# ===== Rewrite / Front Controller =====
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# --- Force HTTPS (SAFE with/without proxy) ---
# يعمل بدون Loop سواء كنت خلف Proxy أو مباشرة على Apache
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- Block direct access to sensitive app dirs (if any under public_html) ---
# عدّل القائمة حسب هيكل مشروعك إن وجِد داخل public_html
RewriteRule ^(app|includes|storage|vendor)/ - [F,L]

# --- Front Controller ---
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [QSA,L]
</IfModule>

# ===== No directory listing =====
Options -Indexes

# ===== Block sensitive files =====
<FilesMatch "(^\.|\.env|\.git|composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|\.sql|\.bak|\.old|\.zip|\.tar|\.gz)$">
  Require all denied
</FilesMatch>

# ===== Disallow legacy PHP extensions execution =====
<FilesMatch "\.(phps|phtml|php3|php4|php5|php7|php8)$">
  Require all denied
</FilesMatch>

# (لا حاجة لبلوك يسمح بـ .php؛ مُعالج cPanel يتكفّل بذلك)

# ===== Double-extension hardening (e.g., file.jpg.php) =====
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} \..*\.(php|phtml|php[0-9]?|phar|cgi|pl|py|sh|shtml|jsp|asp|aspx)$ [NC]
RewriteRule .* - [F,L]
</IfModule>

# ===== Security Headers =====
<IfModule mod_headers.c>
  Header always set X-Frame-Options "DENY"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
  # ملاحظة: X-XSS-Protection قديم ومُهمل؛ تركناه غير مفعّل لتفادي سلوك غير متوقع في متصفحات قديمة.
  # لتفعيل HSTS بعد التأكد من https على كل النطاقات/الفرعية:
  # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  # لإضافة CSP لاحقًا جرّب report-only أولاً لتفادي كسر الواجهة.
  # Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: blob:; script-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
</IfModule>

# ===== Compression & Caching =====
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css application/json application/javascript application/xml application/xhtml+xml
</IfModule>
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType image/avif "access plus 30 days"
  ExpiresByType image/webp "access plus 30 days"
  ExpiresByType image/svg+xml "access plus 30 days"
  ExpiresByType image/png "access plus 30 days"
  ExpiresByType image/jpeg "access plus 30 days"
  ExpiresDefault "access plus 1 day"
</IfModule>

FileETag None

# ===== cPanel PHP Handler =====
