# Never render auto-generated directory listings (index.html missing -> 403, not a file list).
Options -Indexes
# Enable mod_rewrite for the access-control and front-controller rules below.
# Left unguarded by <IfModule> on purpose: if mod_rewrite is absent this line fails the
# request (500), which is arguably preferable to silently losing the RewriteRule blocks
# on protected directories further down.
RewriteEngine On

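# Security headers
# "always" makes these apply to error responses (4xx/5xx) too, not only 2xx.
# CSP is deliberately NOT set here: index.php emits it per request with a fresh nonce, and a
# static CSP from Apache would be merged with (and could contradict) that one.
<IfModule mod_headers.c>
    # Stop browsers MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy clickjacking defence. Browsers that understand CSP frame-ancestors prefer it,
    # so keep this consistent with whatever frame-ancestors index.php's CSP declares.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor has been removed from modern browsers, and "1; mode=block" enabled
    # cross-site leaks in the browsers that still had it; current OWASP guidance is to
    # disable the filter explicitly rather than enable it.
    Header always set X-XSS-Protection "0"
    # Full referrer to same-origin, origin only to other HTTPS origins, nothing on downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Refuse Flash/Acrobat cross-domain policy files that could widen the origin boundary.
    Header always set X-Permitted-Cross-Domain-Policies "none"
    # HSTS for one year, inherited by every subdomain. Browsers ignore HSTS received over
    # plain HTTP, so sending it unconditionally is harmless -- but note that nothing in this
    # file redirects HTTP to HTTPS; that redirect must live in the vhost or a client's first
    # visit is still unprotected.
    # NOTE(review): includeSubDomains forces HTTPS on *all* subdomains of this host; confirm
    # none of them is HTTP-only before relying on this, and only add "preload" once that is
    # certain (preload is effectively irreversible).
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # Content-Security-Policy is set per-request in index.php with a fresh nonce.
    # Deny the listed powerful browser features to this origin and any embedded frames.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
</IfModule>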

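# Block direct access to protected directories.
# NC makes the match case-insensitive so the rule also holds on case-insensitive
# filesystems (macOS/Windows), where /CONFIG/ would otherwise reach the same files.
# This rule guards the URL path; the <FilesMatch> sections below guard file basenames only,
# so neither of them covers files inside dot-directories (e.g. .git/config, .svn/wc.db) --
# that is what the second rule is for.
RewriteRule ^(src|config|controllers|lang|data|vendor|plugins|migrations)(/|$) - [F,L,NC]
# Refuse any path segment that starts with a dot (.git, .svn, .idea, .env.d, ...).
# /.well-known is exempted because ACME challenges and security.txt must stay reachable.
RewriteRule (^|/)\.(?!well-known(/|$)) - [F,L,NC]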

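# Block sensitive file types wherever they sit (FilesMatch tests the file's basename).
# (?i) makes the match case-insensitive so DUMP.SQL / backup.BAK are not served on
# case-insensitive filesystems. Beyond the original list this also covers SQLite side
# files (.sqlite3, -journal/-wal/-shm, which can hold unflushed rows) and editor/backup
# leftovers (.bak, .old, .orig, .swp, .tmp) that commonly leak source or credentials.
# Note: .json is blocked here, so any JSON the front end needs must be served via index.php.
<FilesMatch "(?i)\.(sqlite3?|sqlite-(journal|wal|shm)|db|db-(journal|wal|shm)|sql|sql\.gz|env|log|ini|json|lock|md|bak|old|orig|swp|tmp)$">
    Require all denied
</FilesMatch>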

# Block well-known project metadata files by exact name. Most of these are already caught
# by the extension and dotfile rules in this file; this is defence in depth so the files
# stay blocked even if those patterns are edited later.
# README matches only the bare name; README.md is covered by the ".md" rule.
<FilesMatch "^(composer\.json|composer\.lock|\.env|\.gitignore|README)$">
    Require all denied
</FilesMatch>

# Block hidden files (dotfiles): .htaccess, .env.*, .git (when it is a file), .DS_Store, ...
# Caveat: FilesMatch only sees the basename of the resolved file, so a file *inside* a
# dot-directory (e.g. .git/config) has a non-dot basename and is NOT covered by this section.
<FilesMatch "^\.[^/]*$">
    Require all denied
</FilesMatch>

# /downloads (with or without trailing slash) and /LICENSE are served by the PHP router
# even though they may exist on disk, so the catch-all "-f / -d" rule below must not
# short-circuit them.
# NOTE(review): only the bare /downloads path is routed here. If a real downloads/
# directory holds files, downloads/<file> still satisfies "-f" below and is served by
# Apache directly, bypassing any checks index.php does -- confirm that is intended.
RewriteRule ^(downloads/?|LICENSE)$ index.php [QSA,L]

# Front controller: anything that is not an existing file or directory goes to index.php.
# Existing files and directories are passed through unchanged ("-" target, stop here);
# everything else is rewritten, with QSA preserving the original query string.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^ index.php [QSA,L]

# Gzip compression for text-like responses.
# NOTE(review): compressing text/html over TLS exposes the response to BREACH if a page
# reflects attacker-controlled input next to a per-session secret (e.g. a CSRF token).
# Whether index.php's pages do that cannot be told from here; if they do, either exclude
# text/html from compression or make sure secrets are masked per response.
<IfModule mod_deflate.c>
    # Markup and text
    AddOutputFilterByType DEFLATE text/html text/plain
    # Stylesheets, scripts and API payloads
    AddOutputFilterByType DEFLATE text/css application/javascript application/json
</IfModule>

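# Browser caching for static assets.
# Only the listed types get a lifetime; text/html (the PHP output) is not listed, so
# dynamic, session-bound pages receive no Expires/Cache-Control from here.
# These long lifetimes assume CSS/JS filenames change when their content does
# (cache-busting); otherwise clients keep stale assets for up to a month.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    # Apache's default mime.types maps .ico to image/vnd.microsoft.icon, not image/x-icon,
    # so both are listed to make the favicon rule take effect regardless of the mapping.
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"
</IfModule>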
