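# Strip the X-Powered-By header (PHP and frameworks advertise themselves in it).
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

# General Server Settings
# ServerTokens cannot be set in .htaccess (server-config only), so the Server
# header still names the product even with the signature off.
ServerSignature Off
Options -Indexes

# Deny access to sensitive files
# <FilesMatch> tests only the basename of the mapped file: this covers the
# exact name ".env" in any directory, but not variants such as ".env.local".
<FilesMatch "^\.env$">
    Require all denied
</FilesMatch>

# Deny access to log files
# The previous patterns "\.system/.*\.log$" and "^\.system/storage/.*$" could
# never match: FilesMatch only sees the basename, which never contains "/".
# Path-based denial for .system/ is expressed as rewrite rules below; this
# basename rule additionally blocks any *.log file under the document root.
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>

RewriteEngine on

# Deny direct client requests to logs and the storage directory under .system/.
# REDIRECT_STATUS is set only on internal redirects, so the catch-all route to
# .system/app.php at the end of this file does not trip this rule.  The
# catch-all would otherwise hand such requests to app.php; this is defence in
# depth, and [F] answers them with 403 before the application runs.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^\.system/(storage/|.*\.log$) - [F,L]

# Redirect public requests (internal rewrites, not HTTP redirects)
RewriteRule ^favicon\.ico$ /.assets/logo.png [L]
RewriteRule ^robots\.txt$ /.assets/robots.txt [L]
RewriteRule ^sitemap\.xml$ /.assets/sitemap.xml [L]
RewriteRule ^assets/(.*)$ /.assets/$1 [L]

# Serve files under /.assets/ directly, but only with allow-listed extensions;
# anything else falls through to the application router.  The "." in ".assets"
# is escaped so that e.g. "/xassets/" cannot bypass the router.
RewriteCond %{REQUEST_URI} ^/\.assets/.*\.(css|js|svg|woff|woff2|mp4|ogg|mp3|wav|jpeg|jpg|png|gif|ico|webp|xml|txt|json|csv)$ [NC]
RewriteRule .* - [L]

# Route everything else
RewriteRule ^(.*)$ .system/app.php [L,QSA]

# [SECURITY]
# "always" applies the headers to error responses (4xx/5xx) too; a plain
# "Header set" only touches successful (2xx) responses.  The module guard
# matches the one at the top of the file; note it degrades silently (no
# headers at all) if mod_headers is not loaded.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # Legacy header: current browsers ignore it and current guidance is to
    # send "0" or omit it; kept unchanged for older clients.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer"
    # Browsers ignore HSTS received over plain HTTP, so no HTTPS condition is needed.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # NOTE(review): only meaningful together with Access-Control-Allow-Origin,
    # which is not set in this file — presumably .system/app.php emits it; confirm.
    Header always set Access-Control-Allow-Headers "Content-Type, X-System"
</IfModule>
# Only these methods reach the application; <LimitExcept> treats HEAD as GET,
# so HEAD is still allowed.  OPTIONS is denied, which blocks CORS preflight —
# if the Access-Control-Allow-Headers setting above is meant for cross-origin
# callers, OPTIONS must be added to this list.  Confirm the intended use.
<LimitExcept GET POST PUT DELETE>
    Require all denied
</LimitExcept>

# Application settings exported to .system/app.php through the environment.
# NOTE(review): CONTENT_LENGTH is also the CGI meta-variable that Apache fills
# from the request's Content-Length header, so this value is liable to be
# overwritten on requests that carry a body — exactly the requests a size
# limit matters for.  Renaming it needs a matching change in the application,
# so it is only flagged here.
# Size (MB)
SetEnv CONTENT_LENGTH 2
# Lock Time (Seconds)
SetEnv LOCK_TIME 30
# ID Rate (Seconds)
SetEnv IDR_PERIOD 10
# ID Rate (Requests)
SetEnv IDR_AMOUNT 10
# IP Rate (Seconds)
SetEnv IPR_PERIOD 60
# IP Rate (Requests)
SetEnv IPR_AMOUNT 200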
