# ============================================================
#  .htaccess — Portable (works on any domain or subfolder)
# ============================================================

# Turn off auto-generated directory listings (Indexes) and content-negotiated
# file name matching (MultiViews), so a URL only resolves to a file that was
# requested by its exact name.
Options -Indexes -MultiViews

# ── PHP settings ────────────────────────────────────────────
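# PHP 8 registers its Apache module as mod_php.c (no version suffix).
# A test for "mod_php8.c" never matches, so the limits below would be
# skipped silently and the server-wide defaults would apply instead.
# php_value only takes effect when PHP runs as an Apache module; under
# PHP-FPM or CGI the same limits belong in a .user.ini file.
<IfModule mod_php.c>
  # Largest single uploaded file accepted by PHP.
  php_value upload_max_filesize 8M
  # Whole request body; kept above upload_max_filesize so the form fields
  # sent alongside an 8M file still fit.
  php_value post_max_size 10M
  # Seconds a script may run before PHP aborts it.
  php_value max_execution_time 60
</IfModule>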
# Same limits for hosts that still run PHP 7 as an Apache module.
<IfModule mod_php7.c>
  # Seconds a script may run before PHP aborts it.
  php_value max_execution_time 60
  # Whole request body (file plus form fields).
  php_value post_max_size 10M
  # Largest single uploaded file.
  php_value upload_max_filesize 8M
</IfModule>

# ── Deny direct access to sensitive files ───────────────────
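# Refuse to serve database dumps, logs, notes, environment files, backups and
# shell scripts. FilesMatch tests only the base name of the requested file:
# ".env" is covered, but the "git" alternative matches files whose name ends
# in ".git", not the contents of a .git/ directory. Protecting that directory
# needs a path-based rule.
<FilesMatch "\.(sql|log|md|env|bak|sh|git)$">
  # Apache 2.4+: native authorization syntax. The legacy Order/Deny pair
  # needs mod_access_compat there; without it the unknown directive turns
  # every request in this directory into a 500 error.
  # NOTE(review): Require in .htaccess needs AllowOverride AuthConfig (or All).
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 fallback.
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>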

# ── Protect includes and config ─────────────────────────────
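# Path-based access rules. Patterns in RewriteRule are relative to the
# directory holding this .htaccess, so they work at the domain root or in a
# subfolder. Each rule answers 403 (F) and stops rule processing (L).
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Block every path inside a .git/ directory. Extension-based file matching
  # cannot do this because it only sees the final file name.
  RewriteRule (^|/)\.git(/|$) - [F,L]

  # Block direct access to includes folder
  RewriteRule ^includes/ - [F,L]

  # Under uploads/logos/, refuse a PHP-style extension anywhere in the path,
  # not only at the end. The image check below looks at how the URL ends, so
  # a script name followed by extra path segments, or a multi-part file name
  # such as name.php.jpg, would otherwise pass it.
  RewriteCond %{REQUEST_URI} /uploads/logos/.*\.(php[0-9]?|phtml|phar)(\.|/|$) [NC]
  RewriteRule ^ - [F,L]

  # Block everything else under uploads/logos/ that does not end in an
  # image extension (this includes the bare directory URL).
  RewriteCond %{REQUEST_URI} /uploads/logos/
  RewriteCond %{REQUEST_URI} !\.(jpg|jpeg|png|gif|webp)$ [NC]
  RewriteRule ^ - [F,L]
</IfModule>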

# ── Security headers ────────────────────────────────────────
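# Response hardening headers.
# "always" attaches each header to error responses too (for example the 403
# pages produced by the access rules in this file); a plain "Header set"
# only covers successful responses.
# NOTE(review): if the application also emits one of these headers itself,
# check responses for duplicates after switching to "always".
<IfModule mod_headers.c>
  # Stop browsers from guessing a content type different from the declared one.
  Header always set X-Content-Type-Options "nosniff"
  # Allow framing only by pages of the same origin (clickjacking defence).
  Header always set X-Frame-Options "SAMEORIGIN"
  # The legacy browser XSS auditor has been removed from current browsers and
  # its "1; mode=block" setting could itself be abused in older ones, so it is
  # switched off explicitly. A Content-Security-Policy is the replacement; it
  # is site-specific and therefore not set here.
  Header always set X-XSS-Protection "0"
  # Send the full URL as referrer within the site, only the origin to other
  # sites, and nothing when going from HTTPS to HTTP.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>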

# ── Cache static assets ─────────────────────────────────────
# Browser cache lifetimes per content type, counted from the time of access.
# Types not listed here get no Expires header from this block.
<IfModule mod_expires.c>
  ExpiresActive On

  # Images: 30 days.
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"

  # Stylesheets and scripts: 7 days.
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType text/css "access plus 7 days"
</IfModule>

# ── Root index redirect ─────────────────────────────────────
<IfModule mod_rewrite.c>
  RewriteEngine On
  # An empty relative path means the request is for the directory that holds
  # this .htaccess; rewrite it internally to index.php. The pattern is
  # relative to that directory, so it works at the domain root or in a
  # subfolder. [L] ends rule processing for this pass.
  RewriteRule ^$ index.php [L]
</IfModule>
