RewriteEngine On

# 0. Security headers
# "always" makes Apache attach these to every response, including the
# 403/404 error responses produced by the rules further down.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# HSTS is only emitted when the HTTPS environment variable is set, i.e. when
# TLS is terminated by mod_ssl on this server.
# NOTE(review): behind a TLS-terminating reverse proxy that variable is not
# set and this header is silently never sent -- confirm against the deployment.
# No "preload" token is set; add it only once the whole domain (and every
# subdomain, because of includeSubDomains) is committed to HTTPS, as it is
# hard to undo.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

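# 1. Force HTTPS (skips local development hosts)
# Only redirect when the request is not for localhost / 127.0.0.1 / [::1].
# The previous "=localhost" comparison was an exact string match and therefore
# did redirect hosts that carry a port ("localhost:8080"); the regex below
# accepts an optional ":port" and the IPv6 loopback literal. [NC] ignores case.
RewriteCond %{HTTP_HOST} !^(localhost|127\.0\.0\.1|\[::1\])(:[0-9]+)?$ [NC]
# Do not redirect when no Host header was sent at all; the target would
# otherwise be the broken "https:///<path>".
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTPS} off
# NOTE(review): %{HTTP_HOST} is client-supplied. If this vhost is the default /
# catch-all vhost, a forged Host header makes this an open redirect to an
# attacker-chosen host; pin the target to the canonical hostname instead
# (e.g. https://www.example.com%{REQUEST_URI}) in that case.
# NOTE(review): behind a TLS-terminating reverse proxy %{HTTPS} is "off" on
# every request and this rule loops; the proxy's X-Forwarded-Proto header
# (trusted only from the proxy itself) would have to be checked instead.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]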

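# 2. Protect sensitive directories
# Prefix match on the path relative to this directory: any request whose first
# path segment STARTS with one of these names is refused with 403. Note that
# this is deliberately broad -- it also catches files such as "data.json",
# "configure.php" or "_draft.html" in the top level. If that is not wanted,
# anchor the names to a path boundary: ^(includes|config|vendor|data)(/|$).
# Nested copies (e.g. "foo/config/") are NOT covered; per-directory rules only
# see the top-level segment here.
# [NC] closes the bypass on case-insensitive filesystems ("/Config/db.php").
RewriteRule ^(_|includes|config|vendor|data) - [NC,F,L]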

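# 3. Deny access to critical file types
# (?i) makes the suffix match case-insensitive so ".SQL", ".Bak" or ".ENV"
# do not slip through on case-insensitive filesystems or via sloppy uploads.
# Added to the original list: editor/backup leftovers (.old, .orig, .swp) and
# on-disk data stores (.sqlite, .db).
<FilesMatch "(?i)\.(bak|old|orig|swp|config|sql|sqlite|db|ini|log|sh|env)$">
    Require all denied
</FilesMatch>
# Dotfiles: ".env.local", ".git*", ".htpasswd" and similar are not matched by
# the suffix list above, so deny every file whose name starts with a dot.
# (Files inside ".well-known/" are unaffected: the match is on the file name,
# not on the directory.)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>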

# 4. Disable directory listings
# Without an index file Apache would otherwise render the directory contents,
# exposing file names (backups, uploads) to anyone who guesses a path.
# Requires "AllowOverride Options" (or All) in the server configuration.
Options -Indexes
