# PHP Security Settings (only honoured when PHP runs as the Apache module; under
# PHP-FPM mod_php.c is not loaded and the IfModule guard skips this whole block)
<IfModule mod_php.c>
    # Session cookie: not readable from script, sent over HTTPS only, never cross-site
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_value session.cookie_samesite "Strict"
    # Reject session IDs the server did not generate itself (session fixation)
    php_flag session.use_strict_mode On
    # Keep error details out of responses; confirm log_errors is on in php.ini so they are still recorded
    php_flag display_errors Off
    # expose_php is PHP_INI_ONLY, so this line cannot take effect from .htaccess and the
    # setting has to live in php.ini; the "Header unset X-Powered-By" further down is what
    # actually hides the PHP version header on this host
    php_flag expose_php Off
</IfModule>

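# Force HTTPS, deny VCS metadata, and map extension-less URLs to .php files
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Deny any path segment that starts with .git or .svn, at any depth. Per-directory
    # rules match the path relative to this directory, so an anchor of ^ alone covers
    # only the top level (sub/.git/config would slip through). Placed first so these
    # requests never reach the redirect or the .php mapping below.
    RewriteRule (^|/)\.(git|svn) - [F,L]

    # HTTPS redirection. %{HTTPS} reflects the connection to this server only; behind a
    # TLS-terminating proxy it stays "off" and this would loop — confirm the deployment
    # topology. The target reuses the request's Host header; pin a fixed hostname if the
    # site is served under one canonical name.
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # PHP extension handling (from existing file): /page -> /page.php when that file exists
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule !.*\.php$ %{REQUEST_FILENAME}.php [QSA,L]
</IfModule>

# Redirect rule (from existing file). Redirect is a mod_alias directive, not mod_rewrite,
# so it gets its own module guard. It prefix-matches the path and, without an explicit
# status, sends a temporary (302) redirect.
<IfModule mod_alias.c>
    Redirect /salesforce/expertise/community_cloud /salesforce/expertise/experience_cloud.php
</IfModule>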

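# Security Headers
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing responses into a different type
    Header always set X-Content-Type-Options "nosniff"

    # HSTS. "preload" is a commitment: once submitted to the preload list every subdomain
    # must serve HTTPS for the whole max-age and removal takes months — confirm before submitting.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

    # Clickjacking, legacy header; frame-ancestors in the CSP below states the same policy
    Header always set X-Frame-Options "SAMEORIGIN"

    # X-XSS-Protection controls a browser auditor that current Chromium-based browsers have
    # removed and Firefox never had; kept for scanner checklists only, it is not an XSS defence.
    Header always set X-XSS-Protection "1; mode=block"

    # Referrer-Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Content Security Policy - Allow necessary resources while maintaining security.
    # 'unsafe-inline' in script-src means injected inline script still executes, so this
    # policy mainly limits which external hosts may be loaded; moving to nonces/hashes needs
    # application changes. base-uri and frame-ancestors do not inherit from default-src and
    # are set explicitly; object-src 'none' closes the plugin vector.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://ajax.googleapis.com https://cdnjs.cloudflare.com https://code.jquery.com https://cdn.jsdelivr.net https://www.googletagmanager.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; img-src 'self' data: https:; connect-src 'self'; font-src 'self' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; frame-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

    # CORS settings (from existing file). A wildcard origin is acceptable here because it is
    # limited to static font/CSS/JS files and no credentials header is set.
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>

    # Cookie hardening - Addresses "Session Cookie Missing 'HttpOnly' Attribute".
    # Each attribute is appended only when the cookie does not already carry it, so cookies
    # PHP already flags via session.cookie_* are not given duplicate attributes, and a cookie
    # the application deliberately sets with another SameSite value keeps it. "Header" edits
    # the success table and "Header always" the always table; which one holds Set-Cookie
    # depends on the SAPI and the response status, so both forms are kept.
    Header edit Set-Cookie (?i)^((?:(?!;\s?HttpOnly).)+)$ "$1; HttpOnly"
    Header edit Set-Cookie (?i)^((?:(?!;\s?Secure).)+)$ "$1; Secure"
    Header edit Set-Cookie (?i)^((?:(?!;\s?SameSite=).)+)$ "$1; SameSite=Strict"
    Header always edit Set-Cookie (?i)^((?:(?!;\s?HttpOnly).)+)$ "$1; HttpOnly"
    Header always edit Set-Cookie (?i)^((?:(?!;\s?Secure).)+)$ "$1; Secure"
    Header always edit Set-Cookie (?i)^((?:(?!;\s?SameSite=).)+)$ "$1; SameSite=Strict"

    # Permissions-Policy to restrict browser features (formerly Feature-Policy)
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>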

# Disable directory browsing. Needs AllowOverride Options (or All) for this directory to be
# honoured from .htaccess; the same directive is repeated further down, which is harmless.
Options -Indexes

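# Protect sensitive files. The alternation keeps the original matching (only .env is anchored
# to the start of the name, so .env.local is covered too) and adds the npm manifests that the
# second copy of this block lists, so both blocks deny the same set.
<FilesMatch "(^\.env|\.gitignore|composer\.(json|lock)|package(-lock)?\.json|php\.ini)">
    # Apache 2.4 authorization syntax; Order/Deny only exist through mod_access_compat and
    # fail with a 500 when it is not loaded, so each form is guarded by its module.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>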

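# Cache control (from existing file)
<IfModule mod_expires.c>
    ExpiresActive On

    # Long-lived caching for static assets. text/html is not listed, so PHP output keeps
    # Apache's default caching behaviour. With a one-year lifetime on CSS/JS, filenames
    # need versioning (or query-string busting) for updates to reach returning visitors.

    # Images
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # Video
    ExpiresByType video/mp4 "access plus 1 year"
    ExpiresByType video/mpeg "access plus 1 year"

    # CSS, JavaScript
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"

    # Fonts
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"

    # Others. The duplicate image/svg+xml entry that used to sit here was dropped (it was
    # already set above); application/x-shockwave-flash is an obsolete type kept only
    # because it is harmless.
    ExpiresByType application/pdf "access plus 1 day"
    ExpiresByType application/x-shockwave-flash "access plus 1 day"
</IfModule>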

# GZIP compression (from existing file)
<IfModule mod_deflate.c>
    # Only static font and SVG files are compressed, selected by extension; dynamic PHP
    # output is untouched. woff/woff2 are already compressed internally, so the filter
    # gains little on them.
    <FilesMatch "\.(ttf|otf|eot|svg|woff2?)$">
        SetOutputFilter DEFLATE
    </FilesMatch>
</IfModule>

# PHP settings (honoured only when PHP 7 runs as the Apache module; the IfModule guard
# skips the block under PHP-FPM or a differently named module)
<IfModule mod_php7.c>
    # Session cookie attributes
    php_flag session.cookie_httponly On
    php_flag session.cookie_secure On
    php_value session.cookie_samesite "Strict"

    # expose_php is PHP_INI_ONLY and cannot be changed from .htaccess, so this line has no
    # effect; set it in php.ini. The X-Powered-By unset via mod_headers further down is
    # what actually removes the version header here.
    php_flag expose_php Off

    # allow_url_fopen / allow_url_include are PHP_INI_SYSTEM in current PHP releases, so
    # these lines are likewise ignored from .htaccess and belong in php.ini.
    php_flag allow_url_fopen Off
    php_flag allow_url_include Off
</IfModule>

# Prevent directory listing. Duplicate of the earlier "Options -Indexes"; harmless, but
# one copy is enough.
Options -Indexes

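# Protect sensitive files. The alternation keeps the original matching (only .env is anchored
# to the start of the name, so .env.local is covered too) and adds php.ini, which the first
# copy of this block lists, so both blocks deny the same set.
<FilesMatch "(^\.env|\.gitignore|composer\.(json|lock)|package(-lock)?\.json|php\.ini)">
    # Apache 2.4 authorization syntax; Order/Deny only exist through mod_access_compat and
    # fail with a 500 when it is not loaded, so each form is guarded by its module.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>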

# Protect against common vulnerabilities
# NOTE(review): this is a query-string signature blacklist. It rejects a few literal patterns
# with a 403, but it is not an XSS or injection defence — only the first condition carries [NC],
# so differently-cased or otherwise encoded variants of the others pass. Real protection has to
# come from output escaping and input validation in the PHP code. RewriteEngine was enabled in
# the mod_rewrite block above; the setting is per-directory, so it still applies here.
<IfModule mod_rewrite.c>
    # <script ...> markers, raw or %-encoded, case-insensitive
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    # attempts to address PHP superglobals through the query string
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # [F] answers 403; the "index.php" substitution is ignored when F is set
    RewriteRule .* index.php [F,L]
</IfModule>

# Remove the X-Powered-By header that PHP adds while expose_php is on - Addresses "Site emits visible browser logs"
# (scanner finding name kept as-is; what this actually does is hide the PHP version, and it is the
# effective fix here because expose_php itself cannot be turned off from .htaccess)
<IfModule mod_headers.c>
    # 2xx and non-2xx responses keep their headers in different tables, hence both forms
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>

# Set default charset. Only added to text/plain and text/html responses; it keeps browsers
# from guessing the encoding of pages whose own Content-Type omits a charset.
AddDefaultCharset UTF-8 