Options -Indexes
ServerSignature Off

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_METHOD} ^(CONNECT|DEBUG|DELETE|MOVE|PUT|TRACE|TRACK|PATCH) [NC]
    RewriteRule .* - [F,L]
</IfModule>

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP:X-Http-Canary} !^$
    RewriteRule .* - [F,L]
</IfModule>

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP:Via} !^$ [OR]
    RewriteCond %{HTTP:Forwarded} !^$ [OR]
    RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
    RewriteCond %{HTTP:X-Proxy-ID} !^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} (HttpCanary|PacketCapture|NetCapture|Debloater) [NC] [OR]
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} base64_encode [OR]
    RewriteCond %{QUERY_STRING} (SELECT|INSERT|UPDATE|DELETE|UNION|DROP) [NC]
    RewriteRule .* - [F,L]
</IfModule>

Header set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set Content-Security-Policy "default-src 'self'"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Pragma "no-cache"
Header always set Expires "0"

<FilesMatch "^(\.env|\.git|\.htaccess|\.htpasswd|main\.php|composer\.json|php\.ini|.*\.sql|.*\.log)$">
    Require all denied
</FilesMatch>

RemoveHandler .cgi .pl .py .asp .jsp .bash .sh .shtml .exe
RemoveType .cgi .pl .py .asp .jsp .bash .sh .shtml .exe

<FilesMatch "\.(jpg|jpeg|png|gif|webp|pdf|doc|docx|xls|xlsx|csv|zip)$">
    SetHandler None
</FilesMatch>

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps)$">
    SetHandler application/x-httpd-php
</FilesMatch>
