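<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Force HTTPS.
    # NOTE(review): %{HTTPS} reflects the connection Apache itself terminated. Behind a
    # TLS-terminating proxy/CDN it is always "off" and this rule redirect-loops; in that
    # deployment key the condition on X-Forwarded-Proto instead — confirm where TLS ends.
    # The redirect target reuses the client-supplied Host header; the www rule below shows
    # the fixed-hostname form, which avoids reflecting an attacker-chosen host.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Canonical host: www → non-www (the query string is carried over automatically
    # because the substitution contains none).
    RewriteCond %{HTTP_HOST} ^www\.swadeshidata\.com$ [NC]
    RewriteRule ^(.*)$ https://swadeshidata.com/$1 [R=301,L]

    # Remove a trailing slash from URLs that do not name a directory.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [R=301,L]

    # Block direct access to the data directory. The same rule is repeated in the
    # "Block Sensitive Files" section; harmless, but keep the two in sync.
    RewriteRule ^data/ - [F,L]

    # There is no rule restricting PHP files under /api: they are reachable directly,
    # so every endpoint must validate its own input and authentication. (An earlier
    # comment pointed to a FilesMatch that does not exist in this file.)
</IfModule>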

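# ── Security Headers ─────────────────────────────────────────
<IfModule mod_headers.c>

    # Clickjacking: legacy header, kept for old browsers. Current browsers use the CSP
    # frame-ancestors directive set further down, which is the same policy.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # The XSS auditor has been removed from current browsers, and "1; mode=block" created
    # side channels in the ones that had it. OWASP guidance is to disable it explicitly.
    Header always set X-XSS-Protection "0"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions policy — disable unused browser features
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

    # HTTP Strict Transport Security (HSTS) — 1 year.
    # "includeSubDomains" commits every subdomain to HTTPS and "preload" is effectively
    # irreversible once submitted to the browser preload list; keep both only if that is
    # intended for the whole domain.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Content Security Policy
    # Allows: own origin, Google Fonts, Stripe, Anthropic API.
    # NOTE(review): 'unsafe-inline' in script-src largely neutralises CSP as an XSS control;
    # moving to nonces or hashes requires changes in the pages themselves, not here.
    # NOTE(review): connect-src lets the browser call api.anthropic.com directly. If the
    # front-end does that, the Anthropic API key is shipped to every visitor; proxy those
    # calls through a server-side endpoint and drop the origin — confirm how it is called.
    # img-src "https:" accepts images from any HTTPS host; tighten if the set is known.
    # frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN above.
    Header always set Content-Security-Policy "default-src 'self'; \
        script-src 'self' 'unsafe-inline' https://js.stripe.com; \
        style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; \
        font-src 'self' https://fonts.gstatic.com; \
        img-src 'self' data: https:; \
        connect-src 'self' https://api.anthropic.com https://api.stripe.com https://swadeshidata.com; \
        frame-src https://js.stripe.com https://hooks.stripe.com; \
        frame-ancestors 'self'; \
        object-src 'none'; \
        base-uri 'self'; \
        form-action 'self'; \
        upgrade-insecure-requests"

    # Remove server info headers.
    # X-Powered-By only exists if PHP adds it (expose_php), so this is a safety net.
    # The Server header is written by the core after mod_headers runs, so "unset" does
    # not remove it; only ServerTokens Prod in the server config reduces it.
    Header always unset X-Powered-By
    Header always unset Server

    # Cache-Control for static assets. "immutable" for a year is only safe when asset
    # URLs change with their content (hashed/versioned filenames); otherwise clients
    # keep stale JS/CSS until the cache expires.
    <FilesMatch "\.(css|js|woff2?|ttf|eot|otf|svg)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # Cache HTML pages for a short time (fresh content)
    <FilesMatch "\.(html|htm)$">
        Header set Cache-Control "public, max-age=3600, must-revalidate"
    </FilesMatch>

    # No cache for API responses
    <FilesMatch "\.php$">
        Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
        Header set Pragma "no-cache"
    </FilesMatch>

</IfModule>

# Suppress the Apache version/hostname footer on server-generated pages (directory
# listings, default error pages). ServerTokens cannot be set from .htaccess; it belongs
# in the server config.
ServerSignature Off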

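# ── Block Sensitive Files ─────────────────────────────────────
# FilesMatch tests the file's basename only. The original "^\.env" pattern ended with "$",
# so .env.local / .env.production were NOT covered; denying every dotfile closes that and
# also covers .htaccess/.htpasswd, .git* files, .DS_Store and .user.ini. Files inside
# .well-known/ have ordinary basenames and are unaffected.
#
# "Require all denied" is the Apache 2.4 form; Order/Deny is only understood by 2.2 or
# by 2.4 with mod_access_compat loaded (without it, the old directives are a 500).
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Build/dependency manifests, server logs and diagnostic scripts
<FilesMatch "(composer\.(json|lock)|package\.json|package-lock\.json|Thumbs\.db|error_log|access_log|debug\.log|phpinfo\.php)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Directory trees: the data/ directory and VCS metadata directories. Their contents have
# ordinary basenames (.git/config, .git/HEAD), so FilesMatch alone does not protect them.
<IfModule mod_rewrite.c>
    RewriteRule ^data(/.*)?$ - [F,L]
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F,L]
</IfModule>

# Raw data exports, dumps, backups, logs, scripts and source/editor artifacts by extension
# (.inc and .phps can be served as plain text and leak PHP source; *.old/*.orig/*.swp/*~
# are editor leftovers).
<FilesMatch "\.(xlsx|xls|csv|sql|bak|backup|log|sh|bash|py|rb|go|rs|inc|phps|old|orig|swp)$|~$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>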

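# ── Block Common Attack Patterns ─────────────────────────────
# NOTE(review): these signatures are noise reduction, not a WAF. Each is bypassed with an
# alternate encoding or a changed User-Agent, and the SQL one also rejects legitimate
# query strings that happen to contain "select ... from". Real input validation belongs
# in the PHP endpoints.
<IfModule mod_rewrite.c>

    # Crude SQL-injection signatures in the query string
    RewriteCond %{QUERY_STRING} (\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b|\bdrop\b.+\btable\b) [NC]
    RewriteRule .* - [F,L]

    # Crude XSS signatures (only the literal and single-URL-encoded "<script" forms)
    RewriteCond %{QUERY_STRING} (<script|%3Cscript|javascript:|vbscript:) [NC]
    RewriteRule .* - [F,L]

    # Default User-Agents of well-known scanners (trivially spoofed; stops only
    # out-of-the-box configurations)
    RewriteCond %{HTTP_USER_AGENT} (nikto|sqlmap|masscan|nmap|dirbuster|burpsuite|w3af|acunetix|nessus|openvas|zgrab) [NC]
    RewriteRule .* - [F,L]

    # Common CMS/admin-tool probes (this site is not WordPress; this only cuts log noise).
    # The name is anchored to a path boundary (/, . or -) so unrelated paths such as
    # /pmap.html are no longer caught, while wp-login.php, xmlrpc.php, adminer-4.php etc.
    # still are. [NC] replaces the separate phpMyAdmin spelling.
    RewriteRule ^(wp-admin|wp-login|wp-config|xmlrpc|phpmyadmin|pma|adminer|setup\.php)(/|[.-]|$) - [F,L,NC]

</IfModule>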

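# ── PHP Security Settings ─────────────────────────────────────
# NOTE(review): "mod_php.c" is the module name registered by PHP 8 builds; PHP 5/7 builds
# register mod_php5.c / mod_php7.c and skip this block silently. Under PHP-FPM/FastCGI the
# php_flag/php_value directives are not available at all — put the same settings in
# php.ini or a .user.ini in that case. Confirm which SAPI serves this site.
<IfModule mod_php.c>
    # Never render errors to clients; log them instead
    php_flag display_errors Off
    php_flag log_errors On
    # expose_php is PHP_INI_SYSTEM: php_flag in .htaccess cannot change it and the line is
    # ignored here. Set it in php.ini; the X-Powered-By unset in the headers section is
    # the fallback.
    php_flag expose_php Off
    # Upload/request size and runtime caps
    php_value upload_max_filesize 5M
    php_value post_max_size 8M
    php_value max_execution_time 30
    # Session cookie hardening: not readable from script, sent only over HTTPS, and
    # client-supplied unknown session ids are rejected rather than adopted.
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.use_strict_mode 1
    # NOTE(review): SameSite=Strict means the session cookie is NOT sent on the top-level
    # navigation back from a cross-site redirect (e.g. a hosted Stripe Checkout return URL).
    # If such a flow exists, Lax is the usual setting — confirm against the payment flow.
    php_value session.cookie_samesite "Strict"
</IfModule>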

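# ── CORS for API ──────────────────────────────────────────────
# The only allowed origin is the site itself, so for the same-origin front-end this block
# is effectively a no-op; it matters only if another origin is ever added.
# Access-Control-Allow-Credentials is not set, and same-origin requests do not need it.
<IfModule mod_headers.c>
    <FilesMatch "\.php$">
        # "always" so the headers are also present on 4xx/5xx responses; with the plain
        # (onsuccess) table a cross-origin caller cannot read API error bodies.
        Header always set Access-Control-Allow-Origin "https://swadeshidata.com"
        Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
    </FilesMatch>
</IfModule>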

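# ── Compression ───────────────────────────────────────────────
# NOTE(review): compressing dynamic HTML that reflects request data next to per-session
# secrets (CSRF tokens, session ids) is the precondition for BREACH; keep secrets out of
# pages that echo attacker-controlled input, or exclude those responses from DEFLATE.
# Static assets are unaffected.
# WOFF2 is Brotli-compressed internally, so gzip gains nothing; it is left out.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json application/xml
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>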

# ── Custom Error Pages ─────────────────────────────────────────
# A local-path ErrorDocument is served by internal redirect and keeps the original status
# code (403/404/500 still reach the client); only the body is replaced, so blocked files
# and missing paths never show Apache's default error page.
ErrorDocument 500 /index.html
ErrorDocument 404 /index.html
ErrorDocument 403 /index.html

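# ── Rate Limiting (basic via mod_evasive if available) ─────────
# NOTE(review): mod_evasive's DOS* directives are server-config/vhost scope (RSRC_CONF);
# in a .htaccess Apache rejects them with "not allowed here" (an HTTP 500) when the module
# is loaded, and the IfModule only hides the block when it is not. Move these to the vhost
# config and confirm against the installed build. Even when active, the counters are kept
# per child process in memory, so this only dampens single-source bursts.
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    DOSPageCount        5
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
</IfModule>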
