# Disable directory listings and content negotiation. MultiViews would let a
# request for "name" resolve to "name.<ext>", which can sidestep the
# extension-based FilesMatch rules below.
# NOTE: "Options" in .htaccess needs AllowOverride Options (or All) in the
# server config; otherwise the whole file is rejected with a 500.
Options -Indexes -MultiViews
# Drop the version/hostname footer from server-generated error pages.
ServerSignature Off

# ── Protect sensitive files ──────────────────────────────────────────────────

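# Deny dotenv/credential, log, dump, build and editor-backup files by extension.
# (?i) makes the match case-insensitive so ".ENV" / ".Sql" are covered on
# case-insensitive filesystems. Note this also blocks any public *.json
# (e.g. a web manifest); carve such files out explicitly if the app serves them.
<FilesMatch "(?i)\.(env|log|sql|md|json|lock|sh|bat|ini|bak|swp|gitignore)$">
    # Apache 2.4 authorization syntax. Order/Deny are 2.2 directives that only
    # exist on 2.4 through mod_access_compat; an unknown directive makes the
    # entire .htaccess fail, so keep them only as the non-2.4 fallback.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>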

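# Deny package-manager and bundler manifests (composer.*, package.*, yarn.*,
# webpack.*, vite.*), which disclose dependency versions and build layout.
<FilesMatch "(?i)^(composer\.|package\.|yarn\.|webpack\.|vite\.)">
    # Prefer 2.4 "Require"; fall back to 2.2 Order/Deny only where
    # mod_authz_core is absent (see note on the rule above).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>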

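# Block direct PHP execution in user-writable/upload directories. The <If>
# expression matches the decoded request path, so the rule only fires for
# *.php under /storage/, /images/uploads/ or /data/.
# <If> is itself Apache 2.4-only, so this container cannot load on 2.2; use the
# 2.4 authorization directive directly rather than the Order/Deny pair.
# NOTE(review): only ".php" is matched. If the server's PHP handler is also
# mapped to other extensions (e.g. .phtml, .phar), add them to the pattern.
<FilesMatch "(?i)\.php$">
    <If "%{REQUEST_URI} =~ m#/(storage|images/uploads|data)/#">
        Require all denied
    </If>
</FilesMatch>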

# ── Security Headers ─────────────────────────────────────────────────────────

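<IfModule mod_headers.c>
    # "always" also applies to error responses and internally generated pages.
    # Stop MIME sniffing so uploads are served strictly as their declared type.
    Header always set X-Content-Type-Options "nosniff"
    # Clickjacking protection; CSP frame-ancestors supersedes it where supported.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor has been removed from current browsers, and in the
    # older ones that honoured "1; mode=block" the filter itself was a source of
    # information leaks. "0" explicitly disables it (current OWASP guidance).
    # The modern replacement is a Content-Security-Policy, which this file does
    # not set; add one tuned to the application's script/style origins.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
    # X-Powered-By is emitted by PHP (expose_php); unsetting here is a fallback
    # for when that ini setting is not under your control.
    Header unset X-Powered-By
    # NOTE: the Server header is written by the core after mod_headers runs, so
    # this unset is usually a no-op. "ServerTokens Prod" in the server config
    # (not permitted in .htaccess) is the supported way to trim it.
    Header unset Server
</IfModule>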

# ── URL rewriting: hidden paths, internal directories, front controller ──────
# (No install-redirect logic lives in this file; if "redirect to install when
#  config is missing" is required, it is presumably handled by index.php — verify.)

RewriteEngine On
# Assumes the app is deployed at the document root; adjust if it lives in a
# sub-directory, otherwise the index.php rewrite below resolves wrongly.
RewriteBase /

# Force HTTPS (uncomment on production)
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Block access to hidden files and directories (except .well-known).
# In per-directory (.htaccess) context the matched path has no leading slash,
# hence the (^|/) alternation. This also covers .htaccess/.htpasswd and .git/.
RewriteRule "(^|/)\.(?!well-known)" - [F,L]

# Block access to core/, registry/, storage/, build/, tools/, docs/, site/
# (403 for the directory itself and anything beneath it).
RewriteRule ^(core|registry|storage|build|tools|docs|site)(/|$) - [F,L]

# The two conditions below attach to the next RewriteRule: existing files and
# directories are served directly and bypass the front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Route everything else through index.php, preserving the query string.
RewriteRule ^ index.php [L,QSA]

# ── Performance ──────────────────────────────────────────────────────────────

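<IfModule mod_deflate.c>
    # Compress text-based responses. image/svg+xml and text/javascript are
    # text too and were missing from the list (the Expires section below
    # already assumes SVG is served). Already-compressed formats (images,
    # woff2) are deliberately left out.
    AddOutputFilterByType DEFLATE text/html text/plain text/css text/javascript application/javascript application/json image/svg+xml
</IfModule>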

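<IfModule mod_expires.c>
    # Far-future caching for static assets. Cache lifetimes are keyed on the
    # response MIME type, so a directive only takes effect if the server
    # actually maps the file to that exact type.
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 week"
    ExpiresByType text/css  "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    # The registered type for .woff2 is font/woff2 (what current Apache
    # mime.types emits); the legacy x- type is kept for servers that still map
    # it that way so neither variant silently loses its cache policy.
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/x-font-woff2 "access plus 1 year"
</IfModule>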
