# Directory options for this tree:
#   +FollowSymLinks  per-directory mod_rewrite needs this (or SymLinksIfOwnerMatch,
#                    the stricter choice on shared hosting) to be enabled
#   -MultiViews      turns off content negotiation so it cannot pick a file
#                    before the rewrite rules below see the request
#   -Indexes         no auto-generated directory listings
# Requires AllowOverride to permit Options (and FileInfo for the rewrite rules).
Options +FollowSymLinks -MultiViews -Indexes
# Not wrapped in <IfModule mod_rewrite.c>: without mod_rewrite the request fails
# with a server error instead of being served with the PHP-execution block
# further down silently inactive.
RewriteEngine On
# Subfolder-safe rewrites:
# - Do not rely on a fixed RewriteBase
# - Stop rewriting direct index.php requests in any directory
#   (in .htaccess context the pattern is relative to the directory holding this
#   file, so this is the index.php next to it, wherever the app is deployed;
#   "-" leaves the URL unchanged and [L] ends the rule pass)
RewriteRule ^index\.php$ - [L]

# Custom error pages.
# The targets are absolute URL paths, so they are resolved from the domain
# root. For a subfolder deployment either comment these lines out or prefix
# the target with the subfolder (e.g. "/mysub/404").
ErrorDocument 403 /403
ErrorDocument 404 /404

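# Only route non-existing files/dirs to the front controller
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L,QSA]

# Allow public assets; refuse (403) only direct PHP execution in these folders.
# This rule is reached only for paths that exist on disk, because the
# front-controller rule above ends processing ([L]) for everything else.
# NOTE(review): the original remark "Requests are AJAX endpoints and must
# remain accessible" presumably means a requests/ folder is left out of the
# list on purpose - confirm.
#
# Hardening over a plain "\.(php|...)$" match:
#   - [NC]: upper/mixed-case extensions (.PHP, .Php) are refused as well
#   - "(/.*)?": still matches when extra path info follows the script name
#     (script.php/anything); a "$"-anchored extension match does not cover
#     that form, and the PHP handler may still run the script
#   - .phar and .pht are included; which extensions the handler actually
#     executes depends on the server's PHP configuration - verify and extend
# Side effect: a directory whose own name ends in one of these extensions is
# refused too.
RewriteRule ^(themes|includes|sources|langs|src)/.*\.(php[0-9]?|phtml|phps|phar|pht)(/.*)?$ - [F,NC]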

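<IfModule mod_deflate.c>

  # Compress HTML, CSS, JavaScript, text, XML and fonts.
  # NOTE(review): on Apache 2.4 AddOutputFilterByType is provided by mod_filter;
  # confirm that module is loaded wherever mod_deflate is.
  # NOTE(review): text/html is compressed. If pages carry secrets (e.g. CSRF
  # tokens) next to reflected request data, review mitigations for
  # compression side channels over TLS (BREACH).
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml

  # Work around compression bugs (only relevant for very old browsers).
  # BrowserMatch belongs to mod_setenvif, so it is guarded separately.
  <IfModule mod_setenvif.c>
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
  </IfModule>

  # Header belongs to mod_headers, not mod_deflate. Without this guard a server
  # that has mod_deflate but not mod_headers rejects the whole file and every
  # request fails with a server error.
  <IfModule mod_headers.c>
    Header append Vary User-Agent
  </IfModule>
</IfModule>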

<IfModule mod_headers.c>
  # Basic security headers (conservative defaults to avoid breaking inline scripts)
  # "always" also attaches the header to error responses, not only successful ones.
  # Because of the IfModule guard, none of these headers are sent when
  # mod_headers is missing - check the live responses after deployment.

  # Stop browsers from guessing a content type other than the declared one.
  Header always set X-Content-Type-Options "nosniff"
  # Clickjacking protection: only same-origin pages may frame this site.
  Header always set X-Frame-Options "SAMEORIGIN"
  # NOTE(review): this policy still sends the full URL (path and query string)
  # to other HTTPS origins. If URLs can carry tokens or identifiers, consider
  # "strict-origin-when-cross-origin" instead.
  Header always set Referrer-Policy "no-referrer-when-downgrade"
  # Deny these browser features to this site and to anything it embeds.
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()"
  # NOTE(review): no Strict-Transport-Security header is set here; add one if
  # the site is served over HTTPS only.
  # Uncomment and tailor CSP after verifying front-end needs
  # As written, the policy has no 'unsafe-inline' source, so inline scripts and
  # styles would be blocked once it is enabled. Trial it first with the
  # Content-Security-Policy-Report-Only header.
  # Header always set Content-Security-Policy "default-src 'self' data: blob:; img-src 'self' data: blob: *; media-src 'self' data: blob: *; frame-ancestors 'self'"
</IfModule>

<IfModule mod_expires.c>
  # Client-side cache lifetimes, grouped by duration. Types not listed fall
  # back to ExpiresDefault.
  ExpiresActive on
  ExpiresDefault "access plus 1 month"

  # Effectively uncached: feeds, XML/JSON payloads and plain text
  ExpiresByType application/json "access plus 1 seconds"
  ExpiresByType application/rss+xml "access plus 1 seconds"
  ExpiresByType application/xml "access plus 1 seconds"
  ExpiresByType text/xml "access plus 1 seconds"
  ExpiresByType text/plain "access plus 1 seconds"

  # HTML
  # NOTE(review): this also covers HTML produced by the index.php front
  # controller. Unless the application sends its own caching headers for
  # per-user or authenticated pages, browsers and intermediate caches may keep
  # them for up to three days - verify.
  ExpiresByType text/html "access plus 3 days"

  # Stylesheets and scripts
  ExpiresByType text/css "access plus 1 week"
  ExpiresByType application/javascript "access plus 1 week"
  ExpiresByType application/x-javascript "access plus 1 week"
  ExpiresByType text/javascript "access plus 1 week"

  # Images and documents
  # (image/jpg is not a registered type; image/jpeg is the one servers
  # normally emit. The extra entry is harmless.)
  ExpiresByType image/jpeg "access plus 1 month"
  ExpiresByType image/jpg "access plus 1 month"
  ExpiresByType image/png "access plus 1 month"
  ExpiresByType image/gif "access plus 1 month"
  ExpiresByType application/pdf "access plus 1 month"

  # Favicons
  ExpiresByType image/x-icon "access plus 1 year"
  ExpiresByType image/x-ico "access plus 1 year"
</IfModule>
