RewriteEngine On
# Redirect to no-WWW
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ http://%1%{REQUEST_URI} [R=301,QSA,NC,L]
# Redirect to WWW
#RewriteCond %{HTTP_HOST} !^www\. [NC]
#RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Redirect to HTTPS
RewriteCond %{HTTP:X-Forwarded-Proto} =http
RewriteCond %{HTTPS} off
#RewriteCond %{SERVER_PORT} 80
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# SPDY protocol
#Header add Alternate-Protocol "443:npn-spdy/3"
# Secure cookies
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
#Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=strict
# Apache < 2.2.4
# Header set Set-Cookie HttpOnly;Secure
# Submit domain to https://hstspreload.org/
Header add Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# XSS-protection
#Header add X-Frame-Options "SAMEORIGIN"
#Header add X-Content-Type-Options "nosniff"
#Header add X-XSS-Protection "1; mode=block"
#Header add Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.getclicky.com *.placehold.it *.ytimg.com *.googlevideo.com *.youtube.com *.youtu.be *.gstatic.com *.googleapis.com *.google-analytics.com cdnjs.cloudflare.com assets.zendesk.com yastatic.net *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com *.windguru.cz; child-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.ytimg.com *.googlevideo.com *.youtu.be *.youtube.com assets.zendesk.com tautt.zendesk.com *.doubleclick.net *.cloudflare.com *.ggpht.com *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com *.simpli.fi omg.mylocalreviewsite.com; object-src 'self' *.oppwa.com *.qit.nu *.pinterest.com *.facebook.net *.facebook.com *.addthisedge.com *.addthis.com *.jotform.com *.jotform.us *.placehold.it *.gstatic.com *.googlevideo.com *.youtube.com *.youtu.be *.cloudflare.com *.ytimg.com *.ggpht.com *.doubleclick.net *.google.com *.googleadservices.com *.linkedin.com *.vimeo.com *.aweber.com"
# Hide software headers
Header unset x-powered-by
ServerSignature Off
#ServerTokens Prod
php_flag expose_php Off
php_flag expose_php Off
### SILVERSTRIPE START ###
# Deny access to templates (but allow from localhost)
Order deny,allow
Deny from all
Allow from 127.0.0.1
# Deny access to IIS configuration
Order deny,allow
Deny from all
# Deny access to YAML configuration files which might include sensitive information
Order allow,deny
Deny from all
# Route errors to static pages automatically generated by SilverStripe
ErrorDocument 404 /assets/error-404.html
ErrorDocument 500 /assets/error-500.html
# Turn off index.php handling requests to the homepage fixes issue in apache >=2.4
DirectoryIndex disabled
DirectorySlash On
SetEnv HTTP_MOD_REWRITE On
RewriteEngine On
# Enable HTTP Basic authentication workaround for PHP running in CGI mode
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Deny access to potentially sensitive files and folders
RewriteRule ^vendor(/|$) - [F,L,NC]
RewriteRule ^\.env - [F,L,NC]
RewriteRule silverstripe-cache(/|$) - [F,L,NC]
RewriteRule composer\.(json|lock) - [F,L,NC]
RewriteRule (error|silverstripe|debug)\.log - [F,L,NC]
# Process through SilverStripe if no file with the requested name exists.
# Pass through the original path as a query parameter, and retain the existing parameters.
# Try finding framework in the vendor folder first
RewriteCond %{REQUEST_URI} ^(.*)$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php
### SILVERSTRIPE END ###