# Turn off automatic directory listings (Indexes) and content-negotiated
# filename guessing (MultiViews) for this directory tree.
Options -Indexes -MultiViews

# -------------------------------------------------------
# URL Rewriting
# -------------------------------------------------------
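<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /x/dinamika_atmosfer/

    # Deny rules must come first. Rules in a .htaccess are evaluated in file
    # order, and the two front-controller rules at the end of this block stop
    # processing ([L]) for every request, so any deny rule placed after them
    # is never evaluated and existing files under config/ or sql/ would be
    # served directly. Other deny or Referer rules in this file must likewise
    # precede the catch-all to take effect.
    RewriteRule ^(config|sql)/.*$   - [F,L]
    RewriteRule ^auth/middleware.*$ - [F,L]

    # Remove trailing slash (except root and real directories).
    # The redirect target is taken from REQUEST_URI so the
    # /x/dinamika_atmosfer/ prefix is kept; RewriteBase is only applied to
    # relative substitutions, so a target written as "/$1" would drop it.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Serve existing files/dirs directly
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # Route unknown requests to index.php (front controller)
    RewriteRule ^ index.php [L]
</IfModule>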

# -------------------------------------------------------
# Security Headers
# -------------------------------------------------------
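<IfModule mod_headers.c>
    # "always" applies the header to error and redirect responses as well as
    # successful ones.
    Header always set X-Content-Type-Options    "nosniff"
    Header always set X-Frame-Options           "SAMEORIGIN"
    # The legacy browser XSS auditor has been removed from current browsers,
    # and "1; mode=block" could itself be abused in the browsers that had it.
    # Current guidance is to switch it off explicitly and rely on a
    # Content-Security-Policy instead.
    Header always set X-XSS-Protection          "0"
    Header always set Referrer-Policy           "strict-origin-when-cross-origin"
    Header always set Permissions-Policy        "geolocation=(), microphone=(), camera=()"
    Header always append Vary                   "Accept-Encoding"

    # NOTE(review): no Content-Security-Policy is set here, and no
    # Strict-Transport-Security. Both depend on how the site is built and
    # served (inline scripts, HTTPS-only or not) - confirm and add them.

    # Remove server signature.
    # NOTE(review): Apache adds the Server header itself after mod_headers has
    # run, so this unset normally has no effect; ServerTokens/ServerSignature
    # in the main server configuration control it.
    Header unset Server
    # X-Powered-By is removed from both header tables so that error responses
    # are covered too.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>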

# -------------------------------------------------------
# Protect sensitive files
# -------------------------------------------------------
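# Block direct HTTP access to configuration, secret and dependency-manifest
# files. The pattern is matched against the file name only. "^" binds to the
# .htaccess alternative alone; every other alternative matches as a suffix,
# so e.g. "db_config.php" is denied as well.
# .env variants (.env.local, .env.bak, ...) and package-lock.json are included
# because they usually carry the same secrets or version details as the files
# already listed.
<FilesMatch "(^\.htaccess|config\.php|database\.php|\.env(\.[^/]*)?|composer\.(json|lock)|package(-lock)?\.json)$">
    # Apache 2.4+ authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>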

# Deny access to config and sql directories
<IfModule mod_rewrite.c>
    # Return 403 for anything under config/ or sql/, and for paths starting
    # with auth/middleware.
    # NOTE(review): rewrite rules in a .htaccess are evaluated in file order.
    # The front-controller rules earlier in this file end every request with
    # [L] (existing file/dir -> "-", everything else -> index.php), so as
    # placed here these rules appear never to be reached. To take effect a
    # deny rule has to appear before those catch-all rules; verify with a
    # request for a file that exists under config/ or sql/.
    RewriteRule ^(config|sql)/.*$   - [F,L]
    RewriteRule ^auth/middleware.*$ - [F,L]
</IfModule>

# -------------------------------------------------------
# PHP Security
# -------------------------------------------------------
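# These settings only apply when PHP runs as an Apache module. Under
# PHP-FPM/CGI neither block matches and the same values have to be set in
# php.ini or a .user.ini instead.
# expose_php can only be changed in php.ini, so the php_flag below is not
# expected to take effect from a .htaccess; set it in php.ini as well.
# NOTE(review): session.cookie_secure is not set. If the site is served over
# HTTPS only, enable it so the session cookie is never sent in clear text.

# NOTE(review): PHP 8's Apache module identifies itself as mod_php.c (PHP 7
# as mod_php7.c); confirm that mod_php8.c matches anything on this server.
<IfModule mod_php8.c>
    php_flag display_errors         Off
    php_flag expose_php             Off
    php_value session.cookie_httponly  1
    php_value session.cookie_samesite  Strict
    php_value session.use_strict_mode  1
    php_value upload_max_filesize   10M
    php_value post_max_size         12M
</IfModule>

# Kept identical to the block above: this is the block that matches on PHP 8,
# and it was missing the SameSite and strict-session-mode settings.
<IfModule mod_php.c>
    php_flag display_errors         Off
    php_flag expose_php             Off
    php_value session.cookie_httponly  1
    php_value session.cookie_samesite  Strict
    php_value session.use_strict_mode  1
    php_value upload_max_filesize   10M
    php_value post_max_size         12M
</IfModule>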

# -------------------------------------------------------
# Compression
# -------------------------------------------------------
<IfModule mod_deflate.c>
    # Compress text-based responses; binary formats are left alone.
    # NOTE(review): compressing pages that mix secrets (e.g. CSRF tokens) with
    # reflected request data is the precondition for BREACH-style attacks -
    # confirm this is acceptable for the dynamic pages served here.
    AddOutputFilterByType DEFLATE text/html text/plain text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/json
</IfModule>

# -------------------------------------------------------
# Browser Caching
# -------------------------------------------------------
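<IfModule mod_expires.c>
    # Client-side cache lifetimes per MIME type, counted from the time of the
    # request ("access").
    ExpiresActive On
    ExpiresByType text/css              "access plus 1 week"
    # A space is required between the MIME type and the quoted interval;
    # without it the directive does not parse as two arguments and the
    # .htaccess can fail for every request when mod_expires is loaded.
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType image/png             "access plus 1 month"
    ExpiresByType image/jpeg            "access plus 1 month"
    ExpiresByType image/svg+xml         "access plus 1 month"
    ExpiresByType font/woff2            "access plus 3 months"
</IfModule>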

# -------------------------------------------------------
# Charset
# -------------------------------------------------------
# Adds "charset=UTF-8" to text/plain and text/html responses that do not
# declare a charset themselves, so browsers do not have to guess the encoding.
AddDefaultCharset UTF-8

# -------------------------------------------------------
# Prevent hotlinking of uploaded files
# -------------------------------------------------------
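<IfModule mod_rewrite.c>
    # Refuse pdf/docx/xlsx requests whose Referer names another site.
    # Requests without a Referer are allowed, and the header is set by the
    # client, so this limits casual hotlinking only; it is not access control
    # for the documents themselves.
    # NOTE(review): rewrite rules in a .htaccess are evaluated in file order,
    # and the front-controller rules earlier in this file end every request
    # with [L]; as placed here this rule appears never to be reached and would
    # have to sit above them to take effect.
    RewriteCond %{HTTP_REFERER}     !^$
    # The host is anchored with ([/:]|$) so that a longer host name that merely
    # starts with the site's domain is not treated as the site itself.
    RewriteCond %{HTTP_REFERER}     !^https?://(www\.)?stemdwiwarna\.id([/:]|$) [NC]
    RewriteRule \.(pdf|docx|xlsx)$  - [F,NC,L]
</IfModule>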
