Options -Indexes
Options +FollowSymLinks
RewriteEngine On
RewriteBase /

# HTTPS redirect
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# WWW redirect (choose one)
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^(.*)$ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Remove trailing slashes (except root)
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [R=301,L]

# Blog slug routing
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^blog/([a-z0-9\-]+)/?$ /blog/post.php [L,QSA]

# Shop product slug routing
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^shop/([a-z0-9\-]+)/?$ /shop/product.php [L,QSA]

# Clean contact URL
RewriteRule ^contact/?$ /pages/contact.php [L,QSA]
RewriteRule ^about/?$ /pages/about.php [L,QSA]
RewriteRule ^services/?$ /pages/services.php [L,QSA]
RewriteRule ^works/?$ /pages/works.php [L,QSA]
RewriteRule ^team/?$ /pages/team.php [L,QSA]
RewriteRule ^clients/?$ /pages/clients.php [L,QSA]
RewriteRule ^careers/?$ /pages/careers.php [L,QSA]
RewriteRule ^blog/?$ /blog/index.php [L,QSA]
RewriteRule ^shop/?$ /shop/index.php [L,QSA]
RewriteRule ^dashboard/?$ /pages/dashboard.php [L,QSA]
RewriteRule ^our-story/?$ /pages/our-story.php [L,QSA]

# Protect sensitive files
<FilesMatch "\.(env|log|sql|bak|sh|git)$">
  Order allow,deny
  Deny from all
</FilesMatch>

# Protect includes directory
<IfModule mod_rewrite.c>
  RewriteRule ^includes/ - [F,L]
  RewriteRule ^uploads/backups/ - [F,L]
</IfModule>

# Security headers
<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set X-Content-Type-Options "nosniff"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header set X-XSS-Protection "1; mode=block"
</IfModule>

# Compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>

# Browser caching
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpg "access plus 1 month"
  ExpiresByType image/jpeg "access plus 1 month"
  ExpiresByType image/gif "access plus 1 month"
  ExpiresByType image/png "access plus 1 month"
  ExpiresByType image/webp "access plus 1 month"
  ExpiresByType image/svg+xml "access plus 1 month"
  ExpiresByType text/css "access plus 1 week"
  ExpiresByType application/javascript "access plus 1 week"
  ExpiresByType application/x-font-woff "access plus 1 month"
</IfModule>

# PHP settings
<IfModule mod_php7.c>
  php_value upload_max_filesize 10M
  php_value post_max_size 12M
  php_value max_execution_time 60
  php_value memory_limit 128M
  php_flag display_errors Off
  php_flag log_errors On
</IfModule>
<IfModule mod_php8.c>
  php_value upload_max_filesize 10M
  php_value post_max_size 12M
  php_value max_execution_time 60
  php_value memory_limit 128M
  php_flag display_errors Off
  php_flag log_errors On
</IfModule>

# Custom error pages
ErrorDocument 404 /pages/404.php
ErrorDocument 403 /pages/403.php
ErrorDocument 500 /pages/500.php
