Default htaccess with security headers

.htaccess

Options -Indexes

RewriteEngine On

# Force https
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Disable folder navigation
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Add security headers
<IfModule mod_headers.c>
  Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
  Header set Expect-CT: max-age=2592000
  Header set X-Frame-Options: SAMEORIGIN
  Header set Referrer-Policy: "no-referrer"
  Header set X-XSS-Protection: "1; mode=block"
  Header set X-Content-Type-Options: nosniff
  Header set Content-Security-Policy ""
  #TODO: Permissions-Policy: geolocation=(self "https://domain.com"), microphone=()

  Header set X-UA-Compatible "IE=Edge"
  Header unset ETag
  <FilesMatch "\.(js|css|gif|png|jpeg|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$" >
    Header unset X-UA-Compatible
  </FilesMatch>
</IfModule>
FileETag None

# Gzip compress content
<ifModule mod_deflate.c>
    <filesMatch "\.(js|css|html|php)$">
        SetOutputFilter DEFLATE
    </filesMatch>
</ifModule>

# Expires caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 10 days"
</IfModule>