
# ========================================
# SECURITY HEADERS
# ========================================
<IfModule mod_headers.c>
    # Response hardening headers, applied only when mod_headers is loaded.
    # NOTE(review): plain "Header set" writes to the success-response table,
    # so Apache-generated error pages (for example the 403s produced by the
    # deny rules in this file) do not carry these headers; that needs the
    # "always" condition. A second mod_headers block at the end of this file
    # repeats three of these headers, so change both together to avoid
    # conflicting or duplicated values.

    # Prevent clickjacking: only same-origin pages may frame this site
    Header set X-Frame-Options "SAMEORIGIN"
    
    # Prevent MIME type sniffing: browsers must honour the declared Content-Type
    Header set X-Content-Type-Options "nosniff"
    
    # XSS Protection
    # NOTE(review): legacy header for the old in-browser XSS auditor, which
    # current browsers no longer implement. It is not a substitute for output
    # encoding and a Content-Security-Policy; no CSP is set in this file.
    Header set X-XSS-Protection "1; mode=block"
    
    # Referrer Policy: full URL to same-origin requests, origin only to
    # cross-origin HTTPS, nothing when downgrading to HTTP
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    
    # Permissions Policy (disable unnecessary features): an empty allowlist
    # denies the feature to this page and to every embedded frame
    Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    
    # Remove server identification
    # NOTE(review): mod_headers generally cannot strip Apache's own Server
    # header; that is governed by ServerTokens / ServerSignature in the main
    # server configuration. X-Powered-By comes from PHP, and expose_php = Off
    # in php.ini removes it at the source. Verify both against a captured
    # response rather than relying on these two lines.
    Header unset Server
    Header unset X-Powered-By
</IfModule>

# ========================================
# HIDE PHP ERRORS (Production Only!)
# ========================================
# Keep PHP error details (paths, queries, stack traces) out of HTTP responses
# and write them to a log file instead.
# NOTE(review): php_flag / php_value are only understood when PHP runs as an
# Apache module; under PHP-FPM or CGI these lines cause a 500 for every
# request, and the equivalent settings belong in php.ini or .user.ini.
php_flag display_errors Off
php_flag log_errors On
# NOTE(review): confirm this directory is outside the document root and is
# writable by the PHP process but not readable by other accounts.
php_value error_log /home/ashranco/error_logs/php_error.log

# ========================================
# BLOCK SENSITIVE FILES
# ========================================
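# Deny direct download of database dumps, backups, logs, shell scripts,
# markdown notes and configuration files, selected by file extension.
# FilesMatch tests only the final file name, so this rule does not protect
# files stored inside a directory such as .git/ whose own names carry none of
# these extensions.
<FilesMatch "\.(sql|bak|backup|log|sh|md|git|env|ini)$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback. On 2.4 the Order/Deny directives exist only when
    # mod_access_compat is loaded; without it they are a configuration error
    # that returns a 500 for every request.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>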

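# Block hidden files: any file whose own name starts with a dot
# (.env, .htaccess, .htpasswd, ...). The match is on the file name only, so
# a file inside a dot-directory (for example .git/config) is not covered
# by this rule.
<FilesMatch "^\.">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback; on 2.4 these directives need mod_access_compat.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>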



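# Prevent access to hidden files (file name starts with a dot).
# This section repeats the "Block hidden files" rule a few lines above with
# the same pattern; one of the two can be removed without changing behaviour.
<FilesMatch "^\.">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback; on 2.4 these directives need mod_access_compat.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>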

# Prevent directory browsing: with Indexes off, a directory that has no index
# document returns 403 instead of an auto-generated file listing, so file
# names in upload or backup folders are not disclosed.
Options -Indexes

# Default document served when a directory itself is requested
DirectoryIndex index.php

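# Enable URL rewriting (front-controller routing through index.php)
RewriteEngine On
RewriteBase /

# Refuse any path that contains a dot-prefixed segment (.git/, .svn/, .env),
# except .well-known/, which certificate issuance and similar standards rely
# on. The FilesMatch "^\." rules in this file test only the final file name,
# so without this rule a file such as .git/config would be served by the
# "existing file" exemption below.
RewriteRule (^|/)\.(?!well-known(/|$)) - [F]

# Requests that resolve to an existing file or directory are served as-is;
# the two conditions apply only to the RewriteRule that follows them.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d

# Everything else is handed to index.php with the requested path in "url".
# QSA appends the client's original query string after it, so a client can
# supply its own url= parameter (PHP keeps the last occurrence) or request
# index.php?url=... directly. index.php must treat $_GET['url'] as untrusted
# input and validate it before using it for routing or file access.
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]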

# Security Headers
# NOTE(review): these three directives repeat, with identical values, headers
# already set in the SECURITY HEADERS block at the top of this file. Because
# "Header set" replaces any earlier value and this block is processed later,
# the values here are the ones that take effect; change both blocks together
# or remove this one.
<IfModule mod_headers.c>
    # Browsers must honour the declared Content-Type
    Header set X-Content-Type-Options "nosniff"
    # Only same-origin pages may frame this site
    Header set X-Frame-Options "SAMEORIGIN"
    # Legacy XSS-auditor header; current browsers ignore it
    Header set X-XSS-Protection "1; mode=block"
</IfModule>