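# HexaHost.de .htaccess
# Security and performance settings.
#
# NOTE(review): the copy of this file under review had every directive
# collapsed onto three lines and the <IfModule>/<FilesMatch> container tags
# stripped.  That matters: the access-control blocks at the end reduced to a
# bare "Order allow,deny / Deny from all", which at directory level would deny
# the entire site.  The structure is restored below.  The <FilesMatch>
# patterns are reconstructed from the original comments only and MUST be
# checked against the deployed file before this is used.

# --- Security headers --------------------------------------------------------
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff

    # X-Frame-Options is intentionally NOT set: it would block Google Tag
    # Assistant, which loads the site inside an iframe.  Framing is restricted
    # per origin through the CSP frame-ancestors directive instead.

    # The legacy browser XSS auditor is switched off ("0").  "1; mode=block"
    # is deprecated; current browsers have removed the auditor, and in the
    # browsers that still have it the filter can be turned into an
    # information-leak side channel.  CSP is the supported XSS defence.
    Header always set X-XSS-Protection "0"

    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # Content Security Policy.
    # NOTE(review): script-src still carries 'unsafe-inline', so this policy
    # does NOT block injected inline scripts -- it only restricts which
    # external hosts scripts may be loaded from.  For real XSS protection,
    # move the GTM snippet and any other inline scripts to nonce- or
    # hash-based allow-listing and drop 'unsafe-inline'.  The same applies,
    # with lower impact, to style-src.  Also review the connect-src list
    # periodically: https://www.google.com is allowed and its purpose is not
    # documented here.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://cdn.hexahost.de https://www.google-analytics.com https://www.googletagmanager.com data:; connect-src 'self' https://www.googletagmanager.com https://www.google.com https://www.google-analytics.com https://region1.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self' https://tagassistant.google.com; base-uri 'self'; form-action 'self'"

    # HSTS.  includeSubDomains + preload is effectively irreversible once the
    # domain is accepted into the browser preload list: every subdomain
    # (including dev.hexahost.de) must be reachable over HTTPS with a valid
    # certificate from then on.  Browsers ignore this header on plain-HTTP
    # responses, so sending it before the redirect below is harmless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

# --- Rewrites ----------------------------------------------------------------
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Force HTTPS, but only for the known hostnames so an arbitrary Host
    # header is never echoed into a redirect Location.
    # NOTE(review): %{HTTPS} reads "off" behind a TLS-terminating proxy or
    # load balancer; if one sits in front of this host, test
    # %{HTTP:X-Forwarded-Proto} instead or this becomes a redirect loop.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP_HOST} ^(www\.)?(hexahost\.de|dev\.hexahost\.de)$ [NC]
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Block direct access to internal directories.  These rules sit BEFORE the
    # clean-URL rules so a request into these paths is answered 403 at once
    # instead of first being 301'ed to an extension-less URL and then
    # forbidden on the next pass.  (403 is rendered by /404.php, see
    # ErrorDocument below, so the paths are not distinguishable from
    # non-existent ones.)
    RewriteRule ^config/   - [F,L]
    RewriteRule ^includes/ - [F,L]
    RewriteRule ^logs/     - [F,L]

    # Strip ".php" from public URLs.
    # Step 1: an external request that names a .php file is redirected (301)
    # to the extension-less URL.  contact-handler is excluded because it is
    # presumably a form POST target -- a 301 would turn the POST into a GET
    # and drop the body (confirm against the form markup).  config/ is
    # excluded so its paths never show up in a Location header.
    RewriteCond %{THE_REQUEST} \s/([^.]+)\.php[\s?] [NC]
    RewriteCond %{REQUEST_URI} !^/(contact-handler|config/)
    RewriteRule ^(.+)\.php$ /$1 [R=301,L]

    # Step 2: /index.php -> /
    RewriteCond %{THE_REQUEST} \s/index\.php[\s?] [NC]
    RewriteRule ^index\.php$ / [R=301,L]

    # Step 3: extension-less URL -> the .php file, internally (no redirect),
    # only when nothing else exists at that path and the .php file does.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+)$ $1.php [L]

    # Legacy support: old .html links are redirected (301) to the
    # extension-less URL, which step 3 then resolves.  A real .html file that
    # exists on disk is served as-is because of the !-f condition.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^\.]+)\.html$ $1 [L,R=301]
</IfModule>

# --- File-level access control ----------------------------------------------
# Both the Apache 2.4 (mod_authz_core) and 2.2 (mod_access_compat) forms are
# given so the file works unchanged on either.
# NOTE(review): the patterns below are placeholders reconstructed from the
# original comments ("protect configuration files", "restrict file access",
# "exception for required XML files"); restore the exact patterns from the
# deployed file.

# Configuration / credential files must never be downloadable.
<FilesMatch "\.(env|ini|conf|sql|log|bak)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Other non-public files that may sit next to the pages.
# TODO(review): original pattern lost -- see note above.
<FilesMatch "\.(md|lock|xml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Exception: XML files that must stay reachable (sitemaps, feeds).  A later
# <FilesMatch> overrides an earlier one for the names it matches.
<FilesMatch "\.xml$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</FilesMatch>

# --- Cache headers for static files ------------------------------------------
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    # image/jpg is not a registered MIME type; kept for parity with the
    # original, image/jpeg below is the one that normally matches.
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType font/woff "access plus 1 month"
    ExpiresByType font/woff2 "access plus 1 month"
</IfModule>

# --- Gzip compression ----------------------------------------------------------
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

# --- PHP settings --------------------------------------------------------------
# NOTE(review): php_value is only understood when PHP runs as an Apache module
# (mod_php).  Under PHP-FPM/CGI these lines make Apache reject the whole
# .htaccess with a 500; in that case move them to a .user.ini or the FPM pool
# configuration.  They are deliberately not wrapped in <IfModule> because the
# module name differs per PHP version (mod_php5.c, mod_php7.c, mod_php.c).
php_value upload_max_filesize 10M
php_value post_max_size 10M
php_value max_execution_time 30
php_value memory_limit 128M

# --- Error handling --------------------------------------------------------------
# 400/401/403 are deliberately rendered with the 404 page so that forbidden
# paths (config/, includes/, logs/, denied file types) cannot be told apart
# from missing ones.  The HTTP status code itself is unchanged.
ErrorDocument 400 /404.php
ErrorDocument 401 /404.php
ErrorDocument 403 /404.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php
ErrorDocument 502 /500.php
ErrorDocument 503 /500.php

# --- Directory listing -----------------------------------------------------------
# NOTE(review): some shared hosts do not include "Options" in AllowOverride;
# there this single line produces a 500 for the whole site.
Options -Indexes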