# =============================================================================
# Sample .htaccess Configuration
# Apache rewrite rules, security headers, compression, and caching.
# =============================================================================

# --- Enable Rewrite Engine ---
<IfModule mod_rewrite.c>
    # Per-directory rewrite rules. They are evaluated top to bottom and most
    # end with [L], so the order of the sections below is significant.
    RewriteEngine On
    RewriteBase /

    # Force HTTPS: any request for which %{HTTPS} is not "on" receives a
    # permanent redirect to the same host and path over https.
    # NOTE(review): %{HTTPS} describes the connection this Apache instance
    # sees. If TLS is terminated upstream (load balancer, CDN), the condition
    # presumably stays true and the redirect loops — confirm the deployment.
    # NOTE(review): the redirect target is built from the client-supplied Host
    # header. Where the canonical hostname is known, a fixed name is the safer
    # target, particularly if a shared cache sits in front of the server.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

    # Redirect www to non-www. %1 is the host name captured by the condition
    # with the leading "www." removed.
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # Remove trailing slashes (except for directories)
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)/$ /$1 [R=301,L]

    # Front controller pattern: every request that does not map to an existing
    # file or directory is handed to index.php. index.php is therefore the
    # entry point for all unmatched URLs, and routing and access decisions for
    # those URLs are made by the application, not by this file.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>

# --- Security Headers ---
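<IfModule mod_headers.c>
    # Browser-hardening response headers. "always" attaches the header to
    # error responses and redirects as well as to successful responses.

    # Clickjacking: only same-origin pages may frame this site.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers from MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options "nosniff"

    # The legacy XSS auditor has been removed from, or never shipped in, the
    # major browsers, and its filtering could itself be abused in the browsers
    # that had it. It is switched off explicitly. XSS defence belongs in output
    # encoding and a Content-Security-Policy, which this file does not set
    # because a usable policy is application-specific.
    Header always set X-XSS-Protection "0"

    # Send the full URL as referrer to same-origin requests only; other origins
    # receive just the origin, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # HSTS for one year. "includeSubDomains" and "preload" commit every
    # subdomain to HTTPS, and a preload-list entry is slow to withdraw.
    # Confirm that all subdomains serve valid TLS before keeping these tokens.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Deny camera, microphone and geolocation to every origin, this one included.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Reduce version disclosure. mod_headers keeps separate "onsuccess" and
    # "always" header tables, so X-Powered-By is removed from both.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # NOTE(review): the Server header is normally added by the core after
    # mod_headers has run, so this directive usually has no effect. The value
    # of that header is governed by ServerTokens, which is only valid in the
    # main server configuration. The directive is kept because it is harmless.
    Header unset Server
</IfModule>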

# --- Hide Server Signature ---
# Suppresses the version footer that Apache appends to documents it generates
# itself (error pages, directory listings). It does not change the Server
# response header; that is governed by ServerTokens, which is only valid in
# the main server configuration and cannot be set from .htaccess.
ServerSignature Off

# --- Gzip Compression ---
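<IfModule mod_deflate.c>
    # Compress text-based responses, selected by media type.
    # NOTE(review): compressing a TLS response that contains both a secret
    # (for example a session-bound token) and request-reflected input is the
    # precondition for BREACH-style length side channels. text/html and
    # application/json are the types to check: confirm that the application
    # randomises such tokens per response, or exclude those responses from
    # compression.
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE font/ttf
    # font/woff2 is intentionally not listed: WOFF2 is already compressed, so
    # deflating it again costs CPU for no gain and contradicts the rule below.

    # Don't compress images or already-compressed files
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webp|zip|gz|bz2)$ no-gzip
</IfModule>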

# --- Browser Caching ---
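<IfModule mod_expires.c>
    # Freshness lifetimes by media type. mod_expires emits both an Expires
    # header and a Cache-Control max-age derived from these values.
    ExpiresActive On
    ExpiresDefault                          "access plus 1 month"

    # Documents and API payloads: stale immediately, so caches must revalidate.
    # NOTE(review): "0 seconds" yields max-age=0, which still allows the
    # response to be stored. Responses that carry per-user or sensitive data
    # should be marked "no-store" or "private" by the application that
    # generates them.
    ExpiresByType text/html                 "access plus 0 seconds"
    ExpiresByType application/json          "access plus 0 seconds"
    ExpiresByType application/xml           "access plus 0 seconds"

    # Static assets: one year. text/javascript and font/ttf are listed so that
    # every asset type handled elsewhere in this file gets the same lifetime,
    # whichever media type the server assigns.
    ExpiresByType text/css                  "access plus 1 year"
    ExpiresByType text/javascript           "access plus 1 year"
    ExpiresByType application/javascript    "access plus 1 year"
    ExpiresByType image/jpeg                "access plus 1 year"
    ExpiresByType image/png                 "access plus 1 year"
    ExpiresByType image/gif                 "access plus 1 year"
    ExpiresByType image/svg+xml             "access plus 1 year"
    ExpiresByType image/webp                "access plus 1 year"
    ExpiresByType font/woff2                "access plus 1 year"
    ExpiresByType font/woff                 "access plus 1 year"
    ExpiresByType font/ttf                  "access plus 1 year"
</IfModule>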

# --- Cache-Control Headers ---
<IfModule mod_headers.c>
    # Static assets: cacheable by any cache for one year and never revalidated.
    # "immutable" is only safe when a changed asset also gets a new URL
    # (fingerprinted file names); otherwise clients keep the old copy.
    <FilesMatch "\.(?:css|js|woff2?|ttf|svg|png|jpe?g|gif|webp|ico)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>

    # Documents and data files on disk: may be stored but must be revalidated.
    # FilesMatch tests the name of the file actually served, so responses that
    # index.php produces for rewritten URLs are not covered by this section.
    <FilesMatch "\.(?:html|json|xml)$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>
</IfModule>

# --- Block Access to Sensitive Files ---
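# Deny environment files, VCS metadata files, password files and dependency
# manifests by file name. FilesMatch only sees the last path component, and
# the pattern is unanchored apart from ".env", so any file whose name contains
# one of these strings is denied as well.
# Where the layout allows it, keeping these files outside the document root is
# the stronger control; this section is a safety net.
<FilesMatch "(^\.env|\.git|\.htpasswd|composer\.(json|lock)|package(-lock)?\.json|webpack\.mix\.js)">
    # Apache 2.4 authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# The FilesMatch above does not protect the contents of a .git directory:
# files inside it have names such as "config" or "HEAD", which the pattern
# does not match. Answer every URL with a ".git" path segment with 404 so a
# deployed repository directory cannot be read over HTTP.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.git(/|$)"
</IfModule>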

# --- Block Bad Bots & Scrapers ---
<IfModule mod_rewrite.c>
    # Answer 403 to clients whose User-Agent names one of these crawlers
    # (case-insensitive substring match). The User-Agent is chosen by the
    # client, so this only reduces load from crawlers that identify
    # themselves; it is not an access control.
    RewriteCond %{HTTP_USER_AGENT} (AhrefsBot|MJ12bot|SemrushBot|DotBot|BLEXBot|MegaIndex) [NC]
    # [F] returns 403 Forbidden and implies [L].
    RewriteRule ^ - [F]
</IfModule>

# --- Disable Directory Listing ---
# Without an index file, a directory request gets an error instead of an
# auto-generated listing, so file names are not disclosed by browsing.
Options -Indexes

# --- Limit Upload Size (10 MB) ---
# Request bodies larger than 10485760 bytes (10 * 1024 * 1024) are rejected by
# Apache before the application sees them.
# NOTE(review): index.php suggests a PHP application; PHP enforces its own
# upload and POST size limits separately — confirm they agree with this value.
LimitRequestBody 10485760

# --- UTF-8 Encoding ---
# Adds "charset=UTF-8" to text/plain and text/html responses that declare no
# charset, so browsers do not have to guess the encoding.
AddDefaultCharset UTF-8