# ── Security Headers ────────────────────────────────────────────────────────
<IfModule mod_headers.c>
    # Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Referrer information sent only to same origin
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Restrict browser features
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Basic Content Security Policy
    # Scripts/styles are all local; allow WhatsApp/mailto links as popups
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none';"

    # Remove PHP version disclosure
    Header always unset X-Powered-By
</IfModule>

# ── Block access to sensitive files ─────────────────────────────────────────
<FilesMatch "^(error_log|\.env|composer\.(json|lock)|package(-lock)?\.json|.*\.log)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Block direct access to PHP includes if any exist
<FilesMatch "^(config|functions|helpers)\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>

# ── Disable directory listing ────────────────────────────────────────────────
Options -Indexes

# ── Force HTTPS (enable when SSL certificate is active) ─────────────────────
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{HTTPS} off
#     RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# </IfModule>

# ── Protect against common exploit patterns ──────────────────────────────────
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block requests with suspicious query strings
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule .* - [F,L]
</IfModule>
