# Deny access to sensitive files
Require all denied
# Gzip compression
AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json font/ttf font/woff font/woff2
# JS and HTML — always revalidate so code changes are visible immediately.
# The script tag ?v= param busts the cache on intentional deploys.
Header set Cache-Control "no-cache, must-revalidate"
# JSON data files — same: revalidate on every request
Header set Cache-Control "no-cache, must-revalidate"
# CSS — revalidate (style changes need to show immediately too)
Header set Cache-Control "no-cache, must-revalidate"
# Fonts — truly immutable; safe to cache for 1 year
Header set Cache-Control "public, max-age=31536000, immutable"