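# NOTE(review): this listing reached review collapsed onto two lines, with its
# <IfModule>/<FilesMatch> containers missing. The containers below restore the
# scoping that the section comments describe. Every match pattern is a
# constructed example and must be checked against the deployed file.

# ============================================================
# Response header hygiene
# ============================================================
<IfModule mod_headers.c>
    # Remove the X-Powered-By banner from both header tables ("onsuccess" and
    # "always"), so it is also dropped from error responses.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # NOTE(review): Apache core usually writes the Server header after
    # mod_headers has run, so this line tends to have no effect. The banner is
    # reduced with "ServerTokens Prod" in the server config (not in .htaccess).
    Header unset Server
</IfModule>

# ============================================================
# Block access to sensitive files
# ============================================================
# Left unscoped, "Deny from all" would refuse every request to the site, so
# the rule sits in a <FilesMatch>. Constructed pattern: any file whose name
# starts with a dot (.env, .git*, ...). It matches file names, not directory
# names, so paths under /.well-known/ are not affected.
<FilesMatch "^\.">
    # Apache 2.4 syntax. mod_brotli (used below) only exists on 2.4, where
    # Order/Deny is an unknown directive unless mod_access_compat is loaded.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback, kept as written in the original.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ============================================================
# Compression (Brotli when available, Gzip as fallback)
# ============================================================
# NOTE(review): compressing HTML/JSON that carries a secret (for example a CSRF
# token) next to request-reflected data is the precondition for BREACH-style
# compression side channels. Confirm how the application handles such tokens.
<IfModule mod_filter.c>
    <IfModule mod_brotli.c>
        AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/css text/xml text/javascript
        AddOutputFilterByType BROTLI_COMPRESS application/javascript application/x-javascript application/json
        AddOutputFilterByType BROTLI_COMPRESS application/xml application/rss+xml application/atom+xml image/svg+xml
        AddOutputFilterByType BROTLI_COMPRESS font/ttf font/otf application/vnd.ms-fontobject
    </IfModule>
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml text/javascript
        AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
        AddOutputFilterByType DEFLATE application/xml application/rss+xml application/atom+xml image/svg+xml
        AddOutputFilterByType DEFLATE font/ttf font/otf application/vnd.ms-fontobject
    </IfModule>
</IfModule>

# ============================================================
# Cache-Control for static assets
# ============================================================
<IfModule mod_expires.c>
    ExpiresActive On
    # Applies to every type not listed below.
    ExpiresDefault "access plus 1 month"

    # HTML and JSON: do not cache (always fresh)
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/manifest+json "access plus 1 day"

    # CSS and JS: 1 year (cache-busting via ?v= or the Vite content hash)
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Images: 1 year
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/avif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"

    # Fonts: 1 year
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
    # The two Cache-Control rules must be scoped. Unscoped, the second
    # "Header set" replaces the first and no asset gets the long-lived policy.
    # Both patterns are constructed from the MIME types listed above.
    # These containers match files on disk only. Pages rendered through
    # index.php are not covered, so the application must send its own
    # Cache-Control on authenticated responses.

    # Long cache + immutable for hashed or versioned static assets
    <FilesMatch "\.(css|js|png|jpe?g|webp|avif|svg|ico|woff2?|eot)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # HTML always fresh
    <FilesMatch "\.html?$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>

    # Vary: Accept-Encoding (correct for CDNs/proxies)
    Header append Vary Accept-Encoding
</IfModule>

# ============================================================
# Laravel routing + security
# ============================================================
Options -MultiViews -Indexes

# Not wrapped in <IfModule mod_rewrite.c>: if the module is missing the server
# fails with an error instead of silently dropping the HTTPS redirect and the
# /storage/app block.
RewriteEngine On

# Force HTTPS
# NOTE(review): %{HTTP_HOST} is copied from the request's Host header. If this
# virtual host also answers for names it does not own (default/catch-all
# vhost), the redirect target is chosen by the client. Either restrict the
# vhost to its ServerName/ServerAlias or redirect to a fixed canonical host.
# Behind a TLS-terminating proxy %{HTTPS} may always read "off" and this rule
# would loop. Confirm the deployment topology.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block direct access to /storage/app
# NOTE(review): only this one path is refused. If this file is deployed at the
# project root rather than in public/, the rest of storage/ and other
# non-public paths are still reachable by URL. Pointing DocumentRoot at
# public/ is the more complete control.
RewriteRule ^storage/app/(.*)$ - [F,L]

# Handle Authorization Header
# Copies the header into an environment variable so PHP can read it.
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

# Handle X-XSRF-Token Header
RewriteCond %{HTTP:x-xsrf-token} .
RewriteRule .* - [E=HTTP_X_XSRF_TOKEN:%{HTTP:X-XSRF-Token}]

# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} (.+)/$
RewriteRule ^ %1 [L,R=301]

# Send Requests To Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]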