# Swaplet v1 — Apache hardening (lives inside /swapletv1/)
# This is a per-directory override file: its rules take effect only where the
# server configuration permits them through AllowOverride. With
# "AllowOverride None" Apache ignores the file entirely and none of the
# protections below apply, so verify after deployment that a denied path
# (for example a request for config.php) really returns 403.
# Serve index.php when a directory is requested.
DirectoryIndex index.php
# Never generate an automatic listing for a directory without an index file.
Options -Indexes

# Force HTTPS (proxy-aware). For local HTTP testing, comment out the whole
# <IfModule mod_rewrite.c> block below.
# The redirect fires only when the connection itself is not TLS AND the
# X-Forwarded-Proto request header does not contain "https".
# NOTE(review): X-Forwarded-Proto is an ordinary request header. It is only
# trustworthy when every request arrives through a proxy that sets or
# overwrites it; if this server is also reachable directly, a client can send
# the header itself and be served over plain HTTP. Confirm the deployment.
# NOTE(review): because of the <IfModule> guard, a server without mod_rewrite
# skips this block silently and keeps answering over HTTP. A redirect also
# cannot protect the first plaintext request; a Strict-Transport-Security
# header on HTTPS responses is the usual complement.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
# The redirect target's host comes from the request's Host header; 301 is a
# permanent redirect that browsers may cache.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

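# Block sensitive file types and config.
# <FilesMatch> tests the file's base name. The (?i) prefix makes the match
# case-insensitive, so names such as DUMP.SQL or Config.PHP are refused too.
# Editor and backup leftovers (.old, .orig, .swp, trailing "~") are included
# because a copy such as config.php~ is typically not handled by PHP and would
# be returned as plain source text.
# "Require all denied" is Apache 2.4 syntax (mod_authz_core).
<FilesMatch "(?i)(\.(sql|md|lock|sh|ini|log|bak|inc|old|orig|swp)|~)$">
  Require all denied
</FilesMatch>
# Exact file names that must never be served, whatever their extension rules say.
<FilesMatch "(?i)^(config\.php|config\.sample\.php|\.env|VERSION|composer\.(json|lock))$">
  Require all denied
</FilesMatch>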
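# Block dotfiles except .well-known
# <FilesMatch> tests only the final file name, so on its own it does not cover
# ordinary files that sit inside a dot-directory (for example a version-control
# metadata folder deployed along with the code). The lookahead is anchored so
# that only the exact name ".well-known" is exempt.
<FilesMatch "^\.(?!well-known$)">
  Require all denied
</FilesMatch>
# Refuse any URL that has a path segment starting with ".", other than
# .well-known/ (used for ACME challenges and other well-known URIs).
RedirectMatch 403 "/\.(?!well-known(?:/|$))"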

# Deny engine folders outright
# Answers 403 for any URL containing a path segment named exactly config,
# includes, private or cron, at any depth below the site root.
# NOTE(review): the match is made on the URL and is case-sensitive; on a
# case-insensitive filesystem a differently-cased URL may still reach these
# folders. Confirm for the target host. Keeping the folders outside the
# document root, or giving each its own "Require all denied", does not depend
# on URL matching.
RedirectMatch 403 ^.*/(config|includes|private|cron)(/|$)

# Baseline browser-hardening headers; skipped silently if mod_headers is absent.
<IfModule mod_headers.c>
  # Stop browsers from MIME-sniffing a response into a different content type.
  Header set X-Content-Type-Options "nosniff"
  # Allow framing by same-origin pages only (clickjacking defence).
  Header set X-Frame-Options "SAMEORIGIN"
  # Cross-origin requests receive only the origin, not the path or query string.
  Header set Referrer-Policy "strict-