Files
monica/scripts/.htaccess_production
T
2021-06-22 18:37:38 +02:00

55 lines
1.9 KiB
Plaintext

<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews -Indexes
</IfModule>
RewriteEngine On
# Redirect to https
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,N]
<IfModule mod_headers.c>
# Activate HSTS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
Header always set Referrer-Policy "no-referrer"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Download-Options "noopen"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set X-Robots-Tag "none"
Header always set X-XSS-Protection "1; mode=block"
# Assets expire after 1 month
<filesMatch ".(css|js|json|woff2?|ttf|eot|svg)$">
Header set Cache-Control "public, max-age=2628000"
</filesMatch>
</IfModule>
# Handle Authorization Header
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Redirect .well-known urls (https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers)
RewriteCond %{REQUEST_URI} .well-known/carddav
RewriteRule ^ /dav/ [L,R=301,N]
RewriteCond %{REQUEST_URI} .well-known/caldav
RewriteRule ^ /dav/ [L,R=301,N]
RewriteCond %{REQUEST_URI} .well-known/security.txt
RewriteRule ^ /security.txt [L,R=301,N]
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !dav/*
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>