# ── Security Headers ──────────────────────────────────────────────────────── # Prevent clickjacking Header always set X-Frame-Options "SAMEORIGIN" # Prevent MIME-type sniffing Header always set X-Content-Type-Options "nosniff" # Referrer information sent only to same origin Header always set Referrer-Policy "strict-origin-when-cross-origin" # Restrict browser features Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()" # Basic Content Security Policy # Scripts/styles are all local; allow WhatsApp/mailto links as popups Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none';" # Remove PHP version disclosure Header always unset X-Powered-By # ── Block access to sensitive files ───────────────────────────────────────── Order allow,deny Deny from all # Block direct access to PHP includes if any exist Order allow,deny Deny from all # ── Disable directory listing ──────────────────────────────────────────────── Options -Indexes # ── Force HTTPS (enable when SSL certificate is active) ───────────────────── # # RewriteEngine On # RewriteCond %{HTTPS} off # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L] # # ── Protect against common exploit patterns ────────────────────────────────── RewriteEngine On # Block requests with suspicious query strings RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule .* - [F,L]