# ====================================================================
# Brand Gori - Professional Security & Optimization Routing Layer
# Production Ready Configuration
# ====================================================================

# 1. Basic Server Configurations & Encoding
AddDefaultCharset UTF-8

# 2. Prevent Directory Listings (Crucial for confidentiality)
Options -Indexes

# 3. Protect Critical Core Files (Prevent credential/schema harvesting)
<FilesMatch "^(db\.php|setup\.sql|\.htaccess)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# 4. Global Enterprise Enterprise Security Headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Content-Security-Policy "default-src 'self' https:; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;"
</IfModule>

# 5. URL Rewriting Engine Architecture Configuration
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Optional Canonical Rule: Redirect WWW to Non-WWW (Clean Webflow Style URLs)
    # Uncomment the two lines below to enforce this rule globally.
    # RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    # RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

    # Elegant Multi-View Routing Layer: Strip trailing extensions from client browsers
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^([^/]+)$ $1.php [L]
</IfModule>

# 6. Anti-Execution Sandbox for Upload Repositories
# Place a separate simple .htaccess file inside /uploads directory with 'Options -ExecCGI' 
# and 'AddHandler cgi-script .php .php5 .pl .py' to fully terminate uploaded scripts.