# ----------------------------------------------------------------------
# Security Enhancements for GeniXCMS
# ----------------------------------------------------------------------

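# 1. Prevent directory listing
#    Without an index file Apache would otherwise enumerate every file in
#    the directory, including stray backups and dumps.
Options -Indexes

# 2. Protect sensitive files
#    The previous pattern anchored every entry with ^...$, so the extension
#    entries (\.ini, \.sql, \.log, ...) only matched a file named literally
#    ".ini", ".sql" etc. -- config.ini or dump.sql were still served as text.
#    The pattern now has two alternatives: exact basenames, and any file
#    carrying a sensitive extension (editor/backup copies such as
#    config.php.bak included, since config.php itself is denied).
<FilesMatch "(^(\.htaccess|\.htpasswd|\.env|composer\.json|composer\.lock|package\.json|package-lock\.json|config\.php)$|\.(ini|phps|db|sql|log|bak|old)$)">
    # Apache 2.4 authorization syntax; the 2.2 form is kept for hosts
    # without mod_authz_core so the deny never silently disappears.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# FilesMatch only sees basenames, so a deployed .git/ directory is not
# covered by the rule above; answer 404 for it (and anything below it).
<IfModule mod_alias.c>
    RedirectMatch 404 /\.git(/|$)
</IfModule>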

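# 3. Protect the include directory (inc) but allow theme/mod/vendor assets
#    The allow-list is expressed on the RewriteRule pattern, which in
#    .htaccess is matched against the path relative to this directory, so
#    it keeps working when the site is installed in a sub-directory (the
#    previous %{REQUEST_URI} conditions were anchored at "/inc/" and would
#    have blocked every asset in that case). [NC] on the rules closes the
#    /INC/... bypass on case-insensitive filesystems.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Never allow-list a path that contains a script anywhere in it:
    # /inc/themes/x/index.php/a.css ends in ".css" but, with AcceptPathInfo
    # permitting it, would execute index.php with PATH_INFO "/a.css".
    # ".pht" also covers .phtml; an asset literally named *.php.js is
    # refused as the safe side of this check.
    RewriteCond %{REQUEST_URI} !\.(php|pht|phar) [NC]
    # Static assets under these three sub-trees are served as-is. [L] ends
    # rule processing for them, which is harmless for static files.
    RewriteRule ^inc/(themes|mod|lib/Vendor)/.*\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|webp)$ - [NC,L]

    # Everything else below inc/ (PHP sources, templates, configs) is 403.
    RewriteRule ^inc/ - [NC,F]
</IfModule>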

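# 4. Security Headers
#    "always" makes each header apply to error responses (403/404/500) as
#    well; the default onsuccess table leaves those unprotected.
<IfModule mod_headers.c>
    # Prevent browsers from sniffing a MIME type other than the declared one
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking: only same-origin pages may frame the site. On current
    # browsers a CSP "frame-ancestors" directive supersedes this header and
    # should be added once the CMS's inline-script needs are known.
    Header always set X-Frame-Options "SAMEORIGIN"

    # The legacy XSS auditor has been removed from current browsers and,
    # where it still exists, the filter itself has been a source of
    # cross-site information leaks; current OWASP guidance is to disable it
    # explicitly rather than enable it.
    Header always set X-XSS-Protection "0"

    # Do not leak full URLs (which may carry tokens) to other origins
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Strip the PHP version banner. The plain form covers mod_php; "always"
    # is needed when PHP runs behind mod_proxy_fcgi.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # Enable only once the site is served exclusively over HTTPS: a wrong
    # value locks browsers out of the http:// origin for max-age seconds.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

# Apache version in error pages. ServerTokens cannot be set in .htaccess,
# but the signature line can be turned off here.
ServerSignature Off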

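# 5. Core Rewrite Rules
#    mod_rewrite in per-directory context needs FollowSymLinks or
#    SymLinksIfOwnerMatch; the latter is the safer of the two (Apache
#    verifies link ownership) at the cost of an extra lstat per path
#    component. If AllowOverride excludes Options this line yields a 500.
Options +SymLinksIfOwnerMatch

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Adjust to "/sub/dir/" when the CMS is installed below the document root
    RewriteBase /

    # Crude query-string blocklist. It only catches the most naive payloads
    # (a literal "<script>" and register_globals-style attempts to overwrite
    # GLOBALS/_REQUEST) and is bypassed by any other encoding; output
    # encoding inside the application is the real XSS control. [NC] is now
    # on every line so lower-case percent-encoding (%3c, %5b) is also caught.
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [NC]
    RewriteRule ^.*$ - [F,L]

    # Front controller: every request that is not an existing file or
    # directory goes to index.php. The target is relative so it follows
    # RewriteBase (the previous "/index.php" was hard-coded to the root).
    # Because existing files are served directly, sections 2 and 3 above
    # are what keeps sources, configs and dumps from being downloaded.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . index.php [L]
</IfModule>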

