<IfModule mod_mime.c>
    AddType application/javascript js mjs
    AddType application/manifest+json webmanifest
    AddType application/json map
    AddCharset utf-8 .appcache \
    .atom \
    .css \
    .js \
    .json \
    .manifest \
    .map \
    .mjs \
    .rdf \
    .rss \
    .vtt \
    .webmanifest \
    .xml
</IfModule>

<IfModule mod_expires.c>
    ExpiresActive on
    ExpiresDefault "access plus 1 year"
    ExpiresByType text/cache-manifest "access plus 0 seconds"
    
    <Files "favicon.ico">
        ExpiresByType image/x-icon "access plus 1 hour"
    </Files>
    
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType application/atom+xml "access plus 1 hour"
    ExpiresByType application/rdf+xml "access plus 1 hour"
    ExpiresByType application/rss+xml "access plus 1 hour"
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/ld+json "access plus 0 seconds"
    ExpiresByType application/schema+json "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"
    ExpiresByType text/html "access plus 0 seconds"
</IfModule>

<Files xmlrpc.php>
    Require all denied
</Files>
<Files wp-comments-post.php>
    Require all denied
</Files>
<Files wp-config.php>
    Require all denied
</Files>

<IfModule mod_headers.c>
    Header set Content-Security-Policy "connect-src 'self'; object-src 'none'; upgrade-insecure-requests; block-all-mixed-content;"
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "microphone=(), camera=()"
    Header always set Cross-Origin-Embedder-Policy "require-corp"
    Header always set Cross-Origin-Opener-Policy "same-origin"
    Header always set Cross-Origin-Resource-Policy "same-origin"
    
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ic[os]|jpe?g|m?js|json(ld)?|m4[av]|manifest|map|markdown|md|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xpi)$">
        Header unset X-UA-Compatible
    </FilesMatch>
    
    Header unset X-Powered-By
    Header unset X-AspNet-Version
    Header unset X-AspNetMvc-version
</IfModule>