# rewrite rules
<IfModule mod_rewrite.c>
	# these are required for "per-directory rewrites"
	Options FollowSymLinks
	RewriteEngine On

	# uncomment following line if your webserver's URL is not directly related to physical file paths.
	RewriteBase /

	# disable image 'hotlinking': https://httpd.apache.org/docs/current/rewrite/access.html
	RewriteCond "%{HTTP_REFERER}" "!^$"
	RewriteCond "%{HTTP_REFERER}" "!www.qbittorrent.org" [NC]
	RewriteRule "\.(gif|jpg|png|svg)$" "-" [NC,F]

	# redirect `/file.php` to `/file`
	RewriteCond %{REQUEST_URI} ^/([^.]+)\.php$ [NC]
	RewriteRule ^(.*)$ /%1 [L,R=301]

	# under the hood, map `/file` back to `/file.html`
	RewriteCond %{REQUEST_FILENAME}.html -f
	RewriteRule ^(.*)$ %{REQUEST_URI}.html

	# redirect http -> https
	RewriteCond %{HTTPS} off
	RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [END,R=301]

	# redirect from top level domain to www
	RewriteCond %{HTTP_HOST} !^www\. [NC]
	RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [L,R=301]
</IfModule>

<IfModule mod_headers.c>
	Header always set Strict-Transport-Security "max-age=31536000"

	Header always set X-Frame-Options "SAMEORIGIN"
	Header always set X-XSS-Protection "1; mode=block"
	Header always set X-Content-Type-Options "nosniff"

	Header always set Referrer-Policy "same-origin"
</IfModule>

# control "max-age" & "Cache-Control" in HTTP header
<IfModule mod_expires.c>
	# for etag, exclude INode
	FileETag All -INode

	ExpiresActive On
	ExpiresDefault "access plus 7 days"

	ExpiresByType application/atom+xml "access plus 2 hour"
	ExpiresByType text/css  "access plus 2 hours"
	ExpiresByType text/html "access plus 2 hours"
</IfModule>
