Options -Indexes ServerSignature Off # ── Block sensitive files ──────────────────────────────── Order allow,deny Deny from all # ── Block direct access to includes ────────────────────── RewriteEngine On RewriteRule ^includes/ - [F,L] # ── Security headers ────────────────────────────────────── Header always set X-Content-Type-Options "nosniff" Header always set X-Frame-Options "SAMEORIGIN" Header always set X-XSS-Protection "1; mode=block" Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" # ── Canonical HTTPS redirect ────────────────────────────── RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # Remove www (pick one: www or non-www, use non-www) RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L] # ── Gzip compression ────────────────────────────────────── AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml # ── Browser caching ─────────────────────────────────────── ExpiresActive On ExpiresByType text/html "access plus 1 hour" ExpiresByType text/css "access plus 1 month" ExpiresByType application/javascript "access plus 1 month" ExpiresByType image/svg+xml "access plus 1 month" ExpiresByType image/png "access plus 1 month" ExpiresByType image/jpeg "access plus 1 month" ExpiresByType image/webp "access plus 1 month" ExpiresByType application/json "access plus 1 day" # ── LiteSpeed cache rules ───────────────────────────────── CacheEnable public /assets/ CacheEnable public /manifest.json CacheEnable public /sitemap.xml CacheEnable public /robots.txt