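# Per-directory Apache configuration: hardening, PHP error handling,
# access restrictions, static-asset caching and compression.
#
# NOTE(review): the page shows no <IfModule>/<FilesMatch> containers. The
# <IfModule> guards below stop a missing module from turning every request
# into a 500 error.

# Disable automatic directory listings and the server version footer.
Options -Indexes
ServerSignature Off

# ── Security Headers ──
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore. It is kept as the author set it; a Content-Security-Policy is the
    # effective control and is not configured in this file.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# ── PHP Settings ──
# php_flag is only valid when PHP runs as an Apache module; under PHP-FPM/CGI
# an unguarded php_flag is a configuration error. Set the same values in
# php.ini or .user.ini for those setups.
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>
<IfModule mod_php7.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>

# ── Protect config & core files ──
# NOTE(review): without an enclosing container, "Deny from all" rejects every
# request to the site. The file pattern is not shown on the page.
# PLACEHOLDER: replace the pattern with the project's real config/core file
# names. Until then this section protects nothing.
<FilesMatch "^(REPLACE_ME_PROTECTED_FILENAME)$">
    # Apache 2.4+
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block direct access to core/ directory
    # NC keeps the rule effective on case-insensitive filesystems.
    RewriteRule ^core/ - [F,L,NC]

    # Block PHP execution inside uploads/
    # NC closes the upper/mixed-case gap (.PHP, .Php). The list also covers
    # further PHP-handled extensions and names where a script extension is
    # followed by another one, since AddHandler-style mappings can apply to
    # any extension in a filename.
    # Caveat: these rules do not apply if uploads/ has its own .htaccess that
    # enables mod_rewrite. Also disable script handlers and overrides for
    # uploads/ in the server configuration, and have the upload code reject
    # dotfiles.
    RewriteRule ^uploads/.*\.(php[0-9]?|phtml|pht|phar|pl|py|jsp|asp|aspx|sh|cgi)(\.|$) - [F,L,NC]
</IfModule>

# ── Cache static assets ──
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/webp "access plus 30 days"
    ExpiresByType image/svg+xml "access plus 30 days"
</IfModule>

# ── Gzip Compression ──
# NOTE(review): compressing TLS responses that mix secrets (e.g. CSRF tokens)
# with request-reflected input exposes them to compression side channels
# (BREACH). Confirm that dynamic HTML/JSON is mitigated or excluded.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json
</IfModule>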