# BEGIN Really Simple Security Redirect
# Note: The "Really Simple Security" plugin is no longer used.
# This block keeps the HTTPS redirect functionality that the plugin provided.
<IfModule mod_rewrite.c>
RewriteEngine on
# Force HTTPS via Cloudflare header
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END Really Simple Security Redirect

# Protect sensitive files
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/?\.user\.ini$
    RewriteRule .* - [F,L,NC]
    RewriteCond %{REQUEST_URI} ^/?wp\-content/+debug\.log$
    RewriteRule .* - [F,L,NC]
</IfModule>

<IfModule !mod_rewrite.c>
    <Files ".user.ini">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
        </IfModule>
    </Files>
    <Files "debug.log">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
        </IfModule>
    </Files>
</IfModule>

# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
<IfModule LiteSpeed>
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule litespeed/debug/.*\.log$ - [F,L]
RewriteRule \.litespeed_conf\.dat - [F,L]

### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###

### marker MOBILE start ###
RewriteCond %{HTTP_USER_AGENT} Mobile|Android|Silk/|Kindle|BlackBerry|Opera\ Mini|Opera\ Mobi|Opera\ Mobile|Nexus|iOS|iPadOS|Safari|Samsung\ Browser|VivoBrowser|Huawei\ Browser|Chrome|Brave|Line|Edge|Facebook|Apple|Google [NC]
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+ismobile]
### marker MOBILE end ###

### marker NOCACHE COOKIES start ###
RewriteCond %{HTTP_COOKIE} \#\ Core\ WordPress|wordpress_logged_in_|wp\-postpass_|comment_author_|\#\ WooCommerce|woocommerce_cart_hash|woocommerce_items_in_cart|wp_woocommerce_session|Jetpack|jetpack_sso|jetpack_login_post_auth|\#\ Google\ /\ Site\ Kit|googlesitekit|_ga|_gid|_gat|mailchimp_landing_site|mailchimp_user_email|wfwaf\-authcookie\-|printful_session|printful_cart|__stripe_mid|__stripe_sid
RewriteRule .* - [E=Cache-Control:no-cache]
### marker NOCACHE COOKIES end ###

### marker NOCACHE USER AGENTS start ###
RewriteCond %{HTTP_USER_AGENT} Logged\-in|WordPress|wp\-admin|wp\-login|WooCommerce|curl|PostmanRuntime|Googlebot|Bingbot|Yandex|Slurp|DuckDuckBot|Baiduspider [NC]
RewriteRule .* - [E=Cache-Control:no-cache]
### marker NOCACHE USER AGENTS end ###

### marker LOGIN COOKIE start ###
RewriteRule .? - [E="Cache-Vary:,wp-postpass_4b21f4059005b0e68d81e14c25dda150"]
### marker LOGIN COOKIE end ###

### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} image/webp [OR]
RewriteCond %{HTTP_USER_AGENT} iPhone\ OS\ (1[4-9]|[2-9][0-9]) [OR]
RewriteCond %{HTTP_USER_AGENT} Firefox/([6-9][0-9]|[1-9][0-9]{2,})
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###

### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
CacheKeyModify -qs:geo
### marker DROPQS end ###

</IfModule>
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
### marker BROWSER CACHE start ###
<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType application/pdf A31557600
ExpiresByType image/x-icon A31557600
ExpiresByType image/vnd.microsoft.icon A31557600
ExpiresByType image/svg+xml A31557600
ExpiresByType image/jpg A31557600
ExpiresByType image/jpeg A31557600
ExpiresByType image/png A31557600
ExpiresByType image/gif A31557600
ExpiresByType image/webp A31557600
ExpiresByType image/avif A31557600
ExpiresByType video/ogg A31557600
ExpiresByType audio/ogg A31557600
ExpiresByType video/mp4 A31557600
ExpiresByType video/webm A31557600
ExpiresByType text/css A31557600
ExpiresByType text/javascript A31557600
ExpiresByType application/javascript A31557600
ExpiresByType application/x-javascript A31557600
ExpiresByType application/x-font-ttf A31557600
ExpiresByType application/x-font-woff A31557600
ExpiresByType application/font-woff A31557600
ExpiresByType application/font-woff2 A31557600
ExpiresByType application/vnd.ms-fontobject A31557600
ExpiresByType font/ttf A31557600
ExpiresByType font/otf A31557600
ExpiresByType font/woff A31557600
ExpiresByType font/woff2 A31557600
</IfModule>
### marker BROWSER CACHE end ###
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE

## Updraft test
RewriteRule .* - [E=noabort:1]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# ========================================
# PRODUCTION CORS POLICY (LiteSpeed)
# ========================================
<IfModule LiteSpeed>
    SetEnvIf Origin "https://(.*\.(apple\.com|audiomack\.com|audius\.co|bandcamp\.com|beatport\.com|bsky\.app|cloudflare\.com|cloudflareinsights\.com|cloudfront\.net|chimpstatic\.com|coinbase\.com|deezer\.com|digitalocean\.com|distrokid\.com|duckduckgo\.com|elementor\.com|elementorcloud\.com|facebook\.com|facebook\.net|gstatic\.com|github\.com|githubusercontent\.com|gnudb\.org|gravatar\.com|hcaptcha\.com|ko-fi\.com|last\.fm|music\.amazon\.com|musicbrainz\.org|napster\.com|pinterest\.com|panduh\.dev|porkbun\.com|printful\.com|reddit\.com|semrush\.com|shortpixel\.com|slant\.so|sniffies\.com|soundcloud\.com|stripe\.com|stripe\.network|tiktok\.com|tiktokcdn\.us\.com|tidal\.com|tumblr\.com|twitch\.tv|wp\.com|wordpress\.com|google-analytics\.com|googletagmanager\.com|instagram\.com|youtube\.com|wincher\.com))" ORIGIN_OK=$0
    Header always set Access-Control-Allow-Origin %{ORIGIN_OK}e env=ORIGIN_OK
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
    Header always set Access-Control-Allow-Credentials "true"
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>
# ========================================
# END PRODUCTION CORS POLICY
# ========================================

# BEGIN ShortPixelWebp
# END ShortPixelWebp

# Wordfence WAF
<IfModule LiteSpeed>
php_value auto_prepend_file '/home/frankpanduh.com/public_html/wordfence-waf.php'
</IfModule>
<IfModule lsapi_module>
php_value auto_prepend_file '/home/frankpanduh.com/public_html/wordfence-waf.php'
</IfModule>
<Files ".user.ini">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
</Files>
# END Wordfence WAF

# BEGIN Really Simple Security No Index
Options -Indexes
# END Really Simple Security No Index