# -MultiViews turns off content negotiation, so a URL is never silently mapped
# to a similarly named file; -Indexes disables auto-generated directory listings.
Options -MultiViews -Indexes
RewriteEngine On

# ── Force HTTPS (enable on live server) ──────────────────────────────────────
# NOTE(review): %{HTTP_HOST} comes from the client's Host header. If this vhost
# answers for arbitrary host names, consider hard-coding the canonical host in
# the redirect target instead of reflecting it.
# NOTE(review): behind a TLS-terminating proxy or load balancer %{HTTPS} may
# stay "off" for every request; verify before enabling to avoid a redirect loop.
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── Route all requests through index.php ─────────────────────────────────────
# Local dev (XAMPP subfolder): RewriteBase /zabibu-residence/public/
# Production (root domain):    RewriteBase /
RewriteBase /

# Front controller: anything that is not an existing file (!-f) or directory
# (!-d) is handed to index.php. QSA keeps the original query string, L ends
# rule processing for this pass.
# Existing files are served directly and bypass index.php, so this directory
# should hold only assets that are meant to be public.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [QSA,L]

# ── Security Headers ─────────────────────────────────────────────────────────
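<IfModule mod_headers.c>
    # "always" also attaches the headers to error responses and redirects,
    # not only to successful responses.

    # Clickjacking defence for browsers that do not honour CSP frame-ancestors.
    Header always set X-Frame-Options "SAMEORIGIN"

    # The legacy XSS auditor is gone from current browsers, and in old ones
    # "1; mode=block" could itself be abused to leak information across
    # origins. Current guidance (e.g. OWASP Secure Headers) is to switch it
    # off explicitly and rely on output encoding plus a Content-Security-Policy.
    Header always set X-XSS-Protection "0"

    # Stop browsers from MIME-sniffing a response into another content type.
    Header always set X-Content-Type-Options "nosniff"

    # Send the full URL only to same-origin requests, the origin alone
    # cross-origin, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Deny these browser features to this site and to any embedded frames.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

    # NOTE(review): no Content-Security-Policy is set in this file. It is the
    # main browser-side XSS mitigation and has to be written against the
    # application's actual script/style/image sources; confirm whether the
    # application sets one itself.

    # Uncomment on HTTPS:
    # Only enable once every host covered by the policy serves valid HTTPS.
    # "includeSubDomains" applies to all subdomains, and "preload" asks for
    # inclusion in browsers' built-in lists, which is slow to undo. Consider
    # rolling out with a short max-age first and without "preload".
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>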

# ── Static Asset Caching ─────────────────────────────────────────────────────
# Long-lived caching for static assets, expressed twice so that it still works
# when only one of mod_expires / mod_headers is loaded. Both values describe
# the same lifetime: 3 months in mod_expires terms is 90 days = 7776000 s.
#
# NOTE(review): "immutable" tells browsers not to revalidate for the whole
# lifetime. That is only safe when asset URLs change with their content
# (hashed or versioned file names); otherwise clients can keep a stale or
# vulnerable script for up to three months after it has been fixed.
<IfModule mod_expires.c>
    ExpiresActive On
    <FilesMatch "\.(?:css|js|png|jpe?g|gif|ico|webp|woff2?|ttf|svg)$">
        ExpiresDefault "access plus 3 months"
    </FilesMatch>
</IfModule>

<IfModule mod_headers.c>
    <FilesMatch "\.(?:css|js|png|jpe?g|gif|ico|webp|woff2?|ttf|svg)$">
        Header set Cache-Control "public, max-age=7776000, immutable"
    </FilesMatch>
</IfModule>

# ── Block access to sensitive files ──────────────────────────────────────────
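# Deny direct download of configuration, dump, log and backup files.
# (?i) makes the match case-insensitive so variants such as ".SQL" or ".Env"
# are covered too, which matters on case-insensitive filesystems.
# Apache 2.4 uses "Require all denied"; the 2.2 "Order/Deny" syntax only works
# there when mod_access_compat is loaded and otherwise makes every request
# fail with a 500, so it is kept purely as a fallback for 2.2 servers.
# NOTE(review): access checks appear to run before the front-controller
# rewrite, so application routes whose URL ends in one of these extensions
# (e.g. ".json") may be answered with 403; verify against the route table.
# These rules are a safety net: such files are best kept outside the web root.
<FilesMatch "(?i)\.(env|log|sql|json|lock|md|ini|sh|bak)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block dot files (.htaccess, .htpasswd, .env, etc.)
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch only tests the last path component, so it does not protect files
# inside dot directories (".git/config" has the file name "config"). Refuse any
# path containing a dot-prefixed segment instead; ".well-known/" stays
# reachable for ACME and similar standard endpoints.
# The front-controller rule earlier in this file only matches non-existent
# paths, so requests for files that do exist still reach this rule.
<IfModule mod_rewrite.c>
    RewriteRule "(^|/)\.(?!well-known(/|$))" - [F]
</IfModule>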

# ── Gzip Compression ─────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    # Compress text-based responses only; the image and font formats served
    # here are already compressed.
    # NOTE(review): compressing HTTPS responses that mix secrets (e.g. CSRF
    # tokens) with reflected request data is the precondition for BREACH-style
    # attacks; confirm the application's dynamic pages are not affected.
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE text/xml
</IfModule>
