RewriteEngine On

## Never list directory contents. Typing /public/static/ used to show a file
## listing; now Apache returns 403 for any directory-browse attempt.
Options -Indexes

## Preserve the Authorization header for API bearer-token auth.
## Apache + mod_fcgid/PHP strip it by default; this puts it back into $_SERVER.
<IfModule mod_setenvif.c>
    SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>

## Single front controller.
##
## Static folder was renamed public/assets/ → public/static/ to avoid a
## Windows case-insensitive collision with the /Assets controller URL,
## which used to 403 because Apache resolved /Assets to the real /assets/
## folder and then Options -Indexes forbade directory listing.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.+)$ index.php/$1 [L,QSA]

<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
    Header always unset X-Powered-By
</IfModule>

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg          "access plus 1 year"
    ExpiresByType image/jpeg         "access plus 1 year"
    ExpiresByType image/png          "access plus 1 year"
    ExpiresByType image/gif          "access plus 1 year"
    ExpiresByType image/svg+xml      "access plus 1 month"
    ExpiresByType image/x-icon       "access plus 1 year"
    ExpiresByType font/woff2         "access plus 1 year"
    ExpiresByType text/css           "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/html          "access plus 0 seconds"
</IfModule>

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
