# NOTE(review): no <IfModule>, <Files> or <FilesMatch> container line appears
# anywhere in this file, although several sections need one (the plugin and
# WordPress rewrite blocks are normally emitted inside <IfModule mod_rewrite.c>,
# and the Order/Deny groups further down only make sense scoped to specific
# files). The containers may have been stripped when this text was copied -
# compare with the deployed copy before reusing it.
#
# HTTP -> HTTPS redirect written by the Really Simple SSL plugin. The plugin
# rewrites everything between its BEGIN/END markers, so changes belong in the
# plugin settings, not here. The only test is the X-Forwarded-Proto request
# header, which presumes a TLS-terminating proxy or load balancer in front of
# Apache that sets (and overwrites) that header on every request. If Apache
# terminates TLS itself the header is absent, the condition is true for HTTPS
# requests as well, and the 301 loops; and if nothing upstream overwrites the
# header, a plain-HTTP request that carries it is not redirected (HSTS below
# protects returning browsers, not first visits). Which condition is right
# depends on where TLS ends: behind a proxy keep this and make the proxy set
# the header; with Apache terminating TLS use "RewriteCond %{HTTPS} off".
# BEGIN Really Simple SSL Redirect 5.3.0
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# END Really Simple SSL Redirect
# Front-controller rewrites written by WordPress (everything between the
# markers is regenerated by WordPress, as its notice says - change it through
# filters, not here). The first rule copies the Authorization request header
# into the HTTP_AUTHORIZATION environment variable so PHP can still read it
# under CGI/FastCGI, where Apache does not pass that header through by itself;
# WordPress relies on it for application-password (Basic) authentication.
# Requests for an existing file or directory are served as-is, /index.php is
# left alone, and everything else is rewritten to /index.php. WordPress
# normally wraps this block in <IfModule mod_rewrite.c>; that wrapper is not
# visible in this copy.
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
#Customize expires cache start - adjust the period according to your needs
# Browser-cache lifetimes (mod_expires), an ETag built from mtime and size,
# and gzip for text-like responses. Each ExpiresByType emits Expires and
# Cache-Control: max-age relative to the time of access; "access plus N" is
# the long form of mod_expires' "access N". Responses that already carry
# their own Expires header (PHP-generated pages, for instance) are left
# untouched by mod_expires.
# NOTE(review): the ETag configured on the next line is removed again by
# "Header unset ETag" further down, and the DEFLATE filter is registered a
# second time in the gzip section - one copy of each is enough.
FileETag MTime Size
AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript
ExpiresActive On
# Markup: ten minutes, so content edits reach visitors quickly.
ExpiresByType text/html "access plus 10 minutes"
ExpiresByType application/xhtml+xml "access plus 10 minutes"
# Stylesheets, scripts and downloadable documents: one month.
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
# Images and the favicon: one year.
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
# Everything not listed above.
ExpiresDefault "access plus 1 month"
#Expires cache end
# BEGIN Enable Gzip Compression
# NOTE(review): this repeats the DEFLATE filter already registered in the
# expires section above; the only difference is text/text, which is not a
# registered media type and will only match a response literally typed that
# way. mod_deflate skips responses that already carry a Content-Encoding, so
# the duplicate should not double-compress, but one registration is enough.
# The usual <IfModule mod_deflate.c> guard is absent, so mod_deflate must be
# loaded. Compressing dynamic HTML over TLS is the precondition for the
# BREACH family of attacks; the mitigations (per-request CSRF tokens, not
# echoing attacker-controlled input next to secrets) live in the application.
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
# END Enable Gzip Compression
########## DISABLE DIRECTORY BROWSING
# NOTE(review): "All" first switches on every option except MultiViews
# (ExecCGI, Includes, FollowSymLinks, ...) and only then removes Indexes, so
# this line grants more than it takes away. "Options -Indexes" on its own
# would just turn listings off - but if the server default lacks
# FollowSymLinks, the rewrite rules in this file may currently depend on
# "All" supplying it, so confirm before narrowing. Either form needs
# AllowOverride Options (or Options=...) for this directory; otherwise Apache
# answers 500 for every request here.
Options All -Indexes
########## PREVENT FOLDER LISTING
# Belt and braces: should listings be enabled anyway, mod_autoindex shows no
# entries.
IndexIgnore *
########## DISABLES SERVER SIGNATURE
# Removes the version footer from server-generated pages (error pages,
# listings). The Server response header is a separate matter - see the
# header section at the end of this file.
ServerSignature Off
########## BLOCK WP-INCLUDES FOLDER AND FILES
# Refuses direct requests for PHP under wp-includes/ and anything under
# wp-admin/includes/ (the well-known WordPress hardening snippet). The S=3
# skip must equal the number of wp-includes rules that follow it - three
# here - so adjust it whenever a rule is added or removed. Because this
# section sits after the WordPress front controller, it only runs for
# requests whose target file or directory exists (the catch-all
# "RewriteRule . /index.php [L]" above ends the pass for anything else),
# which is exactly the case it guards; placing it above the WordPress block
# is the more conventional layout.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Not under wp-includes/ -> skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
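########## BLOCK ACCESS TO WP-CONFIG
# Scoped to wp-config.php only. Without the <Files> container the Order/Deny
# pair applies to every request in this directory and would 403 the whole
# site on a server that honours those directives (the container was most
# likely lost when this file was copied). "Require all denied" is the Apache
# 2.4 form; the Order/Deny pair is kept for 2.2, and for 2.4 it is skipped
# so the two mechanisms are never mixed.
<Files "wp-config.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from All
  </IfModule>
</Files>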
########## PREVENT VIEWING OF HTACCESS - INI - LOG - DSSTORE - PHOTOSHOP IMAGES - SHELL
# NOTE(review): each of the three Order/Deny/Satisfy groups below is meant to
# sit inside a <FilesMatch "..."> container naming the file types in its
# heading; no such container is present in this copy. As written the
# directives are unscoped: on a server that honours them (2.2, or 2.4 with
# mod_access_compat) they deny every request in this directory and the whole
# site returns 403; on 2.4 without mod_access_compat they are an unknown
# directive and every request is a 500. Restore the containers from the
# deployed copy - the patterns cannot be recovered from this text, so none is
# guessed here. Apache's stock configuration already denies "^\.ht" files,
# and the dot-file rewrite rule further down covers .DS_Store and ._*
# resource forks once they exist on disk, so the real gap is the
# ini/log/psd/sh set.
Order allow,deny
Deny from all
Satisfy All
########## PREVENT VIEWING OF ALL HTACCESS DSSTORE SHITE AND _ - RESOURCE FORK FILES
Order allow,deny
Deny from all
Satisfy All
########## PREVENT VIEWING OF ALL LOG AND COMMENT FILES
Order allow,deny
Deny from all
Satisfy All
########## DENY ACCESS TO HIDDEN FILES OR DIRECTORIES BEGINNING WITH A DOT
# 403 for any path component that starts with a dot (.git, .env, .DS_Store,
# ._* resource forks, .htaccess), but only when the target exists as a file
# or directory - a request for a non-existent dot path has already been sent
# to /index.php by the WordPress catch-all above and never reaches this rule.
# NOTE(review): the pattern also matches /.well-known/, so ACME HTTP-01
# certificate challenges and a security.txt placed there are blocked; if
# either is in use, add "RewriteCond %{REQUEST_URI} !^/\.well-known/" in
# front of the rule. Relies on RewriteEngine already being on (it is, from
# the sections above).
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
########## PASS THE DEFAULT CHARACTER SET
# Adds "; charset=utf-8" to text/plain and text/html responses that do not
# declare a charset (static files; PHP responses normally carry their own).
AddDefaultCharset utf-8
########## DISABLE CACHES AND BROWSERS TO VALIDATE FILES - FORCED TO REPLY ON OUR CACHE-CONTROL AND EXPIRES HEADER
# Strips the ETag so caches revalidate on Last-Modified/Expires only.
# NOTE(review): this contradicts "FileETag MTime Size" in the expires
# section, which configures the very tag removed here - "FileETag None"
# there would state the intent once. "Header unset" without "always" is
# applied to successful (2xx) responses only; that is fine for ETag but
# matters for the security headers that follow.
Header unset ETag
########## ONLY ALLOW TO SECURE WHOLE DIRECTORY OR WEBSITE
# NOTE(review): all four headers in this section use "Header set" without
# "always", so they are attached to 2xx responses only - error pages,
# redirects and 304s leave without them. "Header always set ..." covers
# every response.
# HSTS: a browser that has seen this over HTTPS refuses plain HTTP to the host
# (and, with includeSubDomains, to every subdomain) for one year. "preload" is
# a request to be hard-coded into browser preload lists; once submitted it is
# slow to withdraw and every subdomain must serve valid HTTPS, so remove it
# unless that commitment is intended.
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
########## PREVENT MIME BASED ATTACKS
# Stops browsers sniffing a response into a type other than the declared one.
Header set X-Content-Type-Options "nosniff"
########## SET XSS PROTECTION HEADER
# NOTE(review): the legacy XSS auditor this enables has been removed from
# current browsers, and present guidance (OWASP) is to send "0" or drop the
# header, since the filter itself became a side-channel source; a real
# Content-Security-Policy (next section) is the replacement.
Header set X-XSS-Protection "1; mode=block"
########## DONT ALLOW ANY PAGES TO BE FRAMED - older browsers - CSRF AND CLICKJACKING PROTECTION
# DENY forbids framing even by the same origin (this addresses clickjacking;
# it does nothing for CSRF). NOTE(review): WordPress's Customizer preview and
# some editor features load the site in a same-origin iframe, and WordPress
# itself sends SAMEORIGIN on admin pages, so DENY is likely to break those -
# confirm which value is wanted.
Header set X-Frame-Options "DENY"
########## OPENS SUPPORT TO OLDER BROWSERS THAT SUPPORT X-Content-Security-Policy BUT NOT Content-Security-Policy
# X-Content-Security-Policy is the pre-standard header, honoured only by old
# Firefox and IE10-era builds; current browsers ignore it. The unset here is
# redundant, because "Header set" three lines down replaces any existing
# value anyway.
Header unset X-Content-Security-Policy
# Header add X-Content-Security-Policy "default-src 'self'"
########## ONLY ALLOW JAVASCRIPT FROM SAME DOMAIN TO BE RUN - DONT ALLOW INLINE JAVASCRIPT TO BE RUN
# NOTE(review): in the few browsers that still honour the legacy header this
# blocks every inline <script>, which WordPress core, themes and plugins emit
# freely - expect breakage there. The standard header below is the one that
# matters.
Header set X-Content-Security-Policy "default-src 'self';"
########## ADD THE ENTIRE CSP KEY VALUE PAIRS THAT YOU WANT BELOW WITH default-src - THIS ACCEPTS CODE FROM THOSE SITES SPECIFIED
# NOTE(review): this removes any Content-Security-Policy and every candidate
# that follows is commented out, so modern browsers receive no CSP at all.
# Of the drafts below, the allow-list one carries 'unsafe-inline' in
# script-src (which gives up CSP's main protection against injected script),
# "img-src *", and "object-src 'self'" where 'none' is the usual value. The
# Report-Only variant is the right first step: serve it, collect violations
# at the report endpoint, tighten the list, then switch to the enforcing
# header (report-uri is deprecated in favour of report-to but still widely
# supported). "frame-ancestors 'none'" in the drafts is the modern
# equivalent of the X-Frame-Options DENY above. "Header unset" without
# "always" only touches 2xx responses.
Header unset Content-Security-Policy
# Header always set Content-Security-Policy "default-src 'self';frame-ancestors 'none';"
#Header always set Content-Security-Policy "default-src 'self' ammeon.com www.gstatic.com docs.google.com https://connect.facebook.net www.facebook.com oss.maxcdn.com www.google.com https://www.google-analytics.com www.googletagmanager.com fonts.googleapis.com fonts.gstatic.com checkout.stripe.com vars.hotjar.com *.vimeo.com snapwidget.com;frame-ancestors 'none';script-src 'self' 'unsafe-inline' ammeon.com www.gstatic.com connect.facebook.net www.facebook.com facebookmarketingdevelopers.com stats.g.doubleclick.net oss.maxcdn.com www.google.com https://www.google-analytics.com www.googletagmanager.com fonts.googleapis.com fonts.gstatic.com ajax.googleapis.com checkout.stripe.com maxcdn.bootstrapcdn.com rawgit.com use.fontawesome.com cdnjs.cloudflare.com cdn.jsdelivr.net l.getsitecontrol.com s2.getsitecontrol.com *.getsitecontrol.com static.hotjar.com script.hotjar.com webpack://*.hotjar.com *.hotjar.com snapwidget.com;img-src * data:;style-src 'self' 'unsafe-inline' ammeon.com fonts.gstatic.com fonts.googleapis.com gstatic.com maxcdn.bootstrapcdn.com rawgit.com use.fontawesome.com data:;worker-src 'self' fonts.gstatic.com fonts.googleapis.com www.google.com;form-action 'self' ammeon.com docs.google.com;font-src 'self' ammeon.com fonts.gstatic.com fonts.googleapis.com use.fontawesome.com fontawesome.com data:;connect-src 'self' ammeon.com www.google.com www.google.ie www.google.ro www.google-analytics.com checkout.stripe.com stats.g.doubleclick.net l.getsitecontrol.com *.getsitecontrol.com in.hotjar.com *.hotjar.com wss://*.hotjar.com webpack://*.hotjar.com *.hotjar.io yoast.com;object-src 'self' ammeon.com
#;report-uri /csp-violations/"
# Header always set Content-Security-Policy-Report-Only "default-src 'self' ammeon.com www.gstatic.com fonts.googleapis.com https://connect.facebook.net www.google.com https://www.google-analytics.com www.googletagmanager.com oss.maxcdn.com checkout.stripe.com vars.hotjar.com;script-src 'self' 'unsafe-inline' ammeon.com www.gstatic.com connect.facebook.net www.facebook.com facebookmarketingdevelopers.com www.google.com oss.maxcdn.com www.google-analytics.com www.googletagmanager.com fonts.googleapis.com fonts.gstatic.com ajax.googleapis.com checkout.stripe.com maxcdn.bootstrapcdn.com rawgit.com fontawesome.com cdnjs.cloudflare.com cdn.jsdelivr.net l.getsitecontrol.com s2.getsitecontrol.com static.hotjar.com script.hotjar.com;img-src * data:;style-src 'self' 'unsafe-inline' ammeon.com fonts.gstatic.com fonts.googleapis.com gstatic.com maxcdn.bootstrapcdn.com rawgit.com use.fontawesome.com;worker-src 'self' fonts.gstatic.com fonts.googleapis.com www.google.com;form-action 'self' ammeon.com docs.google.com;font-src 'self' ammeon.com fonts.gstatic.com fonts.googleapis.com use.fontawesome.com;connect-src 'self' ammeon.com checkout.stripe.com stats.g.doubleclick.net l.getsitecontrol.com *.getsitecontrol.com in.hotjar.com *.hotjar.com wss://*.hotjar.com webpack://*.hotjar.com;object-src 'self' ammeon.com
#;report-uri /csp-violations/"
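# Referrer-Policy: never send a Referer header (the strictest value; it also
# hides referrer data from the site's own analytics).
Header always set Referrer-Policy "no-referrer"
# Feature-Policy is the legacy name; Permissions-Policy replaced it and uses a
# different (structured-dictionary) syntax, so the old value cannot simply be
# renamed - the commented draft that used to be here would have been ignored.
# Both are sent so old and new browsers apply the same restrictions.
Header always set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; usb 'none'"
Header always set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()"
# Banner hygiene. NOTE: httpd writes the Server header in its protocol filter
# after mod_headers has run, so the next two lines are not expected to remove
# it; "ServerTokens Prod" in the main server configuration is the supported
# way to trim it (ServerTokens is not permitted in .htaccess).
Header always unset Server
Header unset Server
# X-Powered-By is added by PHP; unsetting here works, but expose_php = Off in
# php.ini stops it at the source.
Header always unset X-Powered-By
Header unset X-Powered-By
Header unset X-CF-Powered-By
Header unset X-Mod-Pagespeed
# X-Pingback advertises xmlrpc.php; hiding the header does not disable
# XML-RPC - turn pingbacks/XML-RPC off in WordPress if they are not needed.
Header unset X-Pingback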