# NOTE(review): this listing is collapsed onto a few long lines; it is shown here one directive per line.
# Several directives below appear without an enclosing section such as <Files>, <FilesMatch>
# or <IfModule>. Those sections were presumably lost when the file was published.
# Confirm against the deployed file, since as listed the directives apply to the whole directory.

# Preventing access to .htaccess
# NOTE(review): no enclosing section is visible; unscoped, this denies every request.
Require all denied

# Preventing access to wrongly copied .conf files
# NOTE(review): same as above, the file-matching section is not visible in this listing.
Require all denied

# Redirecting HTTP traffic to HTTPS. (Keep commented on localhost !)
# This is handled by reverse-proxies, but it should still be enabled in production just to be safe.
# The target host is hard-coded rather than taken from the request, so a forged Host header
# cannot steer the redirect.
# [R] without a status code answers with a 302.
# NOTE(review): if the reverse proxy terminates TLS and forwards to this server on port 80,
# the condition would match every request and loop; confirm before enabling.
#RewriteEngine On
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://nibblepoker.lu/$1 [R,L]

# Fixing some encoding issues on non-HTML files.
# Mostly affects the old privacy policies written in French. (Accents have issues in non-utf8 encodings !)
AddCharset utf-8 .css .txt .js .md .ts .mjs
#
# Header set Content-Type "text/plain; charset=utf-8"
#
#AddDefaultCharset utf-8

# Adding MIME types
# These declarations matter for security as well as rendering: with "X-Content-Type-Options: nosniff"
# browsers refuse scripts and stylesheets whose declared type is wrong.
AddType text/typescript .ts
AddType text/javascript .js
AddType text/javascript .mjs
AddType application/wasm .wasm
AddType video/x-matroska .mkv
AddType text/css .css

# Special case for Plik
# NOTE(review): no enclosing section is visible; unscoped, this labels every response as CSS.
Header set Content-Type "text/css; charset=utf-8"

# Correcting some default options for security and language/content redirection.
# -Indexes turns off automatic directory listings and -ExecCGI turns off CGI execution.
# FollowSymlinks is also on since it's required for "mod_rewrite" and the server is jailed/containerized.
# (mod_rewrite in per-directory context also accepts SymLinksIfOwnerMatch.)
Options -Indexes +FollowSymlinks -ExecCGI

# Does nothing, thanks Apache...
# ServerSignature only controls the footer on server-generated pages. The "Server" response
# header is governed by ServerTokens, which is not allowed in .htaccess and has to be set in
# the main server configuration or stripped by the reverse proxy.
ServerSignature Off

# Serving minified pages and/or pre-rendered ones first if available.
DirectoryIndex index.min.html index.min.php index.php index.html

# Custom error pages.
# 403 and 404 share one page.
ErrorDocument 403 /error.php
ErrorDocument 404 /error.php

# Setting up browser's caching rules.
# See:
# * https://stackoverflow.com/a/13029007
# * https://www.a2hosting.com/kb/developer-corner/apache-web-server/turning-off-caching-using-htaccess
# NOTE(review): the three Cache-Control rules below appear without the sections that scope them
# to file types (presumably lost in this listing). Unscoped, only the last "Header set" takes effect.
# "public" allows shared caches (proxies, CDNs) to store the response.
# NOTE(review): confirm that no PHP page covered by the default rule emits visitor-specific content.

# Default: 12 hours
Header set Cache-Control "max-age=43200, public, must-revalidate"

# Static files: 1 Week
Header set Cache-Control "max-age=604800, public, must-revalidate"

# Semi-static files: 1 Day
Header set Cache-Control "max-age=86400, public, must-revalidate"

# Disabling some caching rules for debugging
#Header set Pragma "no-cache"
#Header set Expires 0

# Setting up GZIP.
# It's optional since reverse-proxies or caching layers will usually do it for us.
# These are mod_gzip directives; Apache 2.x ships mod_deflate instead.
# NOTE(review): no <IfModule> guard is visible in this listing. Without one, these lines are
# configuration errors on a server that does not load mod_gzip; confirm.
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|mjs|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

# Setting some headers for security.
# Will cause "fail-safe crashes" if the "headers" module isn't enabled.
# "always" also attaches the header to error responses, not only to successful ones.

# Forbids rendering the site inside any frame (clickjacking defence).
Header always set X-Frame-Options "deny"

# The CSP is currently disabled, so no script or resource source restrictions are in effect.
# Its "frame-ancestors 'none'" is the modern equivalent of X-Frame-Options, and
# "block-all-mixed-content" is obsolete next to "upgrade-insecure-requests".
# Header always set Content-Security-Policy "default-src 'self' files.nibblepoker.lu; img-src 'self' files.nibblepoker.lu data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"

# Legacy header: current browsers no longer ship the XSS filter it controls, and the usual
# guidance is to send "0" or to omit it and rely on a CSP.
# NOTE(review): the quoted value starts with a space.
Header always set X-XSS-Protection " 1; mode=block"

# Never sends a Referer header, including on same-site navigation.
Header always set Referrer-Policy "no-referrer"

# Makes browsers trust the declared Content-Type instead of guessing it.
Header always set X-Content-Type-Options "nosniff"

# One year of HSTS. Browsers only honour this header on HTTPS responses.
# "includeSubDomains" and "preload" commit every subdomain to HTTPS, and removal from
# browser preload lists is slow, so all subdomains must be able to serve TLS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
#Header always set Cache-Control "max-age=300, public"

# Lets any origin read every response from this directory.
# This is fine for public content served without credentials.
# Narrow it if any endpoint ever returns non-public data.
Header always set Access-Control-Allow-Origin "*"

# Opts out of the Topics API and its predecessor FLoC.
Header always set Permissions-Policy "browsing-topics=(), interest-cohort=()"

# Removing some headers since they often raise BS alarms about too much back-end info being sent to clients.
# Note: These headers can actually be removed by most reverse-proxies.
# Drops the back-end technology banner from responses.
# Without the "always" keyword, only the header table used for successful responses is edited.
# Setting "expose_php = Off" in php.ini removes the header at its source.
Header unset X-Powered-By

# Handling all other redirections.
# Will cause "fail-safe crashes" if the "rewrite" module isn't enabled.
RewriteEngine On

# Serving normal pages when a specific language key is at the beginning of the requested path.
# We use a regex to match all supported languages and use the 3rd group, `(.*)` as `$3`, as the "real" path.
# This is an internal rewrite (no [R] flag) to a path on this site, so the client-controlled
# remainder of the path cannot cause an external redirect.
# There is no [L] flag, so the rules below are still evaluated afterwards.
# [QSA] is redundant here because the substitution has no query string of its own.
RewriteRule ^((en|fr)/)(.*)$ /$3 [QSA]

# Handling requests for "robots.txt" and "sitemap.txt" via PHP.
# NOTE(review): the dots are unescaped and match any character, so a name such as
# "robots_txt" (constructed example) is also rewritten. Writing `\.` makes the match exact.
RewriteRule ^(en/|fr/)?robots.txt$ robots.php [L]
RewriteRule ^(en/|fr/)?sitemap.txt$ sitemap.php [L]