release(v1.7.3): lightweight boot pipeline, dramatically faster first paint, deduped /api writes, sturdier uploads/auth

public/.htaccess

@@ -11,11 +11,25 @@ DirectoryIndex index.html
 </IfModule>
 
 RewriteEngine On
-# If you want forced HTTPS behind a proxy, keep this off here and do it at the proxy
+
+# --- HTTPS redirect ---
+# Use ONE of these blocks.
+
+# A) Direct TLS on this server (enable this if Apache terminates HTTPS here)
 #RewriteCond %{HTTPS} off
 #RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 
-# MIME types (fonts/SVG/ESM)
+# B) Behind a reverse proxy/CDN that sets X-Forwarded-Proto
+#RewriteCond %{HTTP:X-Forwarded-Proto} =http [OR]
+#RewriteCond %{HTTP:X-Forwarded-Proto} ^$
+#RewriteCond %{HTTPS} !=on
+#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+
+# Don't interfere with ACME/http-01 if you do your own certs
+#RewriteCond %{REQUEST_URI} ^/.well-known/acme-challenge/
+#RewriteRule - - [L]
+
+# --- MIME types (fonts/SVG/ESM) ---
 <IfModule mod_mime.c>
   AddType font/woff2 .woff2
   AddType font/woff  .woff
@@ -23,58 +37,57 @@ RewriteEngine On
   AddType application/javascript .mjs
 </IfModule>
 
-# Security headers
+# --- Security headers ---
 <IfModule mod_headers.c>
   Header always set X-Frame-Options "SAMEORIGIN"
   Header always set X-XSS-Protection "1; mode=block"
   Header always set X-Content-Type-Options "nosniff"
-  # HSTS: only if HTTPS (prevents mixed local dev warnings)
-  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
   Header always set Referrer-Policy "strict-origin-when-cross-origin"
   Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
   Header always set X-Download-Options "noopen"
   Header always set Expect-CT "max-age=86400, enforce"
-  # Nice extra hardening (same-origin resource sharing)
   Header always set Cross-Origin-Resource-Policy "same-origin"
   Header always set X-Permitted-Cross-Domain-Policies "none"
+  # HSTS only when actually on HTTPS
+  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"
 
-  # CSP (modules, workers, blobs already accounted for)
-  Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; frame-ancestors 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
+  # CSP (modules, blobs, workers, etc.)
+  Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; media-src 'self' blob:; worker-src 'self' blob:; form-action 'self'"
 </IfModule>
 
-# Caching
-SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
+# --- Caching (query-string based, no env vars needed) ---
 <IfModule mod_headers.c>
-  # HTML/PHP: no cache (app shell)
+  # HTML/PHP: no cache (only if PHP didn’t already set it)
   <FilesMatch "\.(html?|php)$">
-    Header set Cache-Control "no-cache, no-store, must-revalidate"
-    Header set Pragma "no-cache"
-    Header set Expires "0"
+    Header setifempty Cache-Control "no-cache, no-store, must-revalidate"
+    Header setifempty Pragma "no-cache"
+    Header setifempty Expires "0"
   </FilesMatch>
 
-  # version.js is your source-of-truth; keep it non-cacheable so dev/CI flips show up
+  # version.js: always non-cacheable
   <FilesMatch "^js/version\.js$">
     Header set Cache-Control "no-cache, no-store, must-revalidate"
     Header set Pragma "no-cache"
     Header set Expires "0"
   </FilesMatch>
 
-# Unversioned JS/CSS (dev): 1 hour
-<FilesMatch "\.(?:m?js|css)$">
-  Header set Cache-Control "public, max-age=3600, must-revalidate" env=!has_version_param
-</FilesMatch>
+  # Unversioned JS/CSS: 1 hour
+  <FilesMatch "\.(?:m?js|css)$">
+    Header set Cache-Control "public, max-age=3600, must-revalidate" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
+  </FilesMatch>
 
-# Unversioned static assets (dev): 7 days
-<FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=604800" env=!has_version_param
-</FilesMatch>
+  # Unversioned static (images/fonts): 7 days
+  <FilesMatch "\.(?:png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header set Cache-Control "public, max-age=604800" "expr=%{QUERY_STRING} !~ /(^|&)v=/"
+  </FilesMatch>
 
-# Versioned assets (?v=...): 1 year + immutable
-<FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
-  Header set Cache-Control "public, max-age=31536000, immutable" env=has_version_param
-</FilesMatch>
+  # Versioned assets (?v=...): 1 year + immutable
+  <FilesMatch "\.(?:m?js|css|png|jpe?g|gif|webp|svg|ico|woff2?|ttf|otf)$">
+    Header setifempty Cache-Control "public, max-age=31536000, immutable" "expr=%{QUERY_STRING} =~ /(^|&)v=/"
+  </FilesMatch>
+</IfModule>
 
-# Compression (if modules exist)
+# --- Compression ---
 <IfModule mod_brotli.c>
   BrotliCompressionQuality 5
   AddOutputFilterByType BROTLI_COMPRESS text/html text/css application/javascript application/json image/svg+xml
@@ -83,6 +96,6 @@ SetEnvIfNoCase QUERY_STRING "(^|&)v=" has_version_param=1
   AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
 </IfModule>
 
-# Disable TRACE
+# --- Disable TRACE ---
 RewriteCond %{REQUEST_METHOD} ^TRACE
 RewriteRule .* - [F]