########################################################################
# OPTIMAL .htaccess FILE FOR SPEED AND SECURITY @Version 2.0.8 - 02/2023
# ----------------------------------------------------------------------
# @Author: Andreas Hecht
# @Author URI: https://seoagentur-hamburg.com
# @CoAuthor URI: https://belebsoftware.com
# @Programming LOG: https://plus23.org
# License: GNU General Public License v2 or later
# License URI: http://www.gnu.org/licenses/gpl-2.0.html
########################################################################

 # ----------------------------------------------------------
# PLUS23 no access to plus23_log.php
# ----------------------------------------------------------
<files plus23_log.php>
 Require all granted
</Files>
# ----------------------------------------------------------
# PLUS23 disallow folder and file scanning
# ----------------------------------------------------------
ServerSignature Off
RewriteEngine On
IndexIgnore *
Options -Indexes
ErrorDocument 403 /plus23_log.php

# END 

# ----------------------------------------------------------------------
# Rewrite from HTTP to HTTPS - if you want to use it, comment it out
# ----------------------------------------------------------------------

#<IfModule mod_rewrite.c>
#RewriteEngine On
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#</IfModule>

# ----------------------------------------------------------------------
# | Activate CORS                                                  
# ----------------------------------------------------------------------

<IfModule mod_headers.c>
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|mjs|gif|png|jpe?g|svg|svgz|ico|webp)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# -----------------------------------------------------------------------
# | 404 Fix: Block Nuisance Requests for Non-Existent Files - New in 2018  
#   https://perishablepress.com/block-nuisance-requests - @Update 2019
# -----------------------------------------------------------------------

<IfModule mod_alias.c>
	RedirectMatch 403 (?i)\.php\.suspected
	RedirectMatch 403 (?i)apple-app-site-association
	RedirectMatch 403 (?i)/autodiscover/autodiscover.xml
</IfModule>

# ----------------------------------------------------------------------
# | Compressing and Caching - Version 2022 Update javascript modules                |
# ----------------------------------------------------------------------

# Serve resources with far-future expires headers.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://httpd.apache.org/docs/current/mod/mod_expires.html

<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"

  # CSS
    ExpiresByType text/css                              "access plus 1 year"

  # Data interchange
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"

    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"

  # Favicon (cannot be renamed!) and cursor images
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"

  # HTML - No Caching
    ExpiresByType text/html                             "access plus 0 seconds"

  # JavaScript
    ExpiresByType application/javascript                "access plus 1 year"
    ExpiresByType application/x-javascript              "access plus 1 year"
    ExpiresByType text/javascript                       "access plus 1 year"

  # Manifest files
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"
    
# Update 2020: Google recommendation: cache duration increased to 1 year
# @see: https://web.dev/uses-long-cache-ttl/    

  # Media files
    ExpiresByType audio/ogg                             "access plus 1 year"
    ExpiresByType image/bmp                             "access plus 1 year"
    ExpiresByType image/gif                             "access plus 1 year"
    ExpiresByType image/jpeg                            "access plus 1 year"
    ExpiresByType image/png                             "access plus 1 year"
    ExpiresByType image/svg+xml                         "access plus 1 year"
    ExpiresByType image/webp                            "access plus 1 year"
    ExpiresByType video/mp4                             "access plus 1 year"
    ExpiresByType video/ogg                             "access plus 1 year"
    ExpiresByType video/webm                            "access plus 1 year"

  # Web fonts

    # Embedded OpenType (EOT)
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 year"
    ExpiresByType font/eot                              "access plus 1 year"

    # OpenType
    ExpiresByType font/opentype                         "access plus 1 year"

    # TrueType
    ExpiresByType application/x-font-ttf                "access plus 1 year"

    # Web Open Font Format (WOFF) 1.0
    ExpiresByType application/font-woff                 "access plus 1 year"
    ExpiresByType application/x-font-woff               "access plus 1 year"
    ExpiresByType font/woff                             "access plus 1 year"

    # Web Open Font Format (WOFF) 2.0
    ExpiresByType application/font-woff2                "access plus 1 year"

  # Other
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>

<IfModule mod_deflate.c>
# Insert filters / compress text, html, javascript, css, xml:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/vtt 
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/js
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/atom+xml 
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/ld+json 
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject 
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/font-woff2
AddOutputFilterByType DEFLATE application/x-font-woff
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json font/woff
AddOutputFilterByType DEFLATE font/woff 
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon 

# Exception: Images
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary

# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

#Alternative caching using Apache's "mod_headers", if it's installed.
#Caching of common files - ENABLED
<IfModule mod_headers.c>
<FilesMatch "\.(ico|pdf|flv|swf|js|mjs|css|gif|png|jpg|jpeg|txt|woff2|woff)$">
Header set Cache-Control "max-age=31536000, public"
</FilesMatch>
</IfModule>

<IfModule mod_headers.c>
  <FilesMatch "\.(js|mjs|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>
</IfModule>

