JamborJan · July 22, 2019 07:58
diff --git a/.htaccess b/.htaccess
 # # # # # # # # # # # # # # # # # # # # # # # # # #
 #
 # Content: .htaccess file with security settings
 # Author: Jan Jambor, XWare GmbH
 # Author URI: https://xwr.ch
 # Date: 20.07.2019
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # #


 # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Wordpress rewrites
 # # # # # # # # # # # # # # # # # # # # # # # # # #

 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 RewriteRule ^index\.php$ - [L]
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteRule . /index.php [L]
 </IfModule>

 # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Gzip compression
 # # # # # # # # # # # # # # # # # # # # # # # # # #
 SetOutputFilter DEFLATE
 AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml application/x-javascript application/x-httpd-php
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
 SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip

 # # # # # # # # # # # # # # # # # # # # # # # # # #
 # do not show the server version and X-Powered-By
 # # # # # # # # # # # # # # # # # # # # # # # # # #
 #ServerTokens Prod
 ServerSignature Off
 Header always unset "X-Powered-By"
 Header unset "X-Powered-By"

 # # # # # # # # # # # # # # # # # # # # # # # # # #
 # security stuff
 # # # # # # # # # # # # # # # # # # # # # # # # # #

 <IfModule mod_headers.c>

 # HSTS prevents attackers from tricking you into connecting via HTTP in the
 # future, but if you actually intend to access the server via non-SSL in the
 # future then you should probably delete this line.
 Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

 # you can tell the browser that it can only download content from the domains you explicitly allow
 # for examples see e.g. https://scotthelme.co.uk/content-security-policy-an-introduction/
 Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; frame-src 'self' https:; connect-src 'self' https: wss:; object-src 'self' "

 # X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
 # By preventing a browser from framing your site you can defend against attacks like clickjacking.
 # Recommended value: add_header X-Frame-Options "SAMEORIGIN";.
 Header always set X-Frame-Options "SAMEORIGIN"

 # X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
 # Recommended value "X-XSS-Protection: 1; mode=block".
 Header always set X-Xss-Protection "1; mode=block"

 # X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it
 # to stick with the declared content-type. This helps to reduce the danger of drive-by downloads.
 # Recommended value "X-Content-Type-Options: nosniff".
 Header always set X-Content-Type-Options "nosniff"

 # Referrer-Policy
 # Details see https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 Header always set Referrer-Policy "no-referrer"

 # Feature Policy
 # is a new header that allows a site to control which features and APIs can be used in the browser.
 # Details see https://scotthelme.co.uk/a-new-security-header-feature-policy/
 Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self';"

 </IfModule>

 # # # # # # # # # # # # # # # # # # # # # # # # # #
 # caching static content
 # # # # # # # # # # # # # # # # # # # # # # # # # #

 FileETag MTime Size
 <IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  <FilesMatch \.php$>
    # Do not allow PHP scripts to be cached unless they explicitly send cache
    # headers themselves. Otherwise all scripts would have to overwrite the
    # headers set by mod_expires if they want another caching behavior.
    ExpiresActive Off
  </FilesMatch>
 </IfModule>
	# # # # # # # # # # # # # # # # # # # # # # # # # #
	#
	# Content: .htaccess file with security settings
	# Author: Jan Jambor, XWare GmbH
	# Author URI: https://xwr.ch
	# Date: 20.07.2019
	#
	# # # # # # # # # # # # # # # # # # # # # # # # # #


	# # # # # # # # # # # # # # # # # # # # # # # # # #
	# Wordpress rewrites
	# # # # # # # # # # # # # # # # # # # # # # # # # #

	<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteRule ^index\.php$ - [L]
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
	</IfModule>

	# # # # # # # # # # # # # # # # # # # # # # # # # #
	# Gzip compression
	# # # # # # # # # # # # # # # # # # # # # # # # # #
	SetOutputFilter DEFLATE
	AddOutputFilterByType DEFLATE text/html text/css text/plain text/xml application/x-javascript application/x-httpd-php
	BrowserMatch ^Mozilla/4 gzip-only-text/html
	BrowserMatch ^Mozilla/4\.0[678] no-gzip
	BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
	BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
	SetEnvIfNoCase Request_URI \.(?:gif\|jpe?g\|png)$ no-gzip

	# # # # # # # # # # # # # # # # # # # # # # # # # #
	# do not show the server version and X-Powered-By
	# # # # # # # # # # # # # # # # # # # # # # # # # #
	#ServerTokens Prod
	ServerSignature Off
	Header always unset "X-Powered-By"
	Header unset "X-Powered-By"

	# # # # # # # # # # # # # # # # # # # # # # # # # #
	# security stuff
	# # # # # # # # # # # # # # # # # # # # # # # # # #

	<IfModule mod_headers.c>

	# HSTS prevents attackers from tricking you into connecting via HTTP in the
	# future, but if you actually intend to access the server via non-SSL in the
	# future then you should probably delete this line.
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

	# you can tell the browser that it can only download content from the domains you explicitly allow
	# for examples see e.g. https://scotthelme.co.uk/content-security-policy-an-introduction/
	Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' data: https:; frame-src 'self' https:; connect-src 'self' https: wss:; object-src 'self' "

	# X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
	# By preventing a browser from framing your site you can defend against attacks like clickjacking.
	# Recommended value: add_header X-Frame-Options "SAMEORIGIN";.
	Header always set X-Frame-Options "SAMEORIGIN"

	# X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
	# Recommended value "X-XSS-Protection: 1; mode=block".
	Header always set X-Xss-Protection "1; mode=block"

	# X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it
	# to stick with the declared content-type. This helps to reduce the danger of drive-by downloads.
	# Recommended value "X-Content-Type-Options: nosniff".
	Header always set X-Content-Type-Options "nosniff"

	# Referrer-Policy
	# Details see https://scotthelme.co.uk/a-new-security-header-referrer-policy/
	Header always set Referrer-Policy "no-referrer"

	# Feature Policy
	# is a new header that allows a site to control which features and APIs can be used in the browser.
	# Details see https://scotthelme.co.uk/a-new-security-header-feature-policy/
	Header always set Feature-Policy "microphone 'none'; payment 'none'; sync-xhr 'self';"

	</IfModule>

	# # # # # # # # # # # # # # # # # # # # # # # # # #
	# caching static content
	# # # # # # # # # # # # # # # # # # # # # # # # # #

	FileETag MTime Size
	<IfModule mod_expires.c>
	# Enable expirations.
	ExpiresActive On

	# Cache all files for 2 weeks after access (A).
	ExpiresDefault A1209600

	<FilesMatch \.php$>
	# Do not allow PHP scripts to be cached unless they explicitly send cache
	# headers themselves. Otherwise all scripts would have to overwrite the
	# headers set by mod_expires if they want another caching behavior.
	ExpiresActive Off
	</FilesMatch>
	</IfModule>