# ── Security Headers ────────────────────────────────────────────────────────
# Prevent clickjacking
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME-type sniffing
Header always set X-Content-Type-Options "nosniff"
# Referrer information sent only to same origin
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Restrict browser features
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
# Basic Content Security Policy
# Scripts/styles are all local; allow WhatsApp/mailto links as popups
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none';"
# Remove PHP version disclosure
Header always unset X-Powered-By
# ── Block access to sensitive files ─────────────────────────────────────────
Order allow,deny
Deny from all
# Block direct access to PHP includes if any exist
Order allow,deny
Deny from all
# ── Disable directory listing ────────────────────────────────────────────────
Options -Indexes
# ── Force HTTPS (enable when SSL certificate is active) ─────────────────────
#
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
#
# ── Protect against common exploit patterns ──────────────────────────────────
RewriteEngine On
# Block requests with suspicious query strings
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]