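RewriteEngine On
RewriteBase /

Options -Indexes
DirectoryIndex index.php

# ── Compression ───────────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

# ── Browser Caching ───────────────────────────────────────────────────────────
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css              "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType image/jpg             "access plus 30 days"
    ExpiresByType image/jpeg            "access plus 30 days"
    ExpiresByType image/png             "access plus 30 days"
    ExpiresByType image/webp            "access plus 30 days"
    ExpiresByType image/svg+xml         "access plus 30 days"
    ExpiresByType image/x-icon          "access plus 30 days"
</IfModule>

<IfModule mod_headers.c>
    <FilesMatch "\.(css|js|jpg|jpeg|png|webp|svg|ico)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>
    # Security headers ("always" so they are also sent on 403/404 responses)
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# ── Block direct access to sensitive files ─────────────────────────────────
# "^\.env" covers .env, .env.example and every other .env.* variant (e.g.
# .env.local), which a suffix-only match would miss; the remaining
# alternatives keep the original suffix matches unchanged.
<FilesMatch "(^\.env|\.env$|settings\.json$|composer\.json$|composer\.lock$|\.gitignore$|package\.json$|package-lock\.json$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# ── Error pages: pass through index.php for proper HTTP status codes ──────────
# NOTE: We do NOT redirect 404/403 to / as that causes soft-404s and harms SEO.
# Instead, the router handles 404/403 responses with correct HTTP status codes.
ErrorDocument 403 /index.php?error=403
ErrorDocument 404 /index.php?error=404

# ── Block direct access to sensitive directories (403 — not redirect) ─────────
RewriteCond %{REQUEST_URI} ^/(storage|core|system|app|vendor)(/|$) [NC]
RewriteRule ^ - [F,L]

# ── Block installer after installation ────────────────────────────────────────
RewriteCond %{REQUEST_URI} ^/install(/|$) [NC]
RewriteCond %{DOCUMENT_ROOT}/storage/installed.lock -f
RewriteRule ^ / [R=302,L]

# ── Block public/install after installation ───────────────────────────────────
RewriteCond %{REQUEST_URI} ^/public/install(/|$) [NC]
RewriteCond %{DOCUMENT_ROOT}/storage/installed.lock -f
RewriteRule ^ / [R=302,L]

# ── Harden upload directories (block PHP execution) ──────────────────────────
# This rule MUST come before the static-file pass-through below: that rule
# ends rewrite processing with [L] for every path that exists on disk, which
# is exactly the situation an uploaded script is in, so a deny rule placed
# after it never fires. The trailing (?:\.|$) also rejects double extensions
# such as "x.php.jpg", which AddHandler-based PHP setups may still execute.
RewriteRule ^(?:uploads|public/uploads)/.*\.(?:php[0-9]?|phtml|phar|cgi|pl|py|sh|exe)(?:\.|$) - [F,L,NC]

# ── Static files and directories served directly ─────────────────────────────
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# ── Route everything else through index.php ───────────────────────────────────
RewriteRule ^ index.php [QSA,L]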
