# Turn off auto-generated directory listings for folders that have no index file.
Options -Indexes
# Remove the server version footer from server-generated pages (error pages, etc.).
# NOTE(review): this does not change the "Server" response header; that is
# governed by ServerTokens, which can only be set in the main server config.
ServerSignature Off

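# ── Block sensitive files ────────────────────────────────
# Deny direct HTTP access to dumps, environment files, logs, shell scripts
# and notes, selected by file extension. FilesMatch tests the file NAME only,
# so the "git" alternative covers a file called ".git" or "x.git" but not the
# contents of a .git/ directory; those are handled by the rewrite rule below.
<FilesMatch "\.(sql|env|log|sh|md|git)$">
    # Apache 2.4+: native authorization syntax, no mod_access_compat needed.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback (the directives this file originally used).
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Files inside a deployed .git/ directory (config, HEAD, objects/...) have
# names the extension match above never sees, so refuse the whole path.
# NOTE(review): this is skipped silently if mod_rewrite is not loaded; keeping
# .git/ out of the web root is the more reliable control.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.git(/|$) - [F,L]
</IfModule>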

# ── Block direct access to includes ──────────────────────
# Any URL under includes/ (relative to the directory holding this .htaccess)
# is answered with 403 Forbidden; "-" means no substitution, [F] forbids.
# NOTE(review): the rule lives inside <IfModule>, so if mod_rewrite is not
# loaded the section is skipped and includes/ stays reachable. Confirm the
# module is present, or protect the directory itself (its own deny rule, or
# move it outside the web root).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^includes/ - [F,L]
</IfModule>

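# ── Security headers ──────────────────────────────────────
# Response hardening headers. "always" puts them on error responses and
# internal redirects too, not only on successful responses.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response into a different content type.
    Header always set X-Content-Type-Options "nosniff"
    # Only same-origin pages may frame this site (clickjacking defence).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Legacy XSS auditor explicitly disabled. Current browsers have removed the
    # auditor, and in older ones "1; mode=block" could itself be abused to leak
    # information across sites. Output encoding and a Content-Security-Policy
    # are the real XSS defences.
    Header always set X-XSS-Protection "0"
    # Cross-origin requests receive only the origin, and nothing on HTTPS -> HTTP.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Deny camera, microphone and geolocation to this origin and to embedded frames.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # NOTE(review): this file sets no Content-Security-Policy and no
    # Strict-Transport-Security. Both need site-specific values (allowed script
    # sources; whether every subdomain is HTTPS-only), so they are flagged
    # here rather than guessed.
</IfModule>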

# ── Canonical HTTPS redirect ──────────────────────────────
# Two permanent (301) redirects, evaluated in order: plain HTTP -> HTTPS on the
# same host, then www.<host> -> <host>. A www request over HTTP therefore takes
# two hops, because the first rule ends processing with [L].
# NOTE(review): both targets are built from %{HTTP_HOST}, i.e. the Host header
# sent by the client. If this virtual host answers for arbitrary host names,
# the Location header echoes whatever was sent; confirm the vhost only accepts
# the site's own names, or redirect to a fixed canonical host (CANONICAL_HOST
# placeholder) instead.
# NOTE(review): %{HTTPS} describes the connection to this server. Behind a
# proxy or CDN that terminates TLS it may always be "off", which would make
# the first rule loop. Verify against the deployment.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # Canonical host is the non-www form: strip a leading "www." (case-insensitive)
    # and redirect to the remainder of the host name captured as %1.
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
</IfModule>

# ── Gzip compression ──────────────────────────────────────
# Compress text-based responses (HTML, CSS, JavaScript, JSON, SVG) on output.
# NOTE(review): compressing HTTPS responses that contain both a secret (for
# example a CSRF token) and request-reflected content is the precondition for
# BREACH-style compression side channels. Confirm the HTML/JSON served here
# does not mix the two, or exclude those responses from DEFLATE.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml
</IfModule>

# ── Browser caching ───────────────────────────────────────
# Freshness lifetimes per content type, counted from the time of the request
# ("access"). mod_expires emits both Expires and Cache-Control: max-age.
# NOTE(review): the rules select by content type, not by path, and add no
# "private" directive. If any HTML or JSON served here is per-user, make sure
# the application sends its own cache headers for those responses. Per its
# documentation, mod_expires leaves responses that already carry an Expires
# header untouched. Verify against the application.
<IfModule mod_expires.c>
    ExpiresActive On
    # Documents: short lifetime so content updates show up quickly.
    ExpiresByType text/html              "access plus 1 hour"
    # Static assets: one month.
    ExpiresByType text/css               "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/svg+xml          "access plus 1 month"
    ExpiresByType image/png              "access plus 1 month"
    ExpiresByType image/jpeg             "access plus 1 month"
    ExpiresByType image/webp             "access plus 1 month"
    # JSON: one day.
    ExpiresByType application/json       "access plus 1 day"
</IfModule>

# ── LiteSpeed cache rules ─────────────────────────────────
# Evaluated only when the server identifies as LiteSpeed; Apache skips this section.
# Enables the public (shared) cache for the listed paths only: the assets
# directory and three static files.
# NOTE(review): a public cache entry is served to every visitor, so keep this
# list limited to content that is identical for all users. Presumably nothing
# under /assets/ is generated per user; confirm.
<IfModule LiteSpeed>
    CacheEnable public /assets/
    CacheEnable public /manifest.json
    CacheEnable public /sitemap.xml
    CacheEnable public /robots.txt
</IfModule>
