HTTPS, routes non-file requests to
# router.php, and configures compression and caching.
#
# NOTE(review): several directive groups below only make sense inside a
# container (<Files>/<FilesMatch>/<IfModule>), and no container lines are
# visible on this page; they appear to have been lost. Restore them before
# deploying. The affected groups are marked individually.

# --- Access denial (two groups) ---
# NOTE(review): at top level these two groups would deny every request, so they
# presumably sat inside two <Files>/<FilesMatch> sections whose patterns are not
# on the page, e.g. <FilesMatch "PLACEHOLDER_PATTERN"> ... </FilesMatch>.
# Order/Deny is the Apache 2.2 syntax; 2.4 serves it through mod_access_compat,
# and the native 2.4 form is "Require all denied".
Order allow,deny
Deny from all
Order allow,deny
Deny from all

# Disable auto-generated directory listings.
Options -Indexes

# Declare UTF-8 for text responses so browsers do not guess the encoding.
AddDefaultCharset UTF-8
AddCharset UTF-8 .html .css .js .json .xml .txt

# --- Security response headers ---
# "Header set" without the "always" condition is not applied to every
# server-generated error or redirect response; confirm that those responses
# carry the headers as well if that matters for this site.
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "strict-origin-when-cross-origin"
# One-year HSTS that also covers every subdomain: each subdomain must serve
# valid HTTPS before this is rolled out. Browsers ignore HSTS received over
# plain HTTP, so it only takes effect on HTTPS responses.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set Permissions-Policy "camera=(), microphone=(), geolocation=(self)"
# CSP: scripts are same-origin only (no inline script). style-src still allows
# 'unsafe-inline', and img-src allows data: and blob: URLs.
# frame-ancestors, base-uri and form-action do not fall back to default-src, so
# they are unrestricted here; framing is covered only by X-Frame-Options above.
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob:; connect-src 'self'"

# --- URL rewriting ---
RewriteEngine On
RewriteBase /
# Force HTTPS with a permanent redirect.
# %{HTTPS} reflects the connection Apache itself sees. If TLS is terminated on
# a proxy or load balancer in front of Apache this is always "off" and the
# rule loops, so the forwarded-protocol header would have to be tested instead.
# The target is built from the client-supplied Host header. On a catch-all
# virtual host, use a fixed canonical host name instead.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Leave api/ requests unrewritten.
RewriteRule ^api/ - [L]
# Serve any existing file or directory as-is. Every file under this directory
# that is not covered by a deny section is therefore directly retrievable
# (backups, dotfiles, config); what the two deny groups at the top cover is not
# visible on this page.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
# All SPA routes go through router.php
RewriteRule ^ /router.php [L]

# --- Compression ---
# Text-like types are deflated. Responses that mix secrets (tokens) with
# request-controlled data are exposed to compression side channels, so check
# whether the HTML/JSON responses here do that.
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
AddOutputFilterByType DEFLATE image/svg+xml application/font-woff2
# Skip formats that are already compressed.
SetEnvIfNoCase Request_URI "\.(jpg|jpeg|png|gif|webp|zip|gz|br|woff2)$" no-gzip

# --- Caching ---
# Static assets get a one-year lifetime. This is only safe if asset file names
# change with their content; otherwise clients keep running old CSS/JS,
# including after a security fix, until the cache entry expires.
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
ExpiresByType application/font-woff2 "access plus 1 year"
# HTML is never served from cache without revalidation.
ExpiresByType text/html "access plus 0 seconds"

# No-store cache headers (two groups).
# NOTE(review): at top level both groups apply to every response, with the later
# "Header set" overriding the earlier one, and they would cancel the one-year
# asset lifetimes above. They presumably sat inside two <FilesMatch> sections
# (patterns not on the page) for responses that must not be cached; restore them.
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "0"
Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
Header set Pragma "no-cache"
Header set Expires "0"