# E-commerce Root .htaccess Configuration
# Handles routing for different deployment scenarios

# Enable mod_rewrite for the routing rules in this file (this directory and below).
RewriteEngine On

# Forward Authorization header to PHP (Fix for JWT authentication)
# Captures the incoming Authorization header and exposes it to the script as the
# HTTP_AUTHORIZATION environment variable. This only transports the header; the
# JWT itself is still validated by the application, not by Apache.
# NOTE(review): later rules in this file perform internal rewrites, and mod_rewrite
# may then carry variables set via [E=...] under a REDIRECT_ prefix — confirm
# which variable name the PHP side actually reads.
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

# Enable CGI/FastCGI Authorization header pass-through
# Second, independent mechanism (mod_setenvif) setting the same variable from the
# same header, aimed at CGI/FastCGI deployments per the comment above.
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

# Security Headers
# "always" applies these to every response, including error responses.
# Stop browsers from MIME-sniffing a response away from its declared Content-Type.
Header always set X-Content-Type-Options nosniff
# Refuse to be rendered inside a frame by any page, same-origin included (clickjacking).
Header always set X-Frame-Options DENY
# NOTE(review): legacy header; current major browsers have removed the XSS auditor
# and OWASP now recommends the value 0 (or omitting the header). The effective XSS
# control would be the Content-Security-Policy below, which is currently disabled.
Header always set X-XSS-Protection "1; mode=block"
# HSTS for one year. Browsers only honour this header on HTTPS responses;
# includeSubDomains means every subdomain of this host must also be served over
# TLS for the lifetime of the policy.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Full referrer same-origin, origin only to other HTTPS origins, nothing on HTTPS->HTTP.
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Disable CSP temporarily to allow Google Fonts
# NOTE(review): while this stays commented out there is no CSP at all. The draft
# policy below also allows 'unsafe-inline' and 'unsafe-eval' in script-src, which
# removes most of CSP's protection against injected scripts, and img-src https:
# permits images from any HTTPS origin. When re-enabling, prefer nonces or hashes
# for inline scripts/styles and keep the font/style allow-list as specific as it is.
# Header always set Content-Security-Policy "default-src 'self'; font-src 'self' https://fonts.gstatic.com data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src-elem 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self';"

# Routing. Rules are evaluated top to bottom; [L] ends the current pass, and in a
# per-directory (.htaccess) context mod_rewrite then re-runs the rules against the
# rewritten URL, so each target below is expected to be an existing file (which
# the !-f conditions then let through untouched).
# -f / -d conditions test the filesystem path; REQUEST_URI conditions test the URL.

# API Routes - Route to API entry point
# Only paths under api/ that do NOT exist on disk reach the front controller.
# NOTE(review): existing files and directories under api/ therefore bypass the
# PHP entry point and are handled by Apache's normal file serving — confirm that
# nothing outside api/public/ (configuration, vendored code, dotfiles) is
# reachable this way, or deny it explicitly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^api/(.*)$ api/public/index.php [QSA,L]

# Admin Frontend Routes - Serve admin static files first
# Allow admin static files (CSS, JS, images) to be served directly
# Matches only when the file actually exists; "-" keeps the URL unchanged.
RewriteCond %{REQUEST_URI} ^/admin/(assets|css|js|images)/
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [L]

# Allow direct access to font files and CSS from external sources
# Any URL ending in one of these extensions stops here, whether or not the file
# exists (a missing file then yields Apache's normal 404 rather than index.html).
RewriteCond %{REQUEST_URI} \.(woff|woff2|ttf|otf|eot|css)$ [NC]
RewriteRule .* - [L]

# Admin Backend API Routes - Route to Admin API endpoints
# Must precede the admin/(.*) fallback below, which would otherwise swallow these paths.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^admin/api/(.*)$ api/public/admin.php [QSA,L]

# Admin Frontend Routes - Fallback to admin index.html for all other admin routes
# SPA fallback: non-existent paths under admin/ are served the admin shell.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^admin/(.*)$ admin/index.html [QSA,L]

# Admin Root - Direct admin access redirects to index
# No -f/-d conditions here, presumably because admin/ exists as a directory and
# would fail the !-d test above; this is an internal rewrite, not an HTTP redirect.
RewriteRule ^admin/?$ admin/index.html [QSA,L]

# Frontend Routes - Serve static files or fallback to index.html
# Everything else that is not an existing file/directory and not under /api/ or
# /admin/ is served the storefront shell.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/(api|admin)/
RewriteRule ^(.*)$ index.html [QSA,L]

# Enable compression for better performance
# Applied only when mod_deflate is loaded; otherwise the block is skipped silently.
# NOTE(review): text/html and application/json responses are compressed as well. If
# such a response mixes a per-session secret (e.g. a CSRF token) with content a
# third party can influence, compression side channels (BREACH-class) become
# relevant — assess this at the application level rather than here.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    AddOutputFilterByType DEFLATE application/json
    # Font files (except already compressed formats)
    # woff/woff2 are deliberately absent: they are compressed internally.
    AddOutputFilterByType DEFLATE font/ttf
    AddOutputFilterByType DEFLATE font/otf
    AddOutputFilterByType DEFLATE application/font-ttf
    AddOutputFilterByType DEFLATE application/font-otf
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# Cache static assets
# mod_expires adds Expires and Cache-Control: max-age by content type; it leaves
# responses alone that already carry their own Expires header.
# NOTE(review): application/json is matched by content type, not by path, so JSON
# from the PHP entry points also receives the 1 hour lifetime unless the
# application sets Expires/Cache-Control itself — confirm that per-user or
# authenticated JSON responses are not cacheable for an hour.
<IfModule mod_expires.c>
    ExpiresActive On
    # image/jpg is not a registered media type and is unlikely to match anything;
    # image/jpeg below covers JPEG files.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/json "access plus 1 hour"
    # Font files
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType application/font-ttf "access plus 1 year"
    ExpiresByType application/font-otf "access plus 1 year"
</IfModule>

# CORS for fonts and external resources
<IfModule mod_headers.c>
    # Allow cross-origin requests for fonts
    # A wildcard origin means browsers never send credentials (cookies, HTTP auth)
    # with these requests. Font loads are plain GETs without custom headers, so the
    # Allow-Methods and Allow-Headers values below are wider than fonts need; they
    # only take effect on preflighted requests to these static files.
    <FilesMatch "\.(woff|woff2|ttf|otf|eot)$">
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
        Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    </FilesMatch>

    # Allow cross-origin requests for this site's own CSS files
    # NOTE(review): this affects stylesheets served from here, not the Google Fonts
    # CSS (that is served by Google with its own headers) — confirm that another
    # origin actually loads these files; otherwise the header is unnecessary.
    <FilesMatch "\.css$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

# Prevent hotlinking of images
# Disabled. If enabled, replace yourdomain\.com with the real host; the first
# condition exempts requests with no Referer (direct visits, privacy settings),
# and matching requests would receive 403 Forbidden.
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
#RewriteRule \.(jpg|jpeg|png|gif|webp)$ - [F]

# Limit request size (50MB for file uploads)
# Applies to every request body under this directory tree, API calls included;
# Apache rejects larger bodies with 413 before the request reaches a handler.
LimitRequestBody 52428800