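# PMSC Roto Rooter — Root .htaccess
# Keeps sensitive application folders out of reach of public requests and
# sets a baseline of hardening headers.
# Requirements: Apache 2.4 (the <If> block below uses ap_expr / Require) and
# AllowOverride covering Options, FileInfo, AuthConfig and Limit for this
# directory; a directive that AllowOverride does not permit makes Apache
# answer 500 for everything under it, so test after deployment.

# No directory listings; no version banner on server-generated pages.
Options -Indexes
ServerSignature Off

# Block access to system folders and the bootstrap entry point.
# "^/?" is needed because in .htaccess (directory) context the path handed
# to RedirectMatch may or may not carry a leading slash. Anything under these
# prefixes, nested files included, gets a plain 403.
# RedirectMatch comes from mod_alias; if that module is not loaded the
# unknown directive makes Apache fail closed (500) rather than quietly
# exposing these paths.
RedirectMatch 403 ^/?(\.ht|storage/|database/|app/|config/|cron/|bootstrap\.php).*$

# Default charset for text responses that do not declare one.
AddDefaultCharset UTF-8

# Security headers.
# "always" makes mod_headers attach them to non-2xx responses as well (the
# 403s produced above, 404s, 500s); plain "Header set" only touches
# successful responses, which left error pages without these headers.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Legacy header: current browsers ignore it, and OWASP now recommends
    # the value "0" because the old in-browser filter could be turned
    # against the page. Kept at the original value; revisit with the
    # supported-browser baseline.
    Header always set X-XSS-Protection "1; mode=block"
    # Permissions-Policy (modern browsers)
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

# Compress text responses.
# Compressing dynamic HTML that carries per-request secrets (e.g. CSRF
# tokens) next to attacker-influenced content is the BREACH precondition;
# exclude such pages from DEFLATE if that applies to this application.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>

# Cache static assets.
# "image/jpg" is not a registered MIME type and Apache serves .jpg/.jpeg as
# image/jpeg, so the original rule never matched anything; fixed to
# image/jpeg.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/jpeg "access plus 30 days"
    ExpiresByType image/svg+xml "access plus 30 days"
</IfModule>

# Disable PHP execution in the storage/database folders (where uploads would
# land, if the application accepts any).
# Defense in depth: RedirectMatch above already 403s these prefixes, but this
# block still refuses the files if that rule is removed or mod_alias is
# missing. The extension list is widened to cover versioned handlers
# (php7, php8, ...) and .phps, which some PHP handler configs also map.
# Add an uploads/ prefix here if user uploads are stored elsewhere.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)$">
    <If "%{REQUEST_URI} =~ m#^/(storage|database)/#">
        Require all denied
    </If>
</FilesMatch>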
