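# Security Headers
<IfModule mod_headers.c>
    # HSTS (HTTP Strict Transport Security).
    # "preload" is meant for submission to the browser preload list and,
    # together with includeSubDomains, commits every subdomain to HTTPS for a
    # year; it cannot be undone quickly, so only keep it once every subdomain
    # serves TLS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    
    # X-Content-Type-Options: stop browsers from MIME-sniffing responses
    Header always set X-Content-Type-Options "nosniff"
    
    # X-Frame-Options: legacy clickjacking control. The CSP frame-ancestors
    # directive below is the current mechanism; this line is kept for clients
    # that do not honour CSP.
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # X-XSS-Protection: the browser XSS auditor is deprecated and has been
    # removed from current browsers; where it still exists the filter itself
    # has been abused to block or leak legitimate content, so "0" turns it off
    # explicitly. The Content-Security-Policy below is the actual defense.
    Header always set X-XSS-Protection "0"
    
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    
    # Content Security Policy (adjust as needed).
    # NOTE(review): 'unsafe-inline' in script-src lets any injected <script>
    # execute, which removes most of the XSS protection a CSP provides; move
    # inline scripts into files or use nonces/hashes, then drop it.
    # "img-src https:" allows images from any HTTPS origin.
    # base-uri and frame-ancestors do not fall back to default-src, so the
    # previous policy left <base> injection and framing unrestricted at the
    # CSP level; object-src 'none' tightens the plugin fallback from 'self'.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://kit.fontawesome.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' https://ka-f.fontawesome.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self';"
    
    # Remove fingerprinting headers.
    # NOTE(review): mod_headers generally cannot strip "Server" because httpd
    # adds it after the output filters run, so that line is usually a no-op;
    # reduce it with "ServerTokens Prod" in the server config (not permitted
    # in .htaccess). "always" operates on the error-headers table, so headers a
    # module adds to the normal table (PHP's X-Powered-By) need the plain form
    # as well; the proper fix is expose_php = Off in php.ini.
    Header always unset Server
    Header always unset X-Powered-By
    Header unset X-Powered-By
</IfModule>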

# Disable server signature: keeps the version/hostname footer out of
# server-generated pages (error pages, directory listings). This does not
# affect the Server response header; that is controlled by ServerTokens in
# the main server config.
ServerSignature Off

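# Prevent access to sensitive files.
# (?i) makes the match case-insensitive so "BACKUP.SQL" or "config.INI" are
# refused too; "^\." covers every dotfile (.htaccess, .htpasswd, .env, .git*)
# instead of only the two named explicitly. FilesMatch tests the file name
# only, not directory components, so a ".git/" tree or similar directory
# needs a DirectoryMatch or RedirectMatch rule in the server config.
<FilesMatch "(?i)(^\.|\.(ini|log|sh|sql|bak|env)$)">
    Require all denied
</FilesMatch>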

# Prevent directory browsing: without an index file Apache returns 403
# instead of listing the directory contents.
Options -Indexes

# Limit file upload size (if not set in php.ini).
# NOTE(review): php_value is only understood when PHP runs as an Apache module
# (mod_php); under PHP-FPM or CGI the directive is unknown and every request
# fails with a 500 "Invalid command" error. Guard these lines with an
# <IfModule> for the loaded PHP module, or set the limits in php.ini /
# .user.ini instead. post_max_size must stay larger than upload_max_filesize
# or uploads are rejected before PHP sees them.
php_value upload_max_filesize 10M
php_value post_max_size 20M
