AddDefaultCharset UTF-8

############################# REWRITE AND REDIRECTION #############################
RewriteEngine on
RewriteBase /

# Force non-www
RewriteCond %{HTTP_HOST} ^www\.
RewriteCond %{HTTPS}s ^on(s)|off
RewriteCond http%1://%{HTTP_HOST} ^(https?://)(www\.)?(.+)$
RewriteRule ^ %1%3%{REQUEST_URI} [L,R=301]

# Force HTTPS
#RewriteCond %{HTTPS} !on
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

# Remove Trailing Slash
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Router
RewriteCond %{REQUEST_FILENAME} .php$ [OR]
RewriteCond %{REQUEST_FILENAME} !-f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.*)$ index.php [L,QSA]

############################# SECURITY #############################
# Deny Access to Hidden Files and Directories
#RedirectMatch 404 /\..*$

# Deny Access to Backup and Source Files
<FilesMatch "(\.(bin|bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
  ## Apache 2.2
  Order allow,deny
  Deny from all
  Satisfy All

  ## Apache 2.4
  # Require all denied
</FilesMatch>

# Disable Directory Browsing
Options -Indexes

# Set secutiry headers
<IfModule mod_headers.c>
  Header set Referrer-Policy "same-origin"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options "nosniff"
  Header set Content-Security-Policy "frame-ancestors 'self'"
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

############################# PERFORMANCE #############################
# Compress Text Files
<IfModule mod_deflate.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>

  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE application/atom+xml \
                                  application/javascript \
                                  application/json \
                                  application/rss+xml \
                                  application/vnd.ms-fontobject \
                                  application/x-font-ttf \
                                  application/x-web-app-manifest+json \
                                  application/xhtml+xml \
                                  application/xml \
                                  font/opentype \
                                  image/svg+xml \
                                  image/x-icon \
                                  text/css \
                                  text/html \
                                  text/plain \
                                  text/x-component \
                                  text/xml
  </IfModule>
</IfModule>

# Set Expires Headers
<IfModule mod_expires.c>
  ExpiresActive on
  ExpiresDefault "access plus 1 month"
  ExpiresByType application/json "access plus 0 seconds"
  ExpiresByType application/xml "access plus 0 seconds"
  ExpiresByType text/xml "access plus 0 seconds"
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
  ExpiresByType text/cache-manifest "access plus 0 seconds"
  ExpiresByType application/rss+xml "access plus 1 hour"
</IfModule>

############################# MISCELLANEOUS #############################
# Allow Cross-Domain Fonts
<IfModule mod_headers.c>
  <FilesMatch "\.(eot|otf|ttc|ttf|woff|woff2)$">
    Header set Access-Control-Allow-Origin "*"
  </FilesMatch>
</IfModule>
