# Disable automatic directory listings for this directory tree.
Options -Indexes
# All of the path-blocking rules below are RewriteRules, so they only take
# effect while mod_rewrite is loaded and enabled here.
RewriteEngine On

# Block the installer after completion: answer 403 for install.php.done.
# NOTE(review): presumably the installer is renamed to install.php.done once it
# has run — confirm; install.php itself is not covered by this rule.
RewriteRule ^install\.php\.done$ - [F,L]


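# Block sensitive folders: application code, configuration and data must never
# be fetched over HTTP. [NC] keeps the rules effective on case-insensitive
# filesystems, where a differently-cased URL would otherwise skip the rule and
# still resolve to the same files.
# NOTE(review): only the directories listed here are covered; confirm that no
# other non-public directory lives under this document root.
RewriteRule ^(app|config|database|resources|routes|storage)/ - [F,NC,L]
# Environment files (.env, .env.local, .env.bak, ...) at any depth, not only
# the one sitting next to this .htaccess.
RewriteRule (^|/)\.env - [F,NC,L]
RewriteRule ^php\.ini$ - [F,NC,L]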

# Static files are served directly: a request that maps to an existing file or
# directory is passed through unchanged. This runs after the block rules above,
# so any existing file those rules do not match is reachable by URL.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Everything else → index.php (front controller).
RewriteRule ^ index.php [L]

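<IfModule mod_headers.c>
    # Response-hardening headers. "always" also attaches them to error
    # responses, not only to successful ones.
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; it is not a substitute for output encoding or a
    # Content-Security-Policy.
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # NOTE(review): no Content-Security-Policy or Strict-Transport-Security is
    # set in this file — confirm they are set by the application or the vhost.

    # Remove the PHP version banner. mod_headers keeps two header tables
    # (default and "always"), and which one holds X-Powered-By depends on how
    # PHP is run, so the header is unset in both.
    Header unset X-Powered-By
    Header always unset X-Powered-By
    # NOTE(review): Apache adds the Server header after mod_headers has run, so
    # this line normally has no effect; the banner is reduced with ServerTokens
    # and ServerSignature in the server configuration, not from .htaccess.
    Header always unset Server

    # Long cache for assets: one year, immutable. Only safe when an asset's URL
    # changes whenever its content changes.
    # NOTE(review): the pattern also matches images in upload folders such as
    # /imgs/ — confirm replaced uploads get a new file name.
    <FilesMatch "\.(css|js|webp|jpg|jpeg|png|gif|ico|woff2)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
</IfModule>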

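# Block script execution in upload folders: deny any request under /imgs/ or
# /storage/ whose file name carries a script extension.
#  - (?i) and the "i" regex flag make both matches case-insensitive, so
#    file.PHP is treated like file.php.
#  - php[0-9]? covers php, php3-php5 and later numbered variants; pht, phar
#    and phps are added to the list.
#  - (\.|$) also matches a script extension followed by another extension
#    (name.php.jpg), which mod_mime can still hand to the script handler
#    depending on how that handler is mapped.
# NOTE(review): REQUEST_URI is matched from the site root, so this assumes the
# application is installed at "/" — confirm. A small .htaccess placed inside
# each upload folder does not depend on URL matching and is a sturdier
# complement, as is storing uploads outside the document root.
<FilesMatch "(?i)\.(php[0-9]?|phtml|pht|phar|phps|pl|py|jsp|asp|sh|cgi)(\.|$)">
    <If "%{REQUEST_URI} =~ m|^/imgs/|i">
        Require all denied
    </If>
    # /storage/ is already refused by the rewrite rules earlier in this file;
    # this keeps the protection in place if mod_rewrite is ever disabled.
    <If "%{REQUEST_URI} =~ m|^/storage/|i">
        Require all denied
    </If>
</FilesMatch>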

# Compress HTML, CSS and JavaScript responses when mod_deflate is available.
# NOTE(review): compressing HTML that mixes secrets (e.g. CSRF tokens) with
# request-controlled content is the precondition for BREACH-style compression
# side channels — confirm this is acceptable for the pages served.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css application/javascript
</IfModule>

# PHP limits for uploads and long-running requests. php_value is only
# understood when PHP runs as an Apache module, hence the IfModule guard.
# NOTE(review): "mod_php.c" is the module identifier used by PHP 8; under
# mod_php7 or PHP-FPM/CGI this whole block is silently skipped and the limits
# must be set in php.ini / pool configuration instead — confirm which applies.
# NOTE(review): 55M request bodies, 300 s of execution and 256M of memory per
# request are generous; confirm the upload endpoints are authenticated or
# rate-limited so these limits cannot be used to exhaust the server.
<IfModule mod_php.c>
    php_value upload_max_filesize 50M
    # post_max_size is kept above upload_max_filesize so the other form fields
    # fit alongside a maximum-size file.
    php_value post_max_size       55M
    php_value max_execution_time  300
    php_value memory_limit        256M
</IfModule>
