
# Image Optimization
# Browser cache lifetime for image responses, keyed on the response Content-Type.
# NOTE: "image/jpg" is not a registered media type; unless the server's mime map
# actually emits it, only the image/jpeg line below has any effect.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
</IfModule>

# Enable compression
# DEFLATE output filter for text-based response types only (images are left alone).
# NOTE(review): compressing HTML that carries a secret (session or CSRF token) next to
# content reflected from the request is what the BREACH class of attacks relies on;
# if that applies here, keep such secrets out of compressed responses or mask them
# per response. "application/x-javascript" is the legacy alias kept for old emitters.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

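# URL Redirects to Fix 404s
# Guarded with <IfModule> like the other module blocks in this file, so a host
# without mod_rewrite does not fail the whole .htaccess with a 500.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect old admin paths (with or without a trailing slash)
    RewriteRule ^admin/?$ /admin_dashboard.php [R=301,L]
    RewriteRule ^dashboard/?$ /admin_dashboard.php [R=301,L]

    # Strip a trailing slash from "admin_<page>/" and map it to "admin_<page>.php"
    RewriteRule ^admin_(.+)/$ /admin_$1.php [R=301,L]

    # Handle common typos: "admim..." / "adnim..." -> "/admin..."
    # The target always begins with "/admin", so the captured suffix stays a local
    # path and cannot turn this into a redirect to another host.
    RewriteRule ^admim(.*)$ /admin$1 [R=301,L]
    RewriteRule ^adnim(.*)$ /admin$1 [R=301,L]
</IfModule>

# Custom 404 handler (core directive; does not depend on mod_rewrite)
ErrorDocument 404 /404.php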

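# Security Headers and HTTPS Enforcement
<IfModule mod_headers.c>
    # HSTS (HTTP Strict Transport Security) - Force HTTPS for 1 year
    # NOTE: "preload" commits this host and every subdomain to HTTPS-only for as long
    # as browsers ship the preload list and is hard to undo; keep it only once the
    # HTTPS redirect below is enabled and every subdomain serves TLS. Browsers ignore
    # HSTS received over plain HTTP, so sending it unconditionally is harmless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    
    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"
    
    # Prevent clickjacking (legacy header; frame-ancestors in the CSP below is the
    # modern equivalent and both are set to the same-origin policy)
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # XSS Protection: the legacy browser XSS auditor has been removed from current
    # browsers, and where it still exists "1; mode=block" can itself be abused for
    # cross-site leaks, so the recommended value is 0 (explicitly disabled).
    # CSP is the real XSS control.
    Header always set X-XSS-Protection "0"
    
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    
    # Content Security Policy - Basic policy (adjust as needed)
    # 'unsafe-inline' in script-src means this policy does not stop injected inline
    # scripts; moving inline scripts to files or nonces is what makes CSP effective.
    # base-uri and frame-ancestors do not inherit from default-src, so they are set
    # explicitly; object-src 'none' removes plugin content entirely.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://kit.fontawesome.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' https://ka-f.fontawesome.com; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';"
    
    # Remove server information
    # NOTE: httpd adds the Server header after mod_headers has run, so "unset Server"
    # is generally ineffective from .htaccess; ServerTokens Prod in the server config
    # is what actually trims it. X-Powered-By is also suppressed by expose_php below.
    Header always unset Server
    Header always unset X-Powered-By
</IfModule>

# Drop the version footer from server-generated error pages (core directive,
# permitted in .htaccess).
ServerSignature Off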

# Force HTTPS (uncomment for production)
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

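# Hide sensitive files and directories
# Matches on the file name only (FilesMatch ignores the directory part). (?i) makes
# the match case-insensitive so a request such as "dump.SQL" on a case-insensitive
# filesystem cannot serve the file the pattern was meant to hide. Dotfiles
# (.env, .git, ...) are denied by the separate "^\." rule below.
<FilesMatch "(?i)(\.htaccess|\.htpasswd|\.ini|\.log|\.sh|\.sql|\.bak|composer\.(json|lock)|package\.json)$">
    Require all denied
</FilesMatch>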

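# Deny every dotfile (.env, .git*, .DS_Store, editor swap files, ...).
# This is a hidden-file block, not a path-traversal defence; the old comment was
# misleading. <FilesMatch> replaces the deprecated "<Files ~>" spelling; the regex
# itself is unchanged.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>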

# Disable directory browsing
# Stops httpd from listing a directory that has no index file. Requires
# AllowOverride Options (or All) in the server config; otherwise the whole
# .htaccess is rejected with a 500.
Options -Indexes

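# Block access to test files (remove in production)
# Each prefix carries ".*": with "^(test_|ajax_test_|...)$" the two prefixes were
# anchored to the end of the name and matched only files literally called "test_"
# or "ajax_test_", so test_*.php and ajax_test_*.php were still served.
<FilesMatch "^(test_.*|ajax_test_.*|.*_test\.php)$">
    Require all denied
</FilesMatch>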

# Session security
# php_value/php_flag are honoured only when PHP runs as an Apache module (mod_php);
# under PHP-FPM/CGI they are unknown directives and the .htaccess fails with a 500 --
# move these settings to php.ini or .user.ini in that case.
php_value session.cookie_httponly 1
# cookie_secure=1 sends the session cookie over HTTPS only; while the HTTPS redirect
# above is still commented out, plain-HTTP visitors will not keep a session.
php_value session.cookie_secure 1
php_value session.use_only_cookies 1
# NOTE(review): session.cookie_samesite (Lax/Strict, PHP >= 7.3) is not set here;
# worth adding as CSRF defence in depth.

# Hide PHP version
# Suppresses the X-Powered-By header at the source (complements the mod_headers
# unset above).
php_flag expose_php off
