Setup — .HTACCESS and Security Headers

What to do?

  1. Enable Force HTTPS in cPanel –> select the domain –> go to Domains
  2. Add the Security Headers code to the .htaccess file on the server
  3. Test HSTS via https://hstspreload.org/
  4. Set a Content-Security-Policy header only if you know what you are doing (none is included below)

 

# ----------------------------------------------------------------------
# PHP - Set limits
# ----------------------------------------------------------------------
# php_value is a directive registered by the PHP Apache module (mod_php / mod_lsapi).
# NOTE(review): if PHP runs as FPM/CGI on this host, Apache does not know the
# directive and the whole .htaccess fails with a 500 — confirm the PHP handler.
# Upload/post limits bound what an authenticated uploader can push through the
# WordPress media and plugin endpoints; keep them as small as the site needs.
php_value upload_max_filesize 16M
php_value post_max_size 16M
# Seconds allowed for reading request input and for running a script.
php_value max_input_time 300
php_value max_execution_time 300
# Cap on input variables (GET/POST/cookie) accepted per request.
php_value max_input_vars 8000
# NOTE(review): 368M is an unusual figure — presumably meant as 256M or 384M; confirm.
php_value memory_limit 368M

# ----------------------------------------------------------------------
# CACHE - Adding cache control headers
# ----------------------------------------------------------------------
<IfModule mod_headers.c>
	# Static images and stylesheets: any cache, shared or private, may store them.
	<FilesMatch "\.(ico|jpe?g|png|gif|swf|css)$">
		Header set Cache-Control "public"
	</FilesMatch>
	# Scripts: browser cache only, not shared proxy caches.
	<FilesMatch "\.(js)$">
		Header set Cache-Control "private"
	</FilesMatch>
	# HTML and PHP output: treated as per-user content, stored privately and
	# revalidated before reuse.
	<FilesMatch "\.(x?html?|php)$">
		Header set Cache-Control "private, must-revalidate"
	</FilesMatch>
	# NOTE(review): "Header set" replaces the whole Cache-Control value, so the
	# max-age that mod_expires adds for the same file may be overwritten
	# depending on filter order; "Header merge" would keep it — confirm on a
	# live response.
</IfModule>


# ----------------------------------------------------------------------
# CACHE - Expires
# ----------------------------------------------------------------------
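<IfModule mod_expires.c>
	ExpiresActive On
	# One-year lifetimes assume the URL changes when the content changes
	# (WordPress normally appends ?ver= to its own CSS/JS); without that,
	# clients keep a stale — possibly vulnerable — script for up to a year.
	# text/html is deliberately not listed so pages are never cached this long.

	# Images (image/avif added: the ShortPixel rules further down serve .avif
	# with T=image/avif, so it should be cached like webp)
	ExpiresByType image/jpeg "access plus 1 year"
	ExpiresByType image/gif "access plus 1 year"
	ExpiresByType image/png "access plus 1 year"
	ExpiresByType image/webp "access plus 1 year"
	ExpiresByType image/avif "access plus 1 year"
	ExpiresByType image/svg+xml "access plus 1 year"
	ExpiresByType image/x-icon "access plus 1 year"

	# Video / audio (the duplicated video/webm entry was removed)
	ExpiresByType video/webm "access plus 1 year"
	ExpiresByType video/mp4 "access plus 1 year"
	ExpiresByType video/mpeg "access plus 1 year"
	ExpiresByType video/ogg "access plus 1 year"
	ExpiresByType audio/ogg "access plus 1 year"
	# Apache's default mime.types serves .mp3 as audio/mpeg, so that type is
	# added; audio/mp3 is kept for hosts that map the extension differently.
	ExpiresByType audio/mpeg "access plus 1 year"
	ExpiresByType audio/mp3 "access plus 1 year"

	# Fonts
	ExpiresByType font/ttf "access plus 1 year"
	ExpiresByType font/otf "access plus 1 year"
	ExpiresByType font/woff "access plus 1 year"
	ExpiresByType font/woff2 "access plus 1 year"
	ExpiresByType application/font-woff "access plus 1 year"

	# CSS, JavaScript
	ExpiresByType text/css "access plus 1 year"
	ExpiresByType text/javascript "access plus 1 year"
	ExpiresByType application/javascript "access plus 1 year"

	# Others
	ExpiresByType application/pdf "access plus 1 year"
	ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
</IfModule>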

# ----------------------------------------------------------------------
# CACHE - Disable Etag
# ----------------------------------------------------------------------
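<IfModule mod_headers.c>
	# Belt-and-braces with "FileETag None" below: strip any ETag that another
	# layer still emits, so conditional requests rely on Last-Modified only.
	Header unset Etag
	# "Header set Connection keep-alive" was removed here: Connection is a
	# hop-by-hop header that Apache's KeepAlive settings already manage.
	# Forcing it yields a duplicated or contradictory value when keep-alive is
	# off, and the header is not permitted at all under HTTP/2.
</IfModule>
# Do not generate ETags at all. Default ETags differ per server behind a load
# balancer (defeating caching), and older defaults embedded the file's inode.
FileETag None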

# ----------------------------------------------------------------------
# WP Security - Security HEADERS
# ----------------------------------------------------------------------
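<IfModule mod_headers.c>
	# HSTS: two years, all subdomains, eligible for the browser preload list.
	# env=HTTPS keeps the header off plain-HTTP responses, as the spec requires.
	# NOTE(review): "preload" is effectively irreversible and "includeSubDomains"
	# forces TLS on every subdomain (mail, cpanel, staging ...); confirm they all
	# serve valid certificates before submitting to hstspreload.org. Behind a
	# TLS-terminating proxy the HTTPS variable may not be set — verify that the
	# header is actually emitted on the live site.
	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
	# The legacy XSS auditor no longer exists in current browsers, and in the
	# ones that still have it "1; mode=block" could itself be abused to break
	# pages or leak information; current guidance is to disable it explicitly.
	Header always set X-XSS-Protection "0"
	# Stop browsers from MIME-sniffing a response into a script or stylesheet.
	Header always set X-Content-Type-Options "nosniff"
	# With this value the full URL is still sent to cross-origin HTTPS
	# destinations; "strict-origin-when-cross-origin" (the current browser
	# default) would send only the origin.
	Header always set Referrer-Policy "no-referrer-when-downgrade"
	# Each listed browser feature is limited to same-origin documents/frames.
	Header always set Permissions-Policy "accelerometer=(self), autoplay=(self), camera=(self), encrypted-media=(self), fullscreen=(self), gyroscope=(self), magnetometer=(self), microphone=(self), midi=(self), payment=(self), picture-in-picture=(self)"
	# Expect-CT is obsolete (Certificate Transparency is enforced by default
	# now); left in place only because browsers simply ignore it.
	Header always set Expect-CT "max-age=7776000, enforce"
	# Clickjacking protection for browsers without CSP frame-ancestors support.
	# No Content-Security-Policy is set in this file (see the setup notes).
	Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>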

# ----------------------------------------------------------------------
# WP Security - Disable directory browsing
# ----------------------------------------------------------------------
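# "Options All" (the previous value) switches on every option except MultiViews
# — including ExecCGI and Includes — for the whole tree, which widens what an
# uploaded file can do. State only what this file needs: no directory listings,
# plus FollowSymLinks because RewriteRule in a per-directory context requires it.
Options -Indexes +FollowSymLinks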

# ----------------------------------------------------------------------
# WP Security - Secure file: wp-config.php
# ----------------------------------------------------------------------
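# Deny every HTTP request for wp-config.php (database credentials and salts).
# PHP reads the file from disk, so blocking web access costs nothing, and it
# prevents a misconfigured PHP handler from returning it as plain text.
<Files wp-config.php>
	# Apache 2.4 may run without mod_access_compat, in which case Order/Deny are
	# unknown directives and the whole .htaccess fails with a 500. Use whichever
	# authorization syntax the server actually provides.
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</Files>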

# ----------------------------------------------------------------------
# WP Security - Block WordPress xmlrpc.php requests
# ----------------------------------------------------------------------
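# Block XML-RPC entirely: it is a common target for credential stuffing
# (system.multicall batches many login attempts into one request) and pingback
# abuse. NOTE(review): Jetpack and the WordPress mobile apps need this endpoint;
# allow-list their source addresses instead if they are in use.
<Files xmlrpc.php>
	# Same dual syntax as for wp-config.php: Require on 2.4, Order/Deny where
	# only the 2.2-style access control is available.
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order allow,deny
		Deny from all
	</IfModule>
</Files>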



# BEGIN ShortPixelWebp
# The directives (rules) between "BEGIN ShortPixelWebp" and "END ShortPixelWebp" are
# generated dynamically and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
# NOTE(review): because the plugin regenerates this block, the observations below
# are for the plugin/theme maintainer rather than for hand-editing here.

<IfModule mod_rewrite.c>
	RewriteEngine On
##### Directives for delivering AVIF files, if they exist #####
# Does the browser support avif?
	RewriteCond %{HTTP_ACCEPT} image/avif
# AND is the request a jpg or png? (also grab the basepath %1 to match in the next rule)
	RewriteCond %{REQUEST_URI} ^(.+)\.(?:jpe?g|png|gif)$
# AND does a .avif image exist?
	RewriteCond %{DOCUMENT_ROOT}/%1.avif -f
# THEN send the avif image and set the env var avif
# NOTE(review): the condition above also accepts .gif, but this rule rewrites
# only jpg/png, so a .gif with an .avif sibling passes the checks yet is served as-is.
	RewriteRule (.+)\.(?:jpe?g|png)$ $1.avif [NC,T=image/avif,E=avif,L]
	
# Does the browser support avif?
	RewriteCond %{HTTP_ACCEPT} image/avif
# AND is the request a jpg or png? (also grab the basepath %1 to match in the next rule)
	RewriteCond %{REQUEST_URI} ^(.+)\.(?:jpe?g|png|gif)$
# AND does a .jpg.avif image exist?
	RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI}.avif -f
# THEN send the avif image and set the env var avif
	RewriteRule ^(.+)$ $1.avif [NC,T=image/avif,E=avif,L]
	
</IfModule>
<IfModule mod_headers.c>
# If REDIRECT_avif env var exists, append Accept to the Vary header
# (the E=avif variable set before the internal redirect reappears as REDIRECT_avif)
	Header append Vary Accept env=REDIRECT_avif
</IfModule>
<IfModule mod_mime.c>
	AddType image/avif .avif
</IfModule>

<IfModule mod_rewrite.c>
	RewriteEngine On
##### TRY FIRST the file appended with .webp (ex. test.jpg.webp) #####
# Is the browser Chrome?
	RewriteCond %{HTTP_USER_AGENT} Chrome [OR]
# OR Is request from Page Speed
	RewriteCond %{HTTP_USER_AGENT} "Google Page Speed Insights" [OR]
# OR does this browser explicitly support webp
	RewriteCond %{HTTP_ACCEPT} image/webp
# AND NOT MS EDGE 42/17 - doesnt work.
	RewriteCond %{HTTP_USER_AGENT} !Edge/17
# AND is the request a jpg, png or gif?
	RewriteCond %{REQUEST_URI} ^(.+)\.(?:jpe?g|png|gif)$
# AND does a .ext.webp image exist?
	RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI}.webp -f
# THEN send the webp image and set the env var webp
	RewriteRule ^(.+)$ $1.webp [NC,T=image/webp,E=webp,L]
##### IF NOT, try the file with replaced extension (test.webp) #####
	RewriteCond %{HTTP_USER_AGENT} Chrome [OR]
	RewriteCond %{HTTP_USER_AGENT} "Google Page Speed Insights" [OR]
	RewriteCond %{HTTP_ACCEPT} image/webp
	RewriteCond %{HTTP_USER_AGENT} !Edge/17
# AND is the request a jpg, png or gif? (also grab the basepath %1 to match in the next rule)
	RewriteCond %{REQUEST_URI} ^(.+)\.(?:jpe?g|png|gif)$
# AND does a .webp image exist?
	RewriteCond %{DOCUMENT_ROOT}/%1.webp -f
# THEN send the webp image and set the env var webp
	RewriteRule (.+)\.(?:jpe?g|png|gif)$ $1.webp [NC,T=image/webp,E=webp,L]
</IfModule>
<IfModule mod_headers.c>
# If REDIRECT_webp env var exists, append Accept to the Vary header
# NOTE(review): the webp decision above also depends on User-Agent (the Chrome,
# Page Speed and !Edge/17 conditions), yet only "Vary: Accept" is added; a shared
# cache keyed on Accept alone could hand a webp body to a client whose Accept
# header does not list it.
	Header append Vary Accept env=REDIRECT_webp
</IfModule>
<IfModule mod_mime.c>
	AddType image/webp .webp
</IfModule>

# END ShortPixelWebp

# BEGIN WP-Optimize Gzip compression
# (plugin-generated block; notes below are for whoever maintains the plugin config)
<IfModule mod_filter.c>
	<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
# Register font/SVG types so the DEFLATE filters below can match on them.
# NOTE(review): font/x-woff is a legacy name — the registered type is font/woff,
# which is also what the Expires section above lists, so .woff files typed here
# will not pick up that Expires rule.
		AddType application/vnd.ms-fontobject .eot
		AddType font/ttf .ttf
		AddType font/otf .otf
		AddType font/x-woff .woff
		AddType image/svg+xml .svg
		
		AddOutputFilterByType DEFLATE application/javascript
		AddOutputFilterByType DEFLATE application/rss+xml
		AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
		AddOutputFilterByType DEFLATE application/x-font
		AddOutputFilterByType DEFLATE application/x-font-opentype
		AddOutputFilterByType DEFLATE application/x-font-otf
		AddOutputFilterByType DEFLATE application/x-font-truetype
		AddOutputFilterByType DEFLATE application/x-font-ttf
		AddOutputFilterByType DEFLATE application/x-font-woff
		AddOutputFilterByType DEFLATE application/x-javascript
		AddOutputFilterByType DEFLATE application/xhtml+xml
		AddOutputFilterByType DEFLATE application/xml
		AddOutputFilterByType DEFLATE font/opentype
		AddOutputFilterByType DEFLATE font/otf
		AddOutputFilterByType DEFLATE font/ttf
		AddOutputFilterByType DEFLATE font/woff
		AddOutputFilterByType DEFLATE image/svg+xml
		AddOutputFilterByType DEFLATE image/x-icon
		AddOutputFilterByType DEFLATE text/css
# NOTE(review): compressing text/html over TLS exposes pages that mix a secret
# (WordPress nonces, CSRF tokens) with attacker-influenced input to BREACH-style
# length oracles; worth weighing when deciding which types to compress.
		AddOutputFilterByType DEFLATE text/html
		AddOutputFilterByType DEFLATE text/javascript
		AddOutputFilterByType DEFLATE text/plain
		AddOutputFilterByType DEFLATE text/xml
		
# Remove browser bugs (only needed for really old browsers)
# Netscape 4.x gets HTML-only compression, 4.06-4.08 none; the MSIE line undoes
# both for IE, whose User-Agent also starts with "Mozilla/4".
		BrowserMatch ^Mozilla/4 gzip-only-text/html
		BrowserMatch ^Mozilla/4\.0[678] no-gzip
		BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
		<IfModule mod_headers.c>
# Because compression now depends on the User-Agent, caches must key on it too.
			Header append Vary User-Agent
		</IfModule>
	</IfModule>
</IfModule>
# END WP-Optimize Gzip compression

# BEGIN WordPress
# (core-generated block; WordPress rewrites it when permalink settings change)
<IfModule mod_rewrite.c>
	RewriteEngine On
	# Copy the incoming Authorization header into an environment variable;
	# presumably so PHP still sees it under CGI/FastCGI handlers, which strip
	# the header (WordPress needs it for application-password/Basic-auth REST
	# requests) — that does mean credentials are exposed to PHP via the env.
	RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
	RewriteBase /
	# Requests for the front controller itself are passed through untouched.
	RewriteRule ^index\.php$ - [L]
	# Anything that is not an existing file or directory is routed to the front
	# controller, which is what makes pretty permalinks work.
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule . /index.php [L]
</IfModule>

# END WordPress

 
