# ─────────────────────────────────────────────────────────────────────────────
# .htaccess — Beck Cabinet Company Portal
# beckportal.com · cPanel / Apache + Node.js (Phusion Passenger)
# ─────────────────────────────────────────────────────────────────────────────

# ── Passenger (cPanel Node.js) ────────────────────────────────────────────────
# Hands requests in this directory to the Node.js app via Phusion Passenger.
# cPanel's "Setup Node.js App" normally writes an equivalent block itself;
# repeating it here keeps the settings in version control.
# (Apache has no trailing comments — keep every "#" at the start of a line.)

# Application environment; Passenger exposes this to Node apps as NODE_ENV.
PassengerAppEnv production

# Entry point, relative to the Passenger application root.
PassengerStartupFile server.js

# Node binary used to run the app.
# NOTE(review): cPanel usually points this at a per-app nodevenv binary rather
# than the system node — verify the path matches the host's setup.
PassengerNodejs /usr/local/bin/node

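# ── Rewrite engine ────────────────────────────────────────────────────────────
RewriteEngine On

# ── Canonical host first, then scheme ─────────────────────────────────────────
# www.beckportal.com → beckportal.com (always over HTTPS).
# This rule runs BEFORE the HTTPS rule so that http://www.beckportal.com/x
# reaches https://beckportal.com/x in a single redirect; with the previous
# ordering it took two hops (http://www → https://www → https://).
RewriteCond %{HTTP_HOST} ^www\.beckportal\.com$ [NC]
RewriteRule ^ https://beckportal.com%{REQUEST_URI} [L,R=301]

# ── Force HTTPS ───────────────────────────────────────────────────────────────
# Any remaining plain-HTTP request is redirected to the same host over HTTPS.
# %{HTTPS} is set by mod_ssl when TLS terminates in this Apache (the cPanel
# default); it will not be set if TLS is terminated by an upstream proxy.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── Route everything else to Node.js ──────────────────────────────────────────
# Anything that is not an existing file or directory is rewritten to the
# Passenger startup file.
# NOTE(review): cPanel's generated Passenger block contains no such rule —
# Passenger already routes requests that do not match a static file to the
# app — and server.js is also on the deny list in the "Protect sensitive
# files" section below. Confirm on the host that this rule is still needed.
# NOTE(review): %{REQUEST_FILENAME} resolves against the document root, so
# assets in public/ only satisfy the -f test if public/ IS the document root.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ server.js [L]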

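# ── Security headers ──────────────────────────────────────────────────────────
# "always" applies the header to error responses too. These also cover the
# responses produced by the Node.js app, since Passenger runs inside Apache.
<IfModule mod_headers.c>
  # Stop browsers from guessing a MIME type that differs from Content-Type.
  Header always set X-Content-Type-Options "nosniff"

  # Legacy clickjacking defence; CSP frame-ancestors below is the modern form
  # and carries the same policy (no framing at all).
  Header always set X-Frame-Options "DENY"

  # Disable the legacy XSS auditor. Current browsers no longer ship it, and in
  # the older ones that do, "1; mode=block" can itself be abused to leak
  # cross-site information — OWASP now recommends "0". CSP is the real control.
  Header always set X-XSS-Protection "0"

  # Full referrer to our own origin, origin-only on cross-origin HTTPS
  # navigations, nothing on an HTTPS→HTTP downgrade.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # HSTS for one year including subdomains. env=HTTPS limits it to TLS
  # responses (browsers ignore HSTS over plain HTTP anyway). Add "; preload"
  # only once every subdomain is confirmed to be HTTPS-only — it is hard to undo.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

  # Content-Security-Policy
  #  default-src 'self'             - fallback for every fetch directive not listed
  #  script-src  'self' 'unsafe-inline'
  #      own scripts plus inline <script> blocks / event handlers.
  #      NOTE(review): 'unsafe-inline' lets an injected inline script run, so
  #      this policy does not stop XSS; move inline scripts into files or use
  #      nonces/hashes when the portal's markup allows it.
  #      (Google Fonts serves only CSS and font files; it needs no script-src entry.)
  #  style-src   'self' 'unsafe-inline' fonts.googleapis.com - own + Google Fonts CSS
  #  font-src    'self' fonts.gstatic.com  - Google Fonts files
  #  img-src     'self' data:              - own images + data: URIs (inline SVG/watermark)
  #  connect-src 'self'                    - XHR/fetch only to this origin
  #  object-src  'none'                    - no plugins / <object> / <embed>
  #  base-uri    'self'                    - <base> cannot be retargeted
  #                                          (base-uri does NOT fall back to default-src)
  #  frame-ancestors 'none'                - CSP equivalent of X-Frame-Options DENY
  # Consider adding form-action 'self' if no form posts to a third-party origin.
  # Adjust if third-party scripts are added later.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
</IfModule>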

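# ── Protect sensitive files ───────────────────────────────────────────────────
# These rules matter if the app root (server.js, .env, package.json, …) is the
# document root; if the document root is public/ they are harmless
# defence in depth.
# Apache 2.4 uses "Require all denied"; "Order/Deny" is the 2.2 form and only
# works on 2.4 when mod_access_compat is loaded, so both are emitted, guarded
# by IfModule, to avoid a 500 on either kind of host.

# Every dotfile (.env, .env.example, .env.production, .npmrc, .gitignore, …)
# plus the app's own source/config files. The alternation is deliberately
# unanchored — a strict superset of the previous list — so variants such as
# server.js.bak or db.js.old stay blocked; an over-broad deny fails safe.
# FilesMatch tests the file name only, so files under .well-known/ (ACME
# tokens) are unaffected unless the file itself starts with a dot.
<FilesMatch "^\.|\.env|package\.json|package-lock\.json|monday-config\.js|db\.js|auth\.js|tokens\.js|server\.js">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Logs, SQL dumps, shell scripts, backups and editor leftovers.
<FilesMatch "\.(log|sql|sh|bak|old|orig|swp)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Directories that must never be reachable over HTTP: maintenance scripts,
# installed dependencies and VCS metadata (the latter two if present).
# This sits after the catch-all rewrite above, which is fine: requests for
# files or directories that exist skip that rewrite and reach this rule, and
# paths that do not exist are handed to Node.js with nothing to disclose.
<IfModule mod_rewrite.c>
  RewriteRule ^(scripts|node_modules|\.git)(/|$) - [F,L]
</IfModule>

# ── Prevent directory listing ─────────────────────────────────────────────────
Options -Indexes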

# ── Cache static assets ───────────────────────────────────────────────────────
# "A<seconds>" is mod_expires shorthand for "access plus <seconds>":
#   2592000 s = 30 days, 31536000 s = 1 year, 0 = expire immediately.
<IfModule mod_expires.c>
  ExpiresActive On

  # Images (logo etc.) — 30 days
  ExpiresByType image/png     A2592000
  ExpiresByType image/jpeg    A2592000
  ExpiresByType image/svg+xml A2592000

  # Web fonts — 1 year
  ExpiresByType font/woff2    A31536000
  ExpiresByType font/woff     A31536000

  # HTML — expire at once so the portal always revalidates.
  # NOTE(review): this produces Cache-Control: max-age=0, not no-store; pages
  # that carry per-user data should additionally get "Cache-Control: no-store"
  # from the Node.js app.
  ExpiresByType text/html     A0
</IfModule>

# ── Compression ───────────────────────────────────────────────────────────────
# gzip the text-like response types; one directive per type so future
# additions or removals show up as single-line diffs.
# NOTE(review): compressing HTML/JSON that echoes user-controlled input next
# to a secret (CSRF token, session id) is the BREACH attack surface — confirm
# the Node.js responses do not do that, or exclude those routes.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/json
</IfModule>
