# Disable directory browsing
# Needs AllowOverride to permit "Options" for this directory; if it does
# not, Apache refuses the whole .htaccess rather than just this line (the
# same applies to the "Options +FollowSymlinks" in the rewrite section).
Options -Indexes

# ----------------------------------------------------------------------
# Bot Protection & Rate Limiting
# ----------------------------------------------------------------------

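<IfModule mod_rewrite.c>
    RewriteEngine On

    # ------------------------------------------------------------------
    # User-Agent denylist.
    #
    # mod_rewrite groups an [OR] chain with the next non-[OR] condition:
    # the first true [OR] condition skips the remaining [OR] conditions AND
    # that terminating one.  In the original layout the search-engine
    # allowlist was the terminating condition, so it only exempted matches
    # of the generic "bot|crawler|..." list, not of the two lists above it.
    # Putting the allowlist first makes the rule read as intended:
    #   block iff (not allowlisted) AND (list1 OR list2 OR list3).
    #
    # Caveats for the operator:
    #   * User-Agent is client-controlled, so the allowlist is spoofable.
    #     Treat this as a nuisance filter; if crawler identity matters,
    #     verify it out of band (e.g. reverse DNS of the source address).
    #   * The third list also matches generic HTTP clients (curl, wget,
    #     python, java, perl), i.e. legitimate API consumers and monitoring.
    #     Trim it if this path serves an API.
    # ------------------------------------------------------------------
    RewriteCond %{HTTP_USER_AGENT} !(googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot|facebookexternalhit) [NC]
    # SEO / archive crawlers
    RewriteCond %{HTTP_USER_AGENT} (ahrefs|semrush|mj12bot|dotbot|rogerbot|exabot|facebot|ia_archiver) [NC,OR]
    # Security scanners.  The duplicate "sqlmap" and the two-letter token
    # "sf" were dropped: "sf" is unanchored and case-insensitive, so it
    # rejected any User-Agent that merely contained those two letters.
    RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|wikto|bsqlbf|w3af|acunetix|havij|appscan) [NC,OR]
    # Generic automation and scripting clients
    RewriteCond %{HTTP_USER_AGENT} (bot|crawler|spider|scraper|curl|wget|python|java|perl) [NC]
    RewriteRule .* - [F,L]

    # Empty User-Agent (Apache represents a missing header as "-")
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^-$
    RewriteRule .* - [F,L]

    # Query-string patterns.  %{QUERY_STRING} is matched raw, not
    # URL-decoded, so percent-encoded variants of these strings pass straight
    # through.  This is a noise filter, not input validation: the application
    # must still validate and parameterise everything it reads from the
    # query string.
    RewriteCond %{QUERY_STRING} (eval\(|base64_|script\<|GLOBALS|mosConfig) [NC,OR]
    RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
    RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
    RewriteRule .* - [F,L]

    # Sensitive files.  In per-directory context the pattern is matched
    # against the path relative to this directory, so the previous bare "^"
    # anchor only covered the top level; "(^|/)" also catches the same names
    # inside subdirectories (e.g. a vendored package shipping its .git).
    RewriteRule (^|/)\.env - [F,L]
    RewriteRule (^|/)composer\.(json|lock) - [F,L]
    RewriteRule (^|/)\.git - [F,L]
</IfModule>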

# ----------------------------------------------------------------------
# Rewrite engine
# ----------------------------------------------------------------------

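<IfModule mod_rewrite.c>
    Options +FollowSymlinks
    RewriteEngine On

    # The application is mounted below the document root; every relative
    # substitution below is resolved against this prefix.  Update it (and
    # the ErrorDocument fallback further down) if the application moves.
    RewriteBase /certsleads-new/

    # Expose the Authorization header to the application as
    # HTTP_AUTHORIZATION.  Placed before the front-controller rule on
    # purpose: that rule carries [L], which ends the current pass, so the
    # original placement after it depended on mod_rewrite's re-evaluation
    # pass after the internal redirect to reach the [E=...] rule.  Putting
    # it first (the layout the Laravel/CodeIgniter defaults use) removes
    # that dependency.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Strip a trailing slash from paths that are not directories (301).
    # The query string is carried over because the substitution has no "?".
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Canonical host: www.example.com -> example.com.
    # Applies only over plain HTTP and redirects to an http:// URL.  There
    # is no HTTP->HTTPS redirect anywhere in this file, so if the site is
    # served over TLS consider redirecting to https:// here (and dropping
    # the HTTPS condition) once the certificate covers both host names.
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]

    # Front controller: any request that is not an existing file or
    # directory is routed to index.php with the path appended as PATH_INFO
    # and the query string preserved ([QSA]).
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([\s\S]*)$ index.php/$1 [L,NC,QSA]
</IfModule>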

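<IfModule !mod_rewrite.c>
    # Fallback when mod_rewrite is unavailable: send 404s to the front
    # controller.  The target must start with "/" (a web path relative to
    # the document root); Apache treats an argument that is neither a
    # "/"-prefixed path nor a full URL as literal message text, so the
    # previous bare "index.php" only displayed the string "index.php".
    # Uses the same mount point as RewriteBase above.
    ErrorDocument 404 /certsleads-new/index.php
</IfModule>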

# ----------------------------------------------------------------------
# Security Headers
# ----------------------------------------------------------------------

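<IfModule mod_headers.c>
    # "always" applies the header to every response, including 4xx/5xx
    # error pages, which the default (success-only) condition would skip.

    # Clickjacking: only same-origin pages may frame this site.  The modern
    # equivalent is the CSP directive "frame-ancestors 'self'"; keep this
    # header as well if a Content-Security-Policy is introduced.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy XSS filter.  "1; mode=block" is deprecated: current browsers
    # ignore the header, and in the old engines that still honour it the
    # filter itself could be abused to selectively suppress scripts, so the
    # current recommendation (OWASP Secure Headers) is to disable it
    # explicitly.  Actual XSS defence comes from output encoding in the
    # application and a Content-Security-Policy.
    Header always set X-XSS-Protection "0"

    # Stop browsers from sniffing a response into a different MIME type.
    Header always set X-Content-Type-Options "nosniff"

    # Cross-origin navigations get the origin only; same-origin gets the
    # full URL; no referrer at all on a TLS->plain-HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Not set here because both are deployment decisions; review before
    # enabling:
    #   Strict-Transport-Security -- only once the site is HTTPS-only, e.g.
    #     Header always set Strict-Transport-Security "max-age=31536000"
    #   Content-Security-Policy   -- needs an inventory of script/style
    #     sources first; a too-strict policy breaks the site silently.
</IfModule>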

# ----------------------------------------------------------------------
# Browser Caching
# ----------------------------------------------------------------------

<IfModule mod_expires.c>
    # Emits Expires and Cache-Control: max-age per response Content-Type.
    # "access plus ..." counts from the time of the request.  The 1-year
    # and 1-month lifetimes assume static assets are served under versioned
    # or content-hashed filenames; without that, clients keep using stale
    # CSS/JS after a deploy.
    ExpiresActive On

    # Images
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # CSS and JavaScript (shorter: these change most often)
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Fonts.  font/* are the current IANA types; application/font-woff is
    # the legacy type some servers still emit for .woff files.
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"

    # Default for every other type -- including text/html and any JSON the
    # front controller returns.  mod_expires leaves responses alone when the
    # application already sets Expires/Cache-Control, so make sure dynamic
    # and authenticated pages do set their own; otherwise browsers and
    # shared caches may hold them for two days.
    ExpiresDefault "access plus 2 days"
</IfModule>

# Disable server signature
# Removes the version line from Apache-generated error pages.  The "Server"
# response header is controlled by ServerTokens, which is server-config
# only and cannot be set from .htaccess; set "ServerTokens Prod" in the
# main configuration to trim it.
ServerSignature Off
