# ============================================
# .HTACCESS - URL REWRITING & SECURITY
# ============================================

# Enable Rewrite Engine
<IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteEngine On

  # Set base path
  RewriteBase /

  # ============================================
  # REMOVE .PHP EXTENSION FROM URLs
  # ============================================

  # Hide .php extension: /page -> /page.php
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME}.php -f
  RewriteRule ^(.*)$ $1.php [L,QSA]

</IfModule>

# ============================================
# SECURITY SETTINGS
# ============================================

# Disable directory listing
<IfModule mod_autoindex.c>
  Options -Indexes
</IfModule>

# Prevent access to sensitive files
<FilesMatch "^(\.|.*\.sql|.*\.config|.*\.json|.*\.md)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Protect .htaccess and .htpasswd files
<Files ~ "^\.ht">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# Protect sensitive directories
<DirectoryMatch "^.*\.(git|svn|env)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</DirectoryMatch>

# ============================================
# SECURITY HEADERS
# ============================================

# Prevent MIME type sniffing
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# ============================================
# COMPRESSION
# ============================================

# Enable GZIP compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript application/javascript application/json
</IfModule>

# ============================================
# CACHING
# ============================================

# Set caching headers for static assets
<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"

  # CSS and JS
  ExpiresByType text/css "access plus 30 days"
  ExpiresByType application/javascript "access plus 30 days"
  ExpiresByType text/javascript "access plus 30 days"

  # Fonts
  ExpiresByType application/font-woff "access plus 1 year"
  ExpiresByType application/font-woff2 "access plus 1 year"
  ExpiresByType application/x-font-ttf "access plus 1 year"

  # PHP (no cache)
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType application/php "access plus 0 seconds"
</IfModule>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php82” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php82 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
