# ============================================================
# Muhanga TTC — Production .htaccess  (v2)
# aquaee.org.zw
# ============================================================
# Do not append the server name/version footer to server-generated pages
# (error documents, listings). ServerTokens, which controls the "Server"
# response header, cannot be set from .htaccess and is not affected here.
ServerSignature Off
# Never auto-generate a directory listing for a folder without an index file.
Options -Indexes

# ── Force HTTPS ──────────────────────────────────────────────
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Any request that did not arrive over TLS is permanently redirected to
    # the same host and path on https://.
    # NOTE(review): the target host is copied from the request's Host header.
    # If the site should only ever answer on one canonical name, hard-code
    # that name here instead of echoing the client-supplied value.
    # NOTE(review): if TLS is terminated by a proxy/CDN in front of Apache,
    # %{HTTPS} may always read "off" here and cause a redirect loop; confirm.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# ── Block direct access to sensitive files and directories ───
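# Refuse HTTP access to database dumps, logs, environment/secret files,
# shell scripts, ini files and editor/backup leftovers, wherever they sit
# under this directory.
#
# Apache 2.4 authorises with "Require" (mod_authz_core). The 2.2-style
# "Order/Deny" pair only works on 2.4 when mod_access_compat is loaded; without
# it the directive is unknown and the whole directory answers 500. Both forms
# are kept, each behind the matching module test, so the block is enforced on
# either server generation.
#
# The pattern is anchored on the final extension, so a compressed copy such
# as "backup.sql.gz" is NOT covered; keep dumps and backups outside the
# web root rather than relying on this list.
<FilesMatch "\.(sql|log|env|sh|htpasswd|ini|bak|swp)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>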

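# NOTE(review): these denials exist only while mod_rewrite is loaded; the
# IfModule wrapper makes them disappear silently otherwise. Keeping a
# deny-all .htaccess inside includes/ as well gives a second, independent layer.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Application include files are never meant to be requested directly.
    RewriteRule ^includes/ - [F,L]
    # Top-level dot entries (.git, .env, .htpasswd ...) are forbidden, except
    # /.well-known/, which certificate issuance (ACME / DCV HTTP validation)
    # and similar standards need to reach. The previous "^\." pattern
    # refused that path too.
    RewriteRule ^\.(?!well-known/) - [F,L]
    # Dot entries below the top level (e.g. sub/.git/config) were not matched
    # by the root-anchored pattern; refuse them as well.
    RewriteRule /\. - [F,L]
</IfModule>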

# ── Security headers ─────────────────────────────────────────
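<IfModule mod_headers.c>
    # "always" attaches each header to error responses as well as successful ones.

    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options    "nosniff"
    # Allow framing by same-origin pages only (clickjacking defence).
    Header always set X-Frame-Options           "SAMEORIGIN"
    # The legacy browser XSS auditor has been removed from current browsers,
    # and its "block" mode could be abused as a side channel in the ones that
    # still had it. OWASP's secure-headers guidance is to switch it off and
    # rely on output encoding plus a Content-Security-Policy instead.
    Header always set X-XSS-Protection          "0"
    # Send the full URL as referrer within the site, only the origin across
    # sites, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy           "strict-origin-when-cross-origin"
    # Deny the page and any embedded frames access to these device features.
    Header always set Permissions-Policy        "geolocation=(), microphone=(), camera=()"

    # NOTE(review): no Content-Security-Policy is set, and the HTTPS redirect
    # is not backed by HSTS, so the first plain-HTTP request of every visit
    # can still be intercepted. Once HTTPS is confirmed working on every
    # hostname served from this directory, consider enabling:
    # Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>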

# ── PHP settings for cPanel ──────────────────────────────────
# NOTE(review): php_flag / php_value are only accepted when PHP runs through
# an Apache module that registers them. Under other handlers (PHP-FPM, CGI)
# they are typically rejected and the site answers 500; confirm the handler,
# and use .user.ini or the hosting panel's INI editor there instead.

# Error handling: record errors, never print them into responses (stack
# traces and paths in a page are an information leak).
php_flag  log_errors       On
php_flag  display_errors   Off
# NOTE(review): /tmp is commonly shared and world-writable on shared hosting,
# and this file name is predictable. Other local accounts may be able to read
# the log or pre-create the path; confirm, and prefer a file inside the
# account's home directory, outside the web root, with owner-only permissions.
php_value error_log        /tmp/muhanga_ttc_errors.log

# Request limits. post_max_size is kept above upload_max_filesize so a
# maximum-size upload plus its accompanying form fields still fits.
php_value post_max_size       12M
php_value upload_max_filesize 10M
php_value memory_limit        128M
php_value max_execution_time  60

# ── GZIP compression ────────────────────────────────────────
<IfModule mod_deflate.c>
    # Compress text-based responses only: HTML, stylesheets and scripts
    # (both MIME types in use for JavaScript).
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript
</IfModule>

# ── Browser caching ─────────────────────────────────────────
<IfModule mod_expires.c>
    ExpiresActive On

    # Stylesheets and scripts: one week, counted from the time of the request.
    ExpiresByType text/css               "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType text/javascript        "access plus 1 week"

    # Images: one month, counted from the time of the request.
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
</IfModule>
