# Deny access to sensitive files
Require all denied

# Gzip compression
AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json font/ttf font/woff font/woff2

# JS and HTML — always revalidate so code changes are visible immediately.
# The script tag ?v= param busts the cache on intentional deploys.
Header set Cache-Control "no-cache, must-revalidate"

# JSON data files — same: revalidate on every request
Header set Cache-Control "no-cache, must-revalidate"

# CSS — revalidate (style changes need to show immediately too)
Header set Cache-Control "no-cache, must-revalidate"

# Fonts — truly immutable; safe to cache for 1 year
Header set Cache-Control "public, max-age=31536000, immutable"