﻿# ====================================================================
# HUEWINE — Apache .htaccess
# Performance, security and SEO directives for shared/dedicated Apache hosts.
# Safe to remove sections your host doesn't support.
# ====================================================================

# ---------- 1 & 2. Force HTTPS + drop the www (needs mod_rewrite) ----------
<IfModule mod_rewrite.c>
  # Both redirects exist only while mod_rewrite is loaded. Without it this
  # container is skipped silently and plain-HTTP requests are served as they are.
  RewriteEngine On

  # Force HTTPS
  # Any request with %{HTTPS} "off" gets a 301 to the same host and URI over
  # https. The target host is copied from the request's Host header, which the
  # client controls, so the redirect is only as strict as the virtual host's own
  # name matching.
  # NOTE(review): pinning the target to https://huewine.com would stop arbitrary
  # Host values being echoed into Location; confirm no other hostname is served
  # from this directory before changing it.
  # NOTE(review): if TLS is terminated on a proxy or CDN in front of Apache,
  # %{HTTPS} may read "off" on every request; verify there is no redirect loop.
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Canonical host (drop the www)
  # Runs after the HTTPS rule, so http://www.huewine.com/... takes two 301s:
  # first to https://www..., then to the bare domain.
  # The host pattern is anchored at both ends and case-insensitive ([NC]); a Host
  # value carrying an explicit port (www.huewine.com:443) does not match it.
  # $1 is the path relative to the directory holding this file.
  # NOTE(review): assumes this .htaccess sits in the document root; in a
  # subdirectory the redirect would drop that directory from the path. Confirm.
  RewriteCond %{HTTP_HOST} ^www\.huewine\.com$ [NC]
  RewriteRule ^(.*)$ https://huewine.com/$1 [L,R=301]
</IfModule>

# ---------- 3. Default document ----------
# A request for a directory URL is answered with that directory's index.html.
DirectoryIndex index.html

# ---------- 4. Custom error pages ----------
# Only 404 has a custom page here. The 403 responses produced by the access
# rules in sections 11 and 12 use whatever 403 page the server is otherwise
# configured with.
ErrorDocument 404 /404.html

# ---------- 5. Gzip/Deflate compression ----------
<IfModule mod_deflate.c>
  # One MIME type per directive; the set of compressed types is unchanged.
  # NOTE(review): compressing HTTPS responses that combine a secret with
  # request-reflected text is the precondition for length side channels such as
  # BREACH. The types below look like static content; confirm no authenticated,
  # dynamic pages are served from this tree.

  # Markup and plain text
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml

  # Stylesheets, scripts and JSON
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/json

  # Vector images
  AddOutputFilterByType DEFLATE image/svg+xml

  # Fonts (WOFF and WOFF2 are already compressed formats, so the gain is small)
  AddOutputFilterByType DEFLATE font/woff
  AddOutputFilterByType DEFLATE font/woff2
</IfModule>

# ---------- 6. Brotli compression (if mod_brotli available) ----------
<IfModule mod_brotli.c>
  # Brotli is applied to a narrower list than the DEFLATE section above:
  # text/plain, the XML types, application/x-javascript and the font types are
  # not listed here.
  AddOutputFilterByType BROTLI_COMPRESS text/html
  AddOutputFilterByType BROTLI_COMPRESS text/css
  AddOutputFilterByType BROTLI_COMPRESS text/javascript
  AddOutputFilterByType BROTLI_COMPRESS application/javascript
  AddOutputFilterByType BROTLI_COMPRESS application/json
  AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
</IfModule>

# ---------- 7. Long-cache for static assets ----------
<IfModule mod_expires.c>
  ExpiresActive On

  # Fallback for any type not listed below.
  ExpiresDefault "access plus 1 month"

  # One hour: HTML, so content updates roll out quickly.
  ExpiresByType text/html "access plus 1 hour"

  # One day: XML, which covers the sitemap.
  ExpiresByType text/xml "access plus 1 day"
  ExpiresByType application/xml "access plus 1 day"

  # One year: CSS and JavaScript. File names should be versioned in production,
  # otherwise a changed file keeps being served from browser caches.
  ExpiresByType text/css "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"

  # One year: images. image/jpg is not a registered type; it is kept alongside
  # image/jpeg as a catch-all.
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/jpg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"

  # One year: fonts, under both the font/* and the older application/* names.
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType application/font-woff "access plus 1 year"
  ExpiresByType application/font-woff2 "access plus 1 year"
</IfModule>

# ---------- 8. Cache-Control headers ----------
<IfModule mod_headers.c>
  # Everything in this container, including the security headers in section 9,
  # is applied only when mod_headers is loaded; otherwise it is skipped without
  # an error. NOTE(review): check the response headers on the live host rather
  # than assuming they are present.

  # One-year immutable cache for static assets. The match is by file extension
  # anywhere under this directory, not by an /assets path, so an unversioned
  # file that later changes can stay stale in browsers for up to a year.
  # Set without "always", so it is not added to error responses.
  <FilesMatch "\.(css|js|png|jpg|jpeg|webp|gif|svg|ico|woff|woff2|ttf|eot)$">
    Header set Cache-Control "public, max-age=31536000, immutable"
  </FilesMatch>
  # Short cache for HTML: one hour, then revalidate.
  <FilesMatch "\.(html|htm)$">
    Header set Cache-Control "public, max-age=3600, must-revalidate"
  </FilesMatch>

  # ---------- 9. Security headers ----------
  # "always" adds these to error and redirect responses as well as successes.
  # NOTE(review): no Content-Security-Policy is set in this file; confirm
  # whether one is delivered elsewhere.

  # Browsers must use the declared Content-Type instead of sniffing it.
  Header always set X-Content-Type-Options "nosniff"
  # Only same-origin pages may frame this site (clickjacking defence). The CSP
  # directive frame-ancestors 'self' is the current-standard equivalent.
  Header always set X-Frame-Options "SAMEORIGIN"
  # Cross-origin requests receive only the origin as referrer, never the path.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  # Geolocation, microphone and camera are disabled for this site and its frames.
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  # HSTS is sent only when %{HTTPS} is 'on'. includeSubDomains commits every
  # subdomain of the responding host to HTTPS for one year, so every subdomain
  # must be able to serve HTTPS before this is deployed.
  # NOTE(review): behind a TLS-terminating proxy %{HTTPS} may never be 'on',
  # in which case this header is never sent. Verify on the live host.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"

  # ---------- 10. Block hotlinking the OG image (optional) ----------
  # Disabled example. The Referer header is client-supplied, so this deters
  # casual hotlinking only and is not an access control. The host pattern ends
  # with (/|$) so that a look-alike host beginning with "huewine.com." does not
  # match, and the rule uses Apache 2.4 "Require" syntax to agree with
  # section 12 instead of the 2.2 Order/Deny/Allow directives.
  # NOTE(review): link-preview crawlers fetch the OG image without a matching
  # Referer, so enabling this would likely break previews. Confirm before use.
  # SetEnvIfNoCase Referer "^https?://(www\.)?huewine\.com(/|$)" allowed
  # <FilesMatch "og-default\.jpg">
  #   Require env allowed
  # </FilesMatch>
</IfModule>

# ---------- 11. Disable directory listing ----------
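# A directory without an index.html answers 403 instead of listing its files.
# The host must permit "Options" overrides in .htaccess for this line to load.
Options -Indexes

# ---------- 12. Block access to sensitive files ----------
# Defence in depth: these files should not be deployed to the web root at all.
# The match is case-insensitive, like the directory rule below, and also covers
# ".env.<suffix>" variants (.env.local, .env.production, ...), which the plain
# "\.env$" alternative does not reach.
# "Require" is Apache 2.4 syntax. It is intentionally not wrapped in an
# <IfModule> so that a host which cannot apply it fails with an error instead
# of silently serving these files.
<FilesMatch "(?i)(^\.env\.|\.(env|log|sql|md|yml|yaml|gitignore|gitattributes|htaccess|htpasswd)$)">
  Require all denied
</FilesMatch>
# Block access to dev/VCS directories (DirectoryMatch is NOT allowed in .htaccess)
# Answers 403 for any URL path with a segment named .git, .vscode, .idea or
# .optimization-backup, in any letter case. Only these four names are covered.
RedirectMatch 403 (?i)(^|/)\.(git|vscode|idea|optimization-backup)(/|$)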

# ---------- 13. UTF-8 default ----------
# Declares UTF-8 on text/html and text/plain responses that carry no charset,
# so browsers do not have to guess the encoding.
AddDefaultCharset UTF-8
# Extension-based charset for the remaining text formats. This is a mod_mime
# directive and, unlike section 14, is not wrapped in <IfModule mod_mime.c>.
AddCharset UTF-8 .html .css .js .xml .txt

# ---------- 14. MIME types (safety net) ----------
<IfModule mod_mime.c>
  # Section 9 sends X-Content-Type-Options: nosniff, so browsers will not
  # correct a wrong Content-Type; these mappings keep newer formats served
  # under the right type even if the host's own MIME table lacks them.

  # Web app manifest
  AddType application/manifest+json .webmanifest

  # Fonts
  AddType font/woff2 .woff2

  # Images
  AddType image/svg+xml .svg
  AddType image/webp .webp
</IfModule>


# 301 redirects: legacy /prodect/ -> /products/
# Permanent redirect that keeps everything after the misspelled prefix. The
# target is a fixed site-relative path, so the captured part cannot change the
# destination host.
RedirectMatch 301 ^/prodect/(.*)$ /products/$1
