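# ---------------------------------
# | Block IP Addresses
# |
# | Trailing-dot entries in the legacy list (e.g. "22.33.44.") are Apache's
# | partial-IP syntax and cover the whole /24; the 2.4 list spells the same
# | ranges out as CIDR. Third-party scanner/VPN ranges change over time, so
# | re-check them against the operators' published lists periodically.
# ---------------------------------
# Apache 2.4 (mod_authz_core): everyone is allowed except the listed addresses.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 11.22.33.44
        Require not ip 22.33.44.0/24
        # OPERA VPN
        Require not ip 77.111.244.0/24
        Require not ip 77.111.245.0/24
        Require not ip 77.111.246.0/24
        Require not ip 77.111.247.0/24
        # CENSYS SCANNER
        Require not ip 74.120.14.0/24
        Require not ip 162.142.125.0/24
        Require not ip 167.248.133.0/24
        Require not ip 192.35.168.0/24
    </RequireAll>
</IfModule>
# Apache 2.2 (mod_authz_host): the same list in the legacy Order/Deny syntax.
# With "order allow,deny" a matching Deny always wins over "allow from all".
<IfModule !mod_authz_core.c>
    order allow,deny
    deny from 11.22.33.44
    deny from 22.33.44.
    # OPERA VPN
    deny from 77.111.244.
    deny from 77.111.245.
    deny from 77.111.246.
    deny from 77.111.247.
    # CENSYS SCANNER
    deny from 74.120.14.
    deny from 162.142.125.
    deny from 167.248.133.
    deny from 192.35.168.
    allow from all
</IfModule>

# ---------------------------------
# | Rewrite-based blocks and redirects
# | Everything that uses RewriteCond/RewriteRule lives in this one
# | mod_rewrite guard so the file cannot 500 when the module is absent.
# ---------------------------------
<IfModule mod_rewrite.c>
    # In .htaccess the engine is off by default: without this line every
    # rule below is silently ignored. Repeating it is harmless if an
    # earlier part of the file already enabled it.
    RewriteEngine On

    # Record the request scheme for the optional www rules further down
    # (they reference %{ENV:PROTO}, which nothing else in this file sets).
    RewriteCond %{HTTPS} =on
    RewriteRule ^ - [env=PROTO:https]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ - [env=PROTO:http]

    # ---------------------------------
    # | Block & Redirect IP Addresses
    # | Patterns are anchored with $ so only the exact address matches.
    # | A 302 is used deliberately: browsers cache a 301 per URL, so a
    # | client that was redirected once (shared or changed IP, VPN dropped)
    # | would keep being sent to the target even after the block is lifted.
    # | Replace "[R=302,L]" with "[F,L]" to answer 403 directly instead of
    # | handing the traffic to a third party.
    # ---------------------------------
    RewriteCond %{REMOTE_ADDR} ^11\.22\.33\.44$ [OR]
    RewriteCond %{REMOTE_ADDR} ^22\.33\.44\.55$ [OR]
    RewriteCond %{REMOTE_ADDR} ^33\.44\.55\.66$
    RewriteRule ^ https://www.google.com [R=302,L]

    # ---------------------------------
    # | Block & Redirect referring URLs
    # | Matches the Referer host (and its subdomains) case-insensitively.
    # | The earlier pattern ".*somedodgywebsite.com.*$" had an unescaped dot
    # | and matched the text anywhere in the URL, so "somedodgywebsiteXcom"
    # | or a legitimate page mentioning the domain in its query string also
    # | triggered it. Same 302-vs-301 reasoning as above: the condition is
    # | per request, so the redirect must not be cached permanently.
    # ---------------------------------
    RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?somedodgywebsite\.com([:/]|$) [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?someotherdodgywebsite\.com([:/]|$) [NC]
    RewriteRule ^ https://google.com [R=302,L]

    # ---------------------------------
    # | 301 Redirects
    # ---------------------------------
    #RewriteCond %{ENV:REDIRECT_STATUS} !^401$
    #RewriteRule ^old_url.html$ http://www.example.com/new_url.html [R=301,L]

    # ---------------------------------
    # | Optional force HTTPS
    # | Behind a TLS-terminating proxy or CDN %{HTTPS} is never "on" and this
    # | rule loops; there, test the proxy's header instead, e.g.
    # |   RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    # | but only if the proxy always overwrites that header (clients can
    # | forge it). %{HTTP_HOST} is client-supplied: if this vhost answers for
    # | arbitrary Host values, prefer a hard-coded hostname in the target.
    # ---------------------------------
    #
    #RewriteCond %{HTTPS} !=on
    #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #

    # ---------------------------------
    # | Optional suppress or force .www to prevent duplicate content
    # | WARNING: Use only one option below, not both!
    # | The "%{HTTPS} !=on" condition limits the redirect to plaintext
    # | requests; the usual reason is a certificate valid for only one of
    # | the two hostnames. If yours covers both, that line can be removed.
    # | %{ENV:PROTO} is set at the top of this rewrite block.
    # ---------------------------------
    # OPTION 1) SUPPRESS WWW.
    #
    #RewriteCond %{HTTPS} !=on
    #RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    #RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
    #
    # OPTION 2) FORCE WWW.
    #
    #RewriteCond %{HTTPS} !=on
    #RewriteCond %{HTTP_HOST} !^www\. [NC]
    #RewriteCond %{SERVER_ADDR} !=127.0.0.1
    #RewriteCond %{SERVER_ADDR} !=::1
    #RewriteRule ^ %{ENV:PROTO}://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    #
</IfModule>

# ---------------------------------
# | Security Headers - Scan at https://securityheaders.com
# | Use with caution, errors can break your store!
# | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# | https://content-security-policy.com/examples/
# | https://report-uri.com/home/generate
# ---------------------------------
<IfModule mod_headers.c>
    # "Connection" is a hop-by-hop header that Apache manages itself (see the
    # KeepAlive directive) and that must not appear on HTTP/2 responses, so
    # it is not set here any more.
    #Header set Connection keep-alive
    # Strips the PHP version banner from responses. This only removes the
    # header; set "expose_php = Off" in php.ini so it is not generated at all.
    Header always unset X-Powered-By
    # ETags are disabled (see "FileETag None" below). NOTE: with Last-Modified
    # removed as well, clients can never send a conditional request and must
    # re-download every asset once its Expires time has passed.
    Header unset ETag
    Header unset Last-Modified

    # These need to be tailored for your individual site...
    # - "always" also applies the header to error responses (4xx/5xx).
    # - Use "set", never "append"/"add": a duplicated X-Frame-Options value
    #   is invalid, and "add" emits a second Content-Security-Policy header.
    #
    # nosniff makes browsers refuse scripts/styles served with the wrong MIME
    # type; check the AddType mappings below (e.g. "text/x-js .js4") first.
    #Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor is disabled ("0") on current guidance; the old
    # "1; mode=block" value enabled filters that were themselves usable for
    # cross-site leaks.
    #Header always set X-XSS-Protection "0"
    #Header always set X-Frame-Options "SAMEORIGIN"
    #Header always set Referrer-Policy "same-origin"
    # Feature-Policy is superseded by Permissions-Policy (and "vibrate" was
    # never a controllable feature), so the old line has been dropped. The
    # header name is given WITHOUT a trailing colon and the value is quoted;
    # the previous form would have produced a header named "Permissions-Policy:".
    #Header always set Permissions-Policy "geolocation=(self \"https://www.example.com\"), microphone=()"
    # HSTS: the preload list requires max-age >= 31536000 (1 year); the old
    # value of 10886400 would be rejected. "preload" is effectively
    # irreversible for the domain and all subdomains, so add it only once
    # HTTPS is known to work everywhere. env=HTTPS restricts the header to
    # TLS responses (the variable is set by mod_ssl; behind a TLS-terminating
    # proxy it may be absent, in which case drop the condition).
    #Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # A default-src 'self' policy blocks every inline script and style. Roll
    # it out as Content-Security-Policy-Report-Only with a report endpoint
    # first, then switch to the enforcing header name.
    #Header always set Content-Security-Policy "default-src 'self';"
</IfModule>
FileETag None

# ---------------------------------
# | Disable Directory Indexes and content negotiation
# | -Indexes stops Apache listing folders that have no index file (the
# | previous line only disabled MultiViews, so listings stayed enabled).
# | -MultiViews stops Apache answering an inexact path with a "best" file
# | variant, i.e. serving a file other than the one that was named.
# | Requires "AllowOverride Options" for this directory; otherwise 500.
# ---------------------------------
Options -Indexes -MultiViews

# ---------------------------------
# | Block access to sensitive folders
# | RedirectMatch answers with a cacheable 301 to a separate error page;
# | returning a status directly (e.g. "RedirectMatch 403 ^.*/sql/.*$") is
# | simpler and does not expose an extra URL. Make sure error_message.php
# | itself never matches one of the patterns, or the redirect loops.
# | Dots in literal names are escaped; the rest of each pattern is unchanged.
# ---------------------------------
#RedirectMatch permanent ^.*/\.pgp/.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/patch.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/sql/.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/schemes/.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/skin_backup/.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/Smarty.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/upgrade/.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/var/.*$ https://www.example.com/error_message.php

# ---------------------------------
# | Block access to sensitive file types
# | The previous pattern "^.*.(ini|tpl|sql|log|conf|bak)$" had an unescaped
# | dot, so ANY path ending in those letters matched (/blog, /catalog,
# | /bikini). The dot is now escaped and (?i) makes the match
# | case-insensitive so ".SQL" or ".Log" cannot slip past.
# ---------------------------------
#RedirectMatch permanent (?i)^.*\.(ini|tpl|sql|log|conf|bak)$ https://www.example.com/error_message.php

# ---------------------------------
# | Block access to sensitive files
# | Unanchored names (README, NEW.*, INSTALL.*) deliberately also catch
# | README.md, NEWS, INSTALL.txt etc.; check them against the store's real
# | paths before enabling. PHP names are anchored and dot-escaped.
# ---------------------------------
#RedirectMatch permanent ^.*/COPYRIGHT https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/CHANGELOG https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/INSTALL.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/NEW.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/README https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/UPGRADE.*$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/VERSION https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/include/version\.php$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/config\.php$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/top\.inc\.php$ https://www.example.com/error_message.php
#RedirectMatch permanent ^.*/install\.php$ https://www.example.com/error_message.php

# ---------------------------------
# | Enable Compression
# | BREACH caveat: compressing HTML that carries a secret (CSRF token,
# | session id) on the same page as attacker-reflected input lets the
# | secret be recovered from response sizes. Keep text/html in this list
# | only if tokens are masked per request or such pages do not echo input.
# ---------------------------------
<IfModule mod_deflate.c>
    # Compress HTML, CSS, JavaScript, Text, XML and fonts
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
    AddOutputFilterByType DEFLATE application/x-font
    AddOutputFilterByType DEFLATE application/x-font-opentype
    AddOutputFilterByType DEFLATE application/x-font-otf
    AddOutputFilterByType DEFLATE application/x-font-truetype
    AddOutputFilterByType DEFLATE application/x-font-ttf
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE font/opentype
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE image/x-icon
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml

    # Work around gzip bugs in Netscape 4-era browsers (only needed for really
    # old browsers). The Vary: User-Agent they require splits every cached
    # response per browser string in proxies/CDNs; remove all four lines
    # unless such browsers still matter to you.
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    <IfModule mod_headers.c>
        Header append Vary User-Agent
    </IfModule>
</IfModule>

# ---------------------------------
# | MIME types
# | Mappings are kept as they were. Note that the non-standard script types
# | (text/x-js, application/java, ...) are NOT recognised JavaScript MIME
# | types; a browser with nosniff enabled will refuse to execute them.
# ---------------------------------
<IfModule mod_mime.c>
    AddType text/css .css
    AddType text/x-component .htc
    AddType application/x-javascript .js
    AddType application/javascript .js2
    AddType text/javascript .js3
    AddType text/x-js .js4
    AddType text/html .html .htm
    AddType text/richtext .rtf .rtx
    AddType image/svg+xml .svg
    AddType text/plain .txt
    AddType text/xsd .xsd
    AddType text/xsl .xsl
    AddType text/xml .xml
    AddType video/asf .asf .asx .wax .wmv .wmx
    AddType video/avi .avi
    AddType image/bmp .bmp
    AddType application/java .class
    AddType video/divx .divx
    AddType application/msword .doc .docx
    AddType application/vnd.ms-fontobject .eot
    AddType application/x-msdownload .exe
    AddType image/gif .gif
    AddType application/x-gzip .gz .gzip
    AddType image/x-icon .ico
    AddType image/jpeg .jpg .jpeg .jpe
    AddType image/webp .webp
    AddType application/json .json
    AddType application/vnd.ms-access .mdb
    AddType audio/midi .mid .midi
    AddType video/quicktime .mov .qt
    AddType audio/mpeg .mp3 .m4a
    AddType video/mp4 .mp4 .m4v
    AddType video/mpeg .mpeg .mpg .mpe
    AddType video/webm .webm
    AddType application/vnd.ms-project .mpp
    AddType application/x-font-otf .otf
    AddType application/vnd.ms-opentype ._otf
    AddType application/vnd.oasis.opendocument.database .odb
    AddType application/vnd.oasis.opendocument.chart .odc
    AddType application/vnd.oasis.opendocument.formula .odf
    AddType application/vnd.oasis.opendocument.graphics .odg
    AddType application/vnd.oasis.opendocument.presentation .odp
    AddType application/vnd.oasis.opendocument.spreadsheet .ods
    AddType application/vnd.oasis.opendocument.text .odt
    AddType audio/ogg .ogg
    AddType application/pdf .pdf
    AddType image/png .png
    AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
    AddType audio/x-realaudio .ra .ram
    AddType image/svg+xml .svg .svgz
    AddType application/x-shockwave-flash .swf
    AddType application/x-tar .tar
    AddType image/tiff .tif .tiff
    AddType application/x-font-ttf .ttf .ttc
    AddType application/vnd.ms-opentype ._ttf
    AddType audio/wav .wav
    AddType audio/wma .wma
    AddType application/vnd.ms-write .wri
    AddType application/font-woff .woff
    AddType application/font-woff2 .woff2
    AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
    AddType application/zip .zip
</IfModule>

# ---------------------------------
# | Leverage Browser Caching
# | mod_expires emits "Cache-Control: max-age=N" without "private", so any
# | response it stamps may be stored by a shared cache (CDN, proxy). For
# | text/html and application/json that means a personalised page or API
# | reply could be served to another visitor for up to N seconds unless the
# | application sends its own Cache-Control/Expires headers (responses that
# | already carry Expires are left untouched by mod_expires). Lower the two
# | values to "access plus 0 seconds" if you are not sure the app does.
# ---------------------------------
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 week"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rdf+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"
    ExpiresByType application/json "access plus 30 seconds"
    ExpiresByType application/ld+json "access plus 0 seconds"
    ExpiresByType application/schema+json "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"
    ExpiresByType image/x-icon "access plus 1 month"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 month"
    ExpiresByType text/html "access plus 1 minute"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType text/x-javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-javascript "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/svg "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/bmp "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType audio/ogg "access plus 1 month"
    ExpiresByType video/mp4 "access plus 1 month"
    ExpiresByType video/ogg "access plus 1 month"
    ExpiresByType video/webm "access plus 1 month"
    ExpiresByType text/plain "access plus 1 month"
    ExpiresByType text/x-component "access plus 1 month"
    ExpiresByType application/manifest+json "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json "access plus 0 seconds"
    ExpiresByType text/cache-manifest "access plus 0 seconds"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    ExpiresByType font/eot "access plus 1 month"
    ExpiresByType font/opentype "access plus 1 month"
    ExpiresByType application/x-font-ttf "access plus 1 month"
    ExpiresByType application/font-woff "access plus 1 month"
    ExpiresByType application/font-woff2 "access plus 1 month"
    ExpiresByType application/x-font-woff "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
</IfModule>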