# Set Keep Alive Header
<IfModule mod_headers.c>
    Header set Connection keep-alive
</IfModule>

# If your server don't support ETags deactivate with "None" (and remove header)
<IfModule mod_expires.c> 
  <IfModule mod_headers.c> 
    Header unset ETag 
  </IfModule> 
  FileETag None 
</IfModule>

<IfModule mod_headers.c>
<FilesMatch ".(js|mjs|css|xml|gz|html|woff|woff2|ttf)$">
Header append Vary: Accept-Encoding
</FilesMatch>
</IfModule>



# ----------------------------------------------------------------------
#   Block WordPress files from outside access
# ----------------------------------------------------------------------	

# No access to the install.php
<files install.php>
Order allow,deny
Deny from all
</files>
 
# No access to the wp-config.php 
<files wp-config.php>
Order allow,deny
Deny from all
</files>
 
# No access to the readme.html
<files readme.html>
 Order Allow,Deny
 Deny from all
 Satisfy all
</Files>
 
# No access to the liesmich.html for DE Edition
<Files liesmich.html>
 Order Allow,Deny
 Deny from all
 Satisfy all
</Files>
 
# No error log access 
<files error_log>
Order allow,deny
Deny from all
</files>

#No access to the .htaccess und .htpasswd
<FilesMatch "(\.htaccess|\.htpasswd)">
  Order deny,allow
  Deny from all
</FilesMatch>

# Block access to includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# ----------------------------------------------------------------------
# | Blocking the »ReallyLongRequest« Bandit - New in 2018  
#   https://perishablepress.com/blocking-reallylongrequest-bandit/
# ----------------------------------------------------------------------

<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} .* [NC]
    RewriteCond %{THE_REQUEST}  (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC,OR]
    RewriteCond %{QUERY_STRING} (YesThisIsAReallyLongRequest|ScanningForResearchPurpose) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# --------------------------------------------------------------------------------------------
#   Ultimate hotlink protection - IMPORTANT: Change »?domain\« in line 361 to your domain name
#   Example: ?andreas-hecht\ ### if you do not use https, change https in line 361 to http
# --------------------------------------------------------------------------------------------


#<IfModule mod_rewrite.c>
# RewriteEngine on
# RewriteCond %{HTTP_REFERER}     !^$
# RewriteCond %{REQUEST_FILENAME} -f
# RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$           [NC]
# RewriteCond %{HTTP_REFERER}     !^https?://([^.]+\.)?domain\. [NC]
# RewriteRule \.(gif|jpe?g?|png)$                             - [F,NC,L]
#</ifModule>

# ----------------------------------------------------------------------
#   Block WordPress Author Scans
# ----------------------------------------------------------------------

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/wp-json/wp/v2/users [OR]
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule ^ – [NC,F,L]
</ifModule>

# ----------------------------------------------------------------------
#   Protect your WordPress Login with HTTP Authentification
# ----------------------------------------------------------------------

# If you want to use it, comment it out and set your path to .htpasswd
#<Files wp-login.php>
#AuthName "Admin-Bereich"
#AuthType Basic
#AuthUserFile /usr/local/www/apache24/your-path/your-domain.com/.htpasswd 
#require valid-user
#</Files>

# ----------------------------------------------------------------------
#   Switch off the security risk XML-RPC interface completely
# ----------------------------------------------------------------------

### @see https://digwp.com/2009/06/xmlrpc-php-security/

<Files xmlrpc.php>
 Order Deny,Allow
 Deny from all
</Files>


# -----------------------------------------------------------------------------
#  HTTP SECURITY HEADER | Test on: https://securityheaders.com | UPDATE 05/2022
# -----------------------------------------------------------------------------

### @see https://scotthelme.co.uk/hardening-your-http-response-headers
### UPDATE 2022

## No-Referrer-Header
<IfModule mod_headers.c>
    Header set Referrer-Policy "no-referrer"
</IfModule>

## Strict Origin when cross origin Header
#@see https://scotthelme.co.uk/a-new-security-header-referrer-policy/
<IfModule mod_headers.c>
Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

## X-FRAME-OPTIONS-Header
<IfModule mod_headers.c>
    Header set X-Frame-Options "sameorigin"
</IfModule>

## X-XSS-PROTECTION-Header
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>

## X-Content-Type-Options-Header
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
</IfModule>

## Strict-Transport-Security-Header - for HTTPS
<IfModule mod_headers.c>
   Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>


# Upgrade Insecure Requests to prevent mixed content
<ifModule mod_headers.c>
  Header always set Content-Security-Policy "upgrade-insecure-requests"
</IfModule>

# Permissions Policy is a new header that allows a site to control which features and APIs can be used in the browser.
## Tutorial: https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
<IfModule mod_headers.c>
Header always set Permissions-Policy "geolocation=(), midi=(),sync-xhr=(),accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
</IfModule>

# ----------------------------------------------------------------------
# The original WordPress Rewrite Rules - Do not change anything here, 
# except you are using a WordPress Multisite
# ----------------------------------------------------------------------

# BEGIN WordPress.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress