.htaccess
<IfModule mod_rewrite.c>
# URL routing for the shop. Everything in this section is skipped when mod_rewrite is not loaded.
RewriteEngine on
#RewriteBase /shopware/
# Fix for office 365 autodiscover feature to prevent CSRF errors
# "-" leaves the URL untouched; [F] answers 403 Forbidden, [NC] ignores case, [L] ends this pass.
RewriteRule ^autodiscover/autodiscover.xml$ - [F,L,NC]
# HTTPS config for the backend
# Disabled as shipped: while the two lines below stay commented out, this file does not
# redirect plain-HTTP requests for backend/ to HTTPS.
# NOTE(review): the redirect target is built from %{HTTP_HOST}, i.e. the request's Host header;
# confirm the virtual host only answers for the intended host names before enabling it.
#RewriteCond %{HTTPS} !=on
#RewriteRule backend/(.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Legacy entry point mapped onto shopware.php. The pattern is unanchored and its dot is a
# regex wildcard; the rule has no flags, so the rules below still run afterwards.
RewriteRule shopware.dll shopware.php
# Requests under files/documents/ are rewritten to "engine" instead of the stored file
# (presumably so stored documents cannot be fetched directly - confirm what the server
# returns for that path).
RewriteRule files/documents/.* engine [NC,L]
# backend/media/<path> is answered from media/<path>.
RewriteRule backend/media/(.*) media/$1 [NC,L]
# XML files named config, menu, services or plugin below custom/ are handed to the Error
# controller's pageNotFoundError action instead of being served as static files.
RewriteRule custom/.*(config|menu|services|plugin)\.xml$ ./shopware.php?controller=Error&action=pageNotFoundError [NC,L]
# Front controller: a request is routed to shopware.php only when all four conditions hold:
#   1. the URI contains none of /engine/, /files/, /templates/, /themes/, /web/
#   2. the URI contains none of the listed /media/<type>/ folders
#   3. it does not name an existing file (!-f)
#   4. it does not name an existing directory (!-d)
# Existing files are therefore served by Apache itself, so keeping sensitive files private
# depends on the deny rules elsewhere in this file. [QSA] keeps the original query string.
RewriteCond %{REQUEST_URI} !(\/(engine|files|templates|themes|web)\/)
RewriteCond %{REQUEST_URI} !(\/media\/(archive|banner|image|music|pdf|unknown|video)\/)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ shopware.php [PT,L,QSA]
# Fix missing authorization-header on fast_cgi installations
# Copies the request's Authorization header into the HTTP_AUTHORIZATION environment
# variable; the "-" substitution means the URL itself is not changed.
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</IfModule>
<IfModule mod_alias.c>
# Path-based blocks for files that should never be downloadable. Each match is answered
# with 404. These rules exist only while mod_alias is loaded: without the module the
# section is skipped silently and the paths below are no longer blocked by this file.
# Restrict access to VCS directories
# The doubled backslash is reduced to a single one by Apache's config parser, so the
# pattern matches a literal dot followed by one of the listed directory names.
RedirectMatch 404 /\\.(svn|git|hg|bzr|cvs)(/|$)
# Restrict access to root folder files
# The pattern is not anchored to the document root: it matches these file names as the
# last path segment at any depth, including *.dist and .env* files.
RedirectMatch 404 /(autoload\.php|composer\.(json|lock|phar)|README\.md|UPGRADE-(.*)\.md|CONTRIBUTING\.md|eula.*\.txt|\.gitignore|.*\.dist|\.env.*)$
# Restrict access to shop configs files
# Covers web/cache/config_<digits>.json and web/cache/all.less (the dot in "all.less" is
# an unescaped regex wildcard).
RedirectMatch 404 /(web\/cache\/(config_\d+\.json|all.less))$
# Restrict access to theme configurations
# Covers lock/package JSON files, .gitignore, Gruntfile.js, all.less and anything below
# node_modules/ inside /themes/.
RedirectMatch 404 /themes/(.*)(.(lock|package)\.json|\.gitignore|Gruntfile\.js|all\.less|node_modules\/.*)$
