# SecureBit.chat - Apache Configuration # Comprehensive caching configuration for forced updates # ============================================ # MIME TYPES - MUST BE FIRST (before other rules) # ============================================ # Critical: Set MIME types BEFORE any other rules to ensure correct Content-Type headers # JavaScript modules - explicit order matters AddType application/javascript .jsx AddType application/javascript .mjs AddType application/javascript .js AddType application/json .json # Fonts AddType font/woff .woff AddType font/woff2 .woff2 AddType application/font-woff .woff AddType application/font-woff2 .woff2 # Service Worker AddType application/manifest+json .webmanifest # Force Content-Type headers (override any server defaults) # All JavaScript files including JSX - CRITICAL for ES modules Header always set Content-Type "application/javascript; charset=utf-8" # Enable mod_rewrite RewriteEngine On RewriteBase / # ============================================ # CRITICAL FILES - NO CACHING # ============================================ # meta.json - versioning file (never cache) Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0" Header set Pragma "no-cache" Header set Expires "0" Header set X-Content-Type-Options "nosniff" # HTML files - always fresh Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0" Header set Pragma "no-cache" Header set Expires "0" # Remove ETag for validation Header unset ETag FileETag None # Service Worker - no cache Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0" Header set Pragma "no-cache" Header set Expires "0" Header set Service-Worker-Allowed "/" # manifest.json - no cache Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0" Header set Pragma "no-cache" Header set Expires "0" # ============================================ # STATIC RESOURCES - AGGRESSIVE CACHING # ============================================ # JavaScript files in dist/ - no cache (for updates) Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0" Header set Pragma "no-cache" Header set Expires "0" Header set X-Content-Type-Options "nosniff" # JavaScript files with hashes in other locations - long cache # Files with hashes in name - cache for one year Header set Cache-Control "public, max-age=31536000, immutable" Header set X-Content-Type-Options "nosniff" # CSS files - long cache Header set Cache-Control "public, max-age=31536000, immutable" # Images - long cache Header set Cache-Control "public, max-age=31536000, immutable" # Fonts - long cache Header set Cache-Control "public, max-age=31536000, immutable" Header set Access-Control-Allow-Origin "*" # Audio/Video - long cache Header set Cache-Control "public, max-age=31536000, immutable" # ============================================ # SECURITY # ============================================ # XSS Protection Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options "nosniff" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set X-Frame-Options "DENY" # Content Security Policy (frame-ancestors and report-uri only work in HTTP headers, not meta tags) Header set Content-Security-Policy "frame-ancestors 'none'; report-uri /csp-report; report-to csp-endpoint;" # ============================================ # GZIP COMPRESSION # ============================================ # Compress text files AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json application/xml # Compress fonts AddOutputFilterByType DEFLATE font/woff font/woff2 application/font-woff application/font-woff2 # ============================================ # CLOUDFLARE RULES # ============================================ # Cloudflare can cache static files, but should not cache: # - meta.json # - index.html # - sw.js # - manifest.json # These rules are applied at Cloudflare Page Rules level # (see CLOUDFLARE_SETUP.md documentation) # ============================================ # SPA FALLBACK # ============================================ # If file not found, redirect to index.html (for SPA routing) RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{REQUEST_URI} !^/meta\.json$ RewriteCond %{REQUEST_URI} !^/sw\.js$ RewriteCond %{REQUEST_URI} !^/manifest\.json$ RewriteRule ^(.*)$ /index.html [L] # ============================================ # LOGGING (optional) # ============================================ # Uncomment for debugging # LogLevel rewrite:trace3