# Turn off automatic directory listings and CGI script execution for this
# directory tree. Both flags are relative (-), so every other inherited option
# stays as the server config set it.
# Requires AllowOverride to permit Options in .htaccess.
# -ExecCGI governs CGI scripts only; it does not stop PHP handled by mod_php
# or a FastCGI proxy from running.
Options -Indexes -ExecCGI

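# Force HTTPS (currently disabled: the three directives below are commented
# out, so this file does not redirect plain-HTTP requests to HTTPS)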
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

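# Deny direct HTTP access to sensitive files (environment files, PHP config,
# database schema).
# The pattern is unanchored, so it matches any file name that CONTAINS one of
# these strings (for example .env.local or config.php.bak are also denied).
# This only blocks web requests; keeping such files outside the document root
# remains the stronger control.
<FilesMatch "(\.env|\.env\.example|config\.php|schema\.sql)">
    # Apache 2.4+: native authorization syntax (needs AllowOverride AuthConfig).
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax (needs AllowOverride Limit). On 2.4 these
    # directives exist only when mod_access_compat is loaded; using them
    # unconditionally makes every request fail with a 500 when it is not.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>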

# Security-related HTTP response headers. They are set by Apache (mod_headers),
# not by PHP, so they apply to static files as well.
# NOTE(review): if mod_headers is not loaded this whole section is skipped
# silently and no header below is sent; verify on the deployed server.
# NOTE(review): this file sets neither Content-Security-Policy nor
# Strict-Transport-Security; confirm whether they are set elsewhere.
<IfModule mod_headers.c>
    # "always" also attaches the header to error responses (4xx/5xx).
    # Allow framing only by pages of the same origin (clickjacking defence).
    Header always set X-Frame-Options SAMEORIGIN
    # Tell browsers not to MIME-sniff responses away from the declared type.
    Header always set X-Content-Type-Options nosniff
    # Legacy XSS-filter header; current browsers have removed the filter and
    # ignore it, so it is not a substitute for output encoding or a CSP.
    Header always set X-XSS-Protection "1; mode=block"
    # Send the full URL as referrer on same-origin requests, only the origin on
    # cross-origin requests, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Disable geolocation, camera and microphone for this page and its frames.
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=()"
</IfModule>

# Browser caching for static assets. mod_expires emits Expires and
# Cache-Control: max-age for the listed MIME types; responses of any other type
# (HTML, PHP output) get no caching header from this section.
# The section is skipped silently when mod_expires is not loaded.
<IfModule mod_expires.c>
    ExpiresActive On
    # "access plus 1 month" counts from the time of the client's request.
    ExpiresByType text/css            "access plus 1 month"
    # NOTE(review): JavaScript served as text/javascript is not covered by this
    # rule; confirm which MIME type the server sends for .js files.
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png           "access plus 1 month"
    ExpiresByType image/jpeg          "access plus 1 month"
</IfModule>

# PHP upload and resource limits.
# php_value is provided by the PHP Apache module (mod_php) and needs
# AllowOverride Options or All. Under PHP-FPM or CGI Apache does not know the
# directive and answers every request with a 500; there the same limits belong
# in php.ini, .user.ini or the FPM pool configuration.
# These settings bound request size and resource use only; they do not check
# the type or content of uploaded files.
# Maximum size of a single uploaded file.
php_value upload_max_filesize 10M
# Maximum size of the whole POST body; kept above upload_max_filesize so one
# file plus the other form fields fits.
php_value post_max_size 15M
# Maximum script run time, in seconds.
php_value max_execution_time 60
# Maximum memory a single script may allocate.
php_value memory_limit 128M
