# Disable caching for Elementor, wp-admin and the REST API (sets the no_cache env var).
# SetEnvIf Request_URI is an unanchored regex match: ".*elementor.*" also hits
# static assets under /wp-content/plugins/elementor/, so those are served
# uncacheable as well. Anchored patterns such as "^/wp-json/" would limit this
# to the dynamic endpoints.
SetEnvIf Request_URI ".*elementor.*" no_cache
SetEnvIf Request_URI ".*wp-admin.*" no_cache
SetEnvIf Request_URI ".*wp-json.*" no_cache
# Tell browsers and shared caches not to store these (often authenticated)
# responses. Plain "Header set" acts on successful (2xx) responses only;
# redirects and error responses keep their default cacheability.
Header set Cache-Control "no-cache, no-store, must-revalidate" env=no_cache
Header set Pragma "no-cache" env=no_cache
Header set Expires "0" env=no_cache
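# FIX 500 ERRORS AND AJAX ISSUES
# PHP runtime limits. php_value/php_flag are only understood when PHP runs as
# an Apache module (mod_php, registered as mod_php.c on PHP 8 and mod_php7.c on
# PHP 7); under PHP-FPM/CGI Apache rejects them with "Invalid command" — itself
# a 500 — and the same settings belong in .user.ini or the pool config instead.
# This block was present twice with identical values; one copy is kept.
# Later php_value lines in this file ("Increase PHP limits for Elementor",
# "Custom PHP Settings") override these where they overlap: the last php_value
# for a setting wins, so the effective max_input_vars is 5000, not 3000.
php_value memory_limit 512M
php_value max_execution_time 300
php_value max_input_time 300
php_value max_input_vars 3000
php_value upload_max_filesize 64M
php_value post_max_size 64M
# Never render PHP errors into responses (information disclosure, and stray
# HTML that breaks JSON for AJAX/REST callers); keep them in the error log.
php_flag display_errors off
php_flag log_errors on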
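# FIX MOD_SECURITY BLOCKING
# SecFilterEngine / SecFilterScanPOST are ModSecurity 1.x directives. A server
# without that module (or with ModSecurity 2.x/3.x, which does not know them)
# fails the whole .htaccess with a 500 unless they are guarded by IfModule.
# Note that this switches request filtering off for the entire site; if only a
# specific rule trips on Elementor/AJAX requests, a per-rule exclusion in the
# server-level ModSecurity configuration is the narrower fix.
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>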
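# FIX CORS FOR AJAX
# The Access-Control-* headers that used to follow were dead configuration:
# mod_headers applies "Header set" directives in file order and each one
# replaces the previous value, and the same three headers are set again under
# "# Security and performance headers" further down. That later copy is the
# one clients actually receive, so this copy was removed.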
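# ==============================================
# ELEMENTOR REST API & SECURITY FIXES
# ==============================================
# FIX FOR ELEMENTOR REST API
# display_errors=off / log_errors=on are already set in the PHP block above;
# the duplicate php_flag lines were dropped.
#
# "Header set Content-Type application/json" was removed: mod_headers applies
# it to every successful response, not only to /wp-json/, so ordinary HTML
# pages were being labelled as JSON. WordPress already sends the JSON
# Content-Type for REST responses; stray HTML in REST output comes from PHP
# notices, which display_errors=off addresses.
# Hide the PHP version banner. Both forms are needed: plain "unset" acts on the
# success-response header table, "always" on the table used for error
# responses. The banner itself is controlled by expose_php in php.ini.
Header unset X-Powered-By
Header always unset X-Powered-By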
# WordPress-managed rewrite block (it appears a second time after the LiteSpeed
# section; keep only one pair of markers). The first RewriteRule copies the
# incoming Authorization header into the HTTP_AUTHORIZATION environment variable
# so PHP can read it where Apache would otherwise not pass it through (CGI/FPM
# setups); the remaining rules send every request that is not an existing file
# or directory to index.php.
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
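# ALLOW REST API
# Nothing is needed here for the REST API to work: the WordPress rewrite block
# above already routes /wp-json/ to index.php. The Access-Control-* headers
# that used to follow were dead configuration — the same headers are set again
# later in the file and the last "Header set" wins — so they were removed.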
# Fix SSL/HTTPS for CDN
# Marks the request as HTTPS (so WordPress's is_ssl() agrees) when the CDN/proxy
# reports that the client used TLS. This trusts X-Forwarded-Proto from whoever
# reaches Apache: if the origin is reachable without going through the CDN, any
# client can send that header itself. Restricting that trust (mod_remoteip, or
# firewalling the origin to the CDN's addresses) has to happen at server level;
# .htaccess cannot do it on its own. The same variable is set again by a
# RewriteRule under "Fix authentication headers through CDN" below.
SetEnvIf X-Forwarded-Proto https HTTPS=on
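# Fix CORS for Elementor REST API
# The Access-Control-Allow-Origin/-Methods/-Headers lines that used to be here
# were dead configuration: the copies under "# Security and performance
# headers" further down are applied last and replace them.
# "Access-Control-Allow-Credentials: true" was dropped on purpose: browsers
# refuse it in combination with "Access-Control-Allow-Origin: *", so it never
# enabled anything, and a credentialed (cookie + nonce) cross-origin allowance
# for /wp-json/ would need an explicit origin allowlist instead of "*".
# Increase timeout for Elementor
# The Keep-Alive response header is also set further down with the same value;
# the later "Header set" wins, so this copy was removed too.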
# Fix authentication headers through CDN
# Despite the heading this only sets HTTPS=on; the Authorization header is
# handled by the RewriteRule inside the WordPress block. It duplicates the
# "SetEnvIf X-Forwarded-Proto https HTTPS=on" line above and carries the same
# caveat: the header is trusted from any client that can reach the origin
# directly, unless the server configuration limits which proxies may set it.
RewriteCond %{HTTP:X-Forwarded-Proto} =https
RewriteRule .* - [E=HTTPS:on]
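# Increase PHP limits for Elementor / Custom PHP Settings
# These repeat — and, where the values differ, override — the PHP block at the
# top of the file: the last php_value for a setting wins, so the effective
# max_input_vars is 5000. max_execution_time appeared twice in this block with
# the same value; one copy is kept. Like the earlier block these directives
# need mod_php and are rejected with a 500 under PHP-FPM/CGI.
php_value max_execution_time 300
php_value max_input_time 300
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_input_vars 5000
php_value memory_limit 512M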
# Generated by the LiteSpeed Cache plugin; leave the contents to the plugin.
# CacheLookup and CacheKeyModify are LiteSpeed-only directives. The plugin
# normally wraps this block in <IfModule LiteSpeed> ... </IfModule>; that
# wrapper is not visible here (it may have been lost when the file was copied
# or rendered). Without it a stock Apache rejects these lines with a 500.
# BEGIN LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
RewriteEngine on
CacheLookup on
RewriteRule .* - [E=Cache-Control:no-autoflush]
RewriteRule litespeed/debug/.*\.log$ - [F,L]
RewriteRule \.litespeed_conf\.dat - [F,L]
### marker ASYNC start ###
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=async_litespeed
RewriteRule .* - [E=noabort:1]
### marker ASYNC end ###
### marker WEBP start ###
RewriteCond %{HTTP_ACCEPT} image/webp [OR]
RewriteCond %{HTTP_USER_AGENT} iPhone\ OS\ (1[4-9]|[2-9][0-9]) [OR]
RewriteCond %{HTTP_USER_AGENT} Firefox/([6-9][0-9]|[1-9][0-9]{2,})
RewriteRule .* - [E=Cache-Control:vary=%{ENV:LSCACHE_VARY_VALUE}+webp]
### marker WEBP end ###
### marker DROPQS start ###
CacheKeyModify -qs:fbclid
CacheKeyModify -qs:gclid
CacheKeyModify -qs:utm*
CacheKeyModify -qs:_ga
### marker DROPQS end ###
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END LSCACHE
# BEGIN NON_LSCACHE
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
## LITESPEED WP CACHE PLUGIN - Do not edit the contents of this block! ##
# END NON_LSCACHE
# Second copy of the WordPress-managed rewrite block. Its rules are identical
# to the first copy above, so it changes nothing for requests (anything already
# rewritten to index.php matches the "^index\.php$ - [L]" rule here). WordPress
# maintains the text between its markers and which pair it rewrites when two
# exist should not be relied on — keep a single block.
# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
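# Security and performance headers
# Fix CORS for Elementor
# This is the CORS block clients actually receive: earlier copies in the file
# set the same headers and are replaced by these (last "Header set" wins).
# The method and header lists merge what the earlier copies allowed
# (PUT/DELETE, X-WP-Nonce, X-Requested-With); the narrower last copy had been
# silently winning, so nonce-authenticated preflights were being refused.
# "*" is tolerable only because no credentials are allowed: never add
# Access-Control-Allow-Credentials next to it, and if cookie/nonce-authenticated
# cross-origin calls are ever required, reflect an allowlisted Origin instead.
# For /wp-json/ WordPress emits its own CORS headers (reflecting the request
# Origin); these directives replace that value — verify the combination before
# relying on cross-origin REST calls. Same-origin requests never need CORS.
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers "Content-Type, Authorization, X-WP-Nonce, X-Requested-With"
# Increase timeout for Elementor
# Only advertises keep-alive values to the client; Apache's real idle timeout is
# KeepAliveTimeout in the server configuration, and PHP run time is governed by
# max_execution_time above. Kept as it is harmless.
Header set Keep-Alive "timeout=300, max=100"
# The CacheKeyModify lines that followed duplicated the DROPQS section of the
# LSCACHE block above and, being LiteSpeed-only directives outside that block,
# would be rejected by a non-LiteSpeed Apache; they were removed.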
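# ==============================================
# COMPREHENSIVE CONTENT SECURITY POLICY
# ==============================================
# Remove old CSP headers first, from both header tables (plain "unset" covers
# the success-response table, "always" the one used for error responses).
# Two CSP headers on one response are enforced together, so leftovers from a
# plugin or the server config would tighten the policy unpredictably.
Header unset Content-Security-Policy
Header always unset Content-Security-Policy
Header unset Content-Security-Policy-Report-Only
Header always unset Content-Security-Policy-Report-Only
Header unset X-Content-Security-Policy
Header always unset X-Content-Security-Policy
Header unset X-WebKit-CSP
Header always unset X-WebKit-CSP
# Set the new policy. Apache reads one directive per line: a value spread over
# several lines must join them with a trailing backslash, otherwise every
# following line is parsed as its own (unknown) directive and the whole
# .htaccess fails with a 500. The space before each backslash keeps the sources
# separated once the lines are joined. "always" also puts the policy on 4xx/5xx
# pages, which plain "Header set" skips.
# Weak spots to revisit: 'unsafe-inline' and 'unsafe-eval' in script-src cancel
# most of the XSS protection a CSP is meant to give (nonces or hashes are the
# usual replacement once inline scripts are under control), and img-src
# "https:" permits images from any TLS host.
Header always set Content-Security-Policy "default-src 'self'; \
    script-src 'self' 'unsafe-inline' 'unsafe-eval' \
        https://sitebehaviour-cdn.fra1.cdn.digitaloceanspaces.com \
        https://www.googletagmanager.com \
        https://www.google-analytics.com \
        https://ssl.google-analytics.com \
        https://accounts.google.com \
        https://apis.google.com \
        https://api.anychat.one \
        https://b.chatconnect.cloud \
        https://*.googletagmanager.com \
        https://*.google-analytics.com \
        https://*.googleapis.com \
        https://*.gstatic.com; \
    style-src 'self' 'unsafe-inline' \
        https://fonts.googleapis.com \
        https://*.googleapis.com \
        https://*.gstatic.com; \
    font-src 'self' \
        https://fonts.gstatic.com \
        https://*.gstatic.com; \
    img-src 'self' data: https:; \
    connect-src 'self' \
        https://sitebehaviour.io \
        https://sitebehaviour-cdn.fra1.cdn.digitaloceanspaces.com \
        https://event-store.sitebehaviour.com \
        https://api-eu.mixpanel.com \
        https://*.google-analytics.com \
        https://*.analytics.google.com \
        https://*.googletagmanager.com \
        https://*.googleapis.com \
        wss://*.sitebehaviour.com; \
    frame-src 'self' \
        https://accounts.google.com \
        https://*.googletagmanager.com \
        https://www.googletagmanager.com; \
    worker-src 'self' blob:; \
    manifest-src 'self'; \
    media-src 'self'; \
    object-src 'none'; \
    base-uri 'self'; \
    form-action 'self'; \
    frame-ancestors 'self'; \
    block-all-mixed-content; \
    upgrade-insecure-requests;"
# Report-only mode for testing (optional): the same value under the
# Content-Security-Policy-Report-Only header, written with the same trailing
# backslash continuation, e.g. guarded with env=DEV_MODE.
# Header set Content-Security-Policy-Report-Only "...same as above..." env=DEV_MODE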