</IfModule>
# Staging environment
#SetEnvIf Host "staging.test.shopware.in" SHOPWARE_ENV=staging
# Development environment
#SetEnvIf Host "dev.shopware.in" SHOPWARE_ENV=dev
#SetEnv SHOPWARE_ENV dev
# Index resources tried for a directory request. Per the mod_dir documentation for
# Apache 2.4, several DirectoryIndex lines in one context add to the list rather than
# replace it (verify on older versions), giving index.html, index.php, shopware.php.
DirectoryIndex index.html
DirectoryIndex index.php
DirectoryIndex shopware.php
# Disables download of configuration
# Denies direct requests for template and configuration files whose name ends in .tpl,
# .yml or .ini. Both branches deny everything; which one runs depends on whether
# mod_authz_core is present.
# NOTE(review): the extension match is case-sensitive as written and does not list
# other config extensions such as .yaml - confirm that is sufficient for this deployment
# (the SVG rule in this file uses (?i:...) for a case-insensitive match).
<Files ~ "\.(tpl|yml|ini)$">
# Deny all requests from Apache 2.4+.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
# Deny all requests from Apache 2.0-2.2.
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
</Files>
# Enable gzip compression
# Applies the DEFLATE output filter to the listed text, script, JSON, font and SVG
# content types when mod_deflate is loaded.
# NOTE(review): text/html and application/json are included, so dynamic responses are
# compressed too. Where such responses carry secrets next to request-controlled content
# over TLS, compression is a known length side channel (BREACH) - confirm this is
# acceptable for the pages the shop serves.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/xml text/plain text/css text/javascript application/javascript application/json application/font-woff application/font-woff2 image/svg+xml
</IfModule>
# Browser caching for static assets (images, CSS, JS, fonts, icons): expiry one month
# after access, "public" appended to Cache-Control, and ETags switched off both as a
# response header and at generation (FileETag None).
<Files ~ "\.(jpe?g|png|gif|css|js|woff|woff2|ttf|svg|webp|eot|ico)$">
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
</IfModule>
<IfModule mod_headers.c>
# "public" allows shared caches to store these responses; the match is by file
# extension only, so it applies to every file with one of these extensions.
Header append Cache-Control "public"
Header unset ETag
</IfModule>
FileETag None
</Files>
# Match generated files like:
# 1429684458_t22_s1.css
# 1429684458_t22_s1.js
# File names that contain a ten-digit number followed by "_<something>.js|css" get a
# one-year cache lifetime. "Header set" replaces any existing Cache-Control value.
<FilesMatch "([0-9]{10})_(.+)\.(js|css)$">
<ifModule mod_headers.c>
Header set Cache-Control "max-age=31536000, public"
</ifModule>
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 year"
</IfModule>
</FilesMatch>
# Specify CSP header for SVG files - https://docs.shopware.com/en/shopware-5-en/securityupdates/security-update-10-2021
# Any file ending in .svg (case-insensitive) is served with a policy that forbids script
# execution, so script embedded in an SVG does not run when the file is opened directly.
# The policy contains only script-src; other resource types are not restricted by it.
# The header is sent only when mod_headers is loaded - without the module this section
# is skipped silently and SVG files are served without the policy, so verify the header
# is present on a live .svg response after deployment.
<IfModule mod_headers.c>
<FilesMatch "\.(?i:svg)$">
Header set Content-Security-Policy "script-src 'none'"
</FilesMatch>
</IfModule>
# Disables auto directory index
# Turns off generated directory listings, so a directory without an index file does not
# expose its file names. Setting Options from .htaccess needs the server configuration
# to permit it (AllowOverride) - confirm for the target host.
<IfModule mod_autoindex.c>
Options -Indexes
</IfModule>
# Turns off MultiViews content negotiation, so a request for a name without extension is
# not answered with a similarly named file chosen by Apache before the rewrite rules run.
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
# AddType x-mapp-php7 .php
# AddHandler x-mapp-php7.php
# Response security headers; sent only when mod_headers is loaded.
<IfModule mod_headers.c>
# Clickjacking protection: pages may only be framed by the same origin. "append" adds
# the value to an existing header of the same name as a comma-separated list.
# NOTE(review): if the application also sends X-Frame-Options the combined value may not
# be honoured by browsers - confirm only one source sets it. Without the "always"
# condition the header is not added to error responses.
Header append X-Frame-Options SAMEORIGIN
# Uncomment the following line to enable HSTS (https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and force clients to use HTTPS for at least one year (31536000 seconds)
# HSTS is off as shipped; enable it only once every page of the shop is reachable over HTTPS.
# Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>