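# PHP Security Settings
# NOTE: php_flag/php_value only take effect when PHP runs as an Apache
# module (mod_php). Under php-fpm or CGI this whole block is silently
# skipped and the same settings must be applied in php.ini / the pool
# configuration instead (TODO confirm how PHP is deployed here).
<IfModule mod_php.c>
    # Session cookie hardening: not readable from JS, only sent over TLS,
    # not sent on cross-site navigations (Lax), and uninitialised session
    # IDs supplied by the client are rejected (blocks session fixation).
    php_flag session.cookie_httponly on
    php_flag session.cookie_secure on
    php_value session.cookie_samesite "Lax"
    php_flag session.use_strict_mode on
    # Accept the session ID only from the cookie, never from the URL.
    # This is PHP's default; it is made explicit so it survives a
    # php.ini that turns it off.
    php_flag session.use_only_cookies on

    # Information-disclosure controls: no X-Powered-By header and no error
    # text in responses. Errors are still recorded in the server error log
    # so that display_errors=off does not hide them completely.
    php_flag expose_php off
    php_flag display_errors off
    php_flag log_errors on
</IfModule>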

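# Force HTTPS and handle PHP extensions
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block VCS metadata anywhere under this directory, not only at its
    # root (the original pattern was anchored with "^", so "sub/.git/..."
    # fell through). Placed first so no later rule can rewrite or redirect
    # such a request. Matches ".git", ".gitignore", ".svn", ... as the
    # start of a path component.
    RewriteRule (^|/)\.(git|svn) - [F,L]

    # HTTPS redirection.
    # NOTE: %{HTTP_HOST} is the client-supplied Host header; if this vhost
    # answers for arbitrary host names, redirect to the canonical hostname
    # instead of echoing the header back.
    # NOTE: behind a TLS-terminating proxy %{HTTPS} stays "off" and this
    # rule would loop; such deployments gate on X-Forwarded-Proto instead
    # (TODO confirm whether a proxy is in front of this server).
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # PHP extension handling (from existing file): serve /foo as /foo.php
    # when that file exists, keeping the query string.
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule !.*\.php$ %{REQUEST_FILENAME}.php [QSA,L]
</IfModule>

# Redirect rule (from existing file).
# `Redirect` belongs to mod_alias, not mod_rewrite, so it is guarded by its
# own module check rather than being skipped whenever mod_rewrite is absent.
# It is a URL-path prefix match with the default 302 status.
<IfModule mod_alias.c>
    Redirect /salesforce/expertise/community_cloud /salesforce/expertise/experience_cloud.php
</IfModule>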

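# Security Headers
# `Header always set` applies the header to every response, including
# 4xx/5xx error pages; the plain `Header set` form only covers 2xx
# responses, which left error pages without these protections.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing responses into scripts/styles.
    Header always set X-Content-Type-Options "nosniff"

    # HSTS: one year, all subdomains. `preload` is effectively permanent
    # once submitted to the browser preload list; keep it only if every
    # subdomain will serve valid TLS indefinitely.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Clickjacking: allow framing from the same origin only. A CSP
    # frame-ancestors directive would supersede this; the CSP below does
    # not set one, so this header is the effective control.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy XSS-auditor flag, kept from the existing file. Modern browsers
    # ignore it, and OWASP now recommends the value "0" because the auditor
    # itself introduced side-channel leaks in older browsers.
    Header always set X-XSS-Protection "1; mode=block"

    # Full referrer to same-origin only; origin only when going cross-origin.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # More permissive CSP that allows resources to load properly.
    # NOTE: every directive allows '*' together with 'unsafe-inline' /
    # 'unsafe-eval', so this policy blocks essentially nothing. Tighten it
    # incrementally using Content-Security-Policy-Report-Only first;
    # object-src 'none' and base-uri 'self' are the usual first candidates
    # (object-src only if no plugin content is served).
    Header always set Content-Security-Policy "default-src 'self' * data: 'unsafe-inline' 'unsafe-eval'; script-src 'self' * 'unsafe-inline' 'unsafe-eval'; style-src 'self' * 'unsafe-inline'; img-src 'self' * data:; font-src 'self' * data:; connect-src 'self' *; media-src 'self' *; object-src 'self' *; frame-src 'self' *;"

    # CORS settings (from existing file): fonts, CSS and JS may be fetched
    # from any origin. A wildcard is acceptable here only because these are
    # public static assets and no credentials are involved.
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>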

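# Disable directory browsing
Options -Indexes

# Protect sensitive files (environment files, dependency manifests, PHP
# config). FilesMatch tests the file name only; directories such as .git
# are handled by the rewrite rules above.
# `Order`/`Deny` is Apache 2.2 syntax; on 2.4 it only works when
# mod_access_compat is loaded, so the 2.4-native form is used when
# available and the 2.2 form is kept as the fallback.
<FilesMatch "^\.env|\.gitignore|composer\.json|composer\.lock|php\.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>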

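# Cache control (from existing file)
# No text/html entry is present, so HTML is not cached by this block;
# the one-year lifetime on CSS/JS assumes versioned (cache-busted)
# asset file names (TODO confirm the build emits them).
<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"

  # Video
  ExpiresByType video/mp4 "access plus 1 year"
  ExpiresByType video/mpeg "access plus 1 year"

  # CSS, JavaScript
  ExpiresByType text/css "access plus 1 year"
  ExpiresByType text/javascript "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"

  # Others
  ExpiresByType application/pdf "access plus 1 day"
  # Flash is end-of-life; entry kept from the existing file.
  ExpiresByType application/x-shockwave-flash "access plus 1 day"
  ExpiresByType font/ttf "access plus 1 year"
  ExpiresByType font/woff "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
  # (image/svg+xml was listed a second time here; it is already set
  # under "Images" with the same lifetime, so the duplicate is dropped.)
</IfModule>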

# GZIP compression (from existing file)
# Only static font and SVG files get the DEFLATE output filter; HTML, CSS
# and JS are not compressed by this block. (woff/woff2 are already
# compressed formats, so DEFLATE gains little on them.) Extending this to
# dynamic HTML that mixes secrets with attacker-controlled input needs
# review, as that is the precondition for BREACH-style attacks.
<IfModule mod_deflate.c>
  <FilesMatch "\.(ttf|otf|eot|svg|woff2?)$">
    SetOutputFilter DEFLATE
  </FilesMatch>
</IfModule>