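# Deny web access to server-side configuration and support files.
# The previous pattern "^\.(htaccess|htpasswd|ini|log|sh|inc|bak)$" only
# matched basenames consisting of nothing but a dot and the extension
# (".ini", ".log", ...), so "config.ini" or "error.log" stayed reachable.
# This pattern covers every ".ht*" file (Apache's own default) plus any file
# ending in one of the listed extensions. FilesMatch tests the basename only,
# so it applies in every directory below this one.
<FilesMatch "(^\.ht|\.(ini|log|sh|inc|bak)$)">
  # Apache 2.4 (mod_authz_core) syntax, with the 2.2 form as the fallback.
  # "Order"/"Deny" alone is an invalid directive on 2.4 without
  # mod_access_compat and would make every request fail with a 500.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>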

# No automatic directory listings: a directory without an index file
# answers 403 instead of exposing its contents.
Options -Indexes

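# Deny direct web requests for config.php. FilesMatch tests the basename
# only, so a file of that name in any directory below this one is covered.
<FilesMatch "^config\.php$">
  # Apache 2.4 syntax first, 2.2 "Order"/"Deny" as the fallback so the file
  # is valid on either version (the 2.2 form alone is an error on 2.4
  # without mod_access_compat and turns every request into a 500).
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>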

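# Deny web access to the database, logs, classes and includes directories.
# <Directory> sections are not permitted in a .htaccess file: Apache rejects
# the whole file and every request below it fails with a 500, so the four
# <Directory> blocks that used to be here never protected anything. The
# check is done on the request URL with mod_alias instead. The pattern
# matches the directory name as a complete path segment anywhere in the
# URL, which keeps it independent of where the application is installed;
# anchor it with "^/" if a nested directory of the same name must stay
# reachable. The mod_rewrite rule further down in this file is an
# independent second guard for the same directories.
<IfModule mod_alias.c>
  RedirectMatch 403 "/(database|logs|classes|includes)(/|$)"
</IfModule>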

# Label text/plain and text/html responses as UTF-8 by default.
AddDefaultCharset UTF-8

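# URL rewriting. Everything in here is skipped silently when mod_rewrite is
# not loaded, so the clean admin URLs and the rewrite-based deny rules
# depend on the module being enabled.
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Redirect to HTTPS
  # Uncomment the following lines to enable HTTPS redirection
  # RewriteCond %{HTTPS} off
  # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # Deny rules come first so no earlier rule can rewrite past them.
  # Application directories that must never be served directly; [NC] also
  # catches case-variant spellings on case-insensitive filesystems.
  RewriteRule ^(config|database|includes|classes|logs)/.* - [F,L,NC]

  # Uploaded files must never run as PHP. "php_flag engine off" cannot be
  # scoped to a subdirectory from this file (that needs a .htaccess inside
  # admin/uploads), so additionally refuse requests for PHP-like filenames
  # there, including double extensions such as "x.php.jpg".
  RewriteRule ^admin/uploads/.+\.ph(p[0-9]?|tml|ar)(\.|$) - [F,L,NC]

  # Admin panel clean URLs: admin -> admin/index.php, admin/foo -> admin/foo.php
  RewriteRule ^admin/?$ admin/index.php [L]
  # Only map names that are not an existing directory, so admin/uploads/
  # is not turned into a request for admin/uploads.php.
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule ^admin/([a-zA-Z0-9_-]+)/?$ admin/$1.php [L]
</IfModule>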

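# PHP settings. These only take effect under mod_php; with PHP-FPM/FastCGI
# the same values have to go into php.ini or the pool configuration.
# PHP 7 registers its Apache module as mod_php7.c and PHP 8 as mod_php.c;
# <IfModule> accepts a single name, so the settings are declared under both
# (the original mod_php7.c-only guard silently did nothing on PHP 8).
<IfModule mod_php7.c>
  # Session cookies: not readable from JavaScript, and no session id via URL.
  php_flag session.cookie_httponly on
  php_flag session.use_only_cookies on
  # Once the HTTPS redirect in the rewrite section is enabled, also set:
  #   php_flag session.cookie_secure on

  # Never render PHP errors into responses.
  php_flag display_errors off
</IfModule>
<IfModule mod_php.c>
  php_flag session.cookie_httponly on
  php_flag session.use_only_cookies on
  #   php_flag session.cookie_secure on   (once HTTPS is enforced)
  php_flag display_errors off
</IfModule>

# <Directory> is not permitted in a .htaccess file (Apache rejects the whole
# file with a 500), so PHP execution cannot be switched off for admin/uploads
# from here. Put a .htaccess file inside admin/uploads containing
# "php_flag engine off" under the same <IfModule> guards as above; a
# mod_rewrite rule refusing PHP-like filenames in that directory is a useful
# second layer but not a substitute.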

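# Security response headers ("always" so they are sent on error responses
# as well, not only on 2xx).
<IfModule mod_headers.c>
  # Allow framing by the same origin only (clickjacking).
  Header always set X-Frame-Options "SAMEORIGIN"

  # The browser XSS auditor is deprecated and its "1; mode=block" setting
  # was itself usable for cross-site information leaks; current guidance
  # (OWASP) is to disable it explicitly and rely on a Content-Security-Policy,
  # which is application-specific and therefore not set in this file.
  Header always set X-XSS-Protection "0"

  # No MIME sniffing of responses.
  Header always set X-Content-Type-Options "nosniff"

  # Send no Referer header to other origins.
  Header always set Referrer-Policy "same-origin"

  # Do not advertise the PHP version (PHP adds this header when expose_php
  # is on, which cannot be changed from a .htaccess file).
  Header unset X-Powered-By

  # Enable together with the HTTPS redirect in the rewrite section; do not
  # send it while the site is still reachable over plain HTTP.
  # Header always set Strict-Transport-Security "max-age=31536000"
</IfModule>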

# Compress text responses on the way out. Compressing HTML that places
# secrets (e.g. CSRF tokens) next to attacker-influenced content is subject
# to compression side channels (BREACH); that is addressed in the
# application, not here.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/plain text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
  AddOutputFilterByType DEFLATE application/json
</IfModule>

# Cache lifetimes for static assets, counted from the time of access.
<IfModule mod_expires.c>
  ExpiresActive On

  # Images: one year. "image/jpg" is not a registered media type (the
  # standard one is image/jpeg); kept in case some handler emits it anyway.
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/jpg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"

  # Stylesheets and scripts: one month.
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
</IfModule>