.htaccess

## Redirect Example
# Redirect 301 /old-path /new-path

# Force HTTPS and WWW Example
<IfModule mod_rewrite.c>
  ## Force HTTPS
	# RewriteCond %{HTTPS} off
	# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  
  ## Force WWW
	# RewriteCond %{HTTP_HOST} !^www\. [NC]
	# RewriteRule (.*) https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

############################################

# Kirby .htaccess
# revision 2023-07-22

# rewrite rules
<IfModule mod_rewrite.c>

# enable awesome urls. i.e.:
# http://yourdomain.com/about-us/team
RewriteEngine on

# make sure to set the RewriteBase correctly
# if you are running the site in a subfolder;
# otherwise links or the entire site will break.
#
# If your homepage is http://yourdomain.com/mysite,
# set the RewriteBase to:
#
# RewriteBase /mysite

# In some environments it's necessary to
# set the RewriteBase to:
#
# RewriteBase /

# block files and folders beginning with a dot, such as .git
# except for the .well-known folder, which is used for Let's Encrypt and security.txt
RewriteRule (^|/)\.(?!well-known\/) index.php [L]

# block all files in the content folder from being accessed directly
RewriteRule ^content/(.*) index.php [L]

# block all files in the site folder from being accessed directly
RewriteRule ^site/(.*) index.php [L]

# block direct access to Kirby and the Panel sources
RewriteRule ^kirby/(.*) index.php [L]

# make site links work
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php [L]

</IfModule>

# pass the Authorization header to PHP
SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1

# compress text file responses
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE application/json
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

# set security headers in all responses
<IfModule mod_headers.c>

# serve files as plain text if the actual content type is not known
# (hardens against attacks from malicious file uploads)
Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"
Header set X-Content-Type-Options "nosniff"

</IfModule>

############################################

# Kirby Bucket 
# Additional .htaccess configurations

# Additional configuration for HTTP security
Header set Content-Security-Policy "frame-ancestors 'self'; base-uri 'self'; form-action 'self';"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Xss-Protection "1; mode=block"
Header set Referrer-Policy "no-referrer"

# Additional configuration for HTTP compression
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/vtt
AddOutputFilterByType DEFLATE text/x-component
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/atom+xml
AddOutputFilterByType DEFLATE application/ld+json
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/font-woff2
AddOutputFilterByType DEFLATE application/x-font-woff
AddOutputFilterByType DEFLATE application/x-web-app-manifest+json
AddOutputFilterByType DEFLATE font/woff
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon

# Exception: Images
SetEnvIfNoCase REQUEST_URI \.(?:gif|jpg|jpeg|png|svg)$ no-gzip dont-vary

# Drop problematic browsers
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies don't deliver the wrong content
Header append Vary User-Agent env=!dont-vary
</IfModule>

# Additional configuration for HTTP caching
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault                                      "access plus 1 month"

# CSS
ExpiresByType text/css                              "access plus 1 year"

# Data interchange
ExpiresByType application/atom+xml                  "access plus 1 hour"
ExpiresByType application/rdf+xml                   "access plus 1 hour"
ExpiresByType application/rss+xml                   "access plus 1 hour"

ExpiresByType application/json                      "access plus 0 seconds"
ExpiresByType application/ld+json                   "access plus 0 seconds"
ExpiresByType application/schema+json               "access plus 0 seconds"
ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
ExpiresByType application/xml                       "access plus 0 seconds"
ExpiresByType text/xml                              "access plus 0 seconds"

# Favicon (cannot be renamed!) and cursor images
ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
ExpiresByType image/x-icon                          "access plus 1 week"

# HTML - Behält die Website eine Stunde im Cache, neues wird erst nach Ablauf einer Stunde
# angezeigt. Wenn nicht gewuenscht, bei 3600 eine Null eintragen
ExpiresByType text/html                             "access plus 3600 seconds"

# JavaScript
ExpiresByType application/javascript                "access plus 1 year"
ExpiresByType application/x-javascript              "access plus 1 year"
ExpiresByType text/javascript                       "access plus 1 year"

# Manifest files
ExpiresByType application/manifest+json             "access plus 1 week"
ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
ExpiresByType text/cache-manifest                   "access plus 0 seconds"

# Media files
ExpiresByType audio/ogg                             "access plus 4 month"
ExpiresByType image/bmp                             "access plus 4 month"
ExpiresByType image/gif                             "access plus 4 month"
ExpiresByType image/jpeg                            "access plus 4 month"
ExpiresByType image/png                             "access plus 4 month"
ExpiresByType image/svg+xml                         "access plus 4 month"
ExpiresByType image/webp                            "access plus 4 month"
ExpiresByType video/mp4                             "access plus 4 month"
ExpiresByType video/ogg                             "access plus 4 month"
ExpiresByType video/webm                            "access plus 4 month"

# Web fonts

# Embedded OpenType (EOT)
ExpiresByType application/vnd.ms-fontobject         "access plus 1 year"
ExpiresByType font/eot                              "access plus 1 year"

# OpenType
ExpiresByType font/opentype                         "access plus 1 year"

# TrueType
ExpiresByType application/x-font-ttf                "access plus 1 year"

# Web Open Font Format (WOFF) 1.0
ExpiresByType application/font-woff                 "access plus 1 year"
ExpiresByType application/x-font-woff               "access plus 1 year"
ExpiresByType font/woff                             "access plus 1 year"

# Web Open Font Format (WOFF) 2.0
ExpiresByType application/font-woff2                "access plus 1 year"
ExpiresByType font/woff2                            "access plus 1 year"

# Other
ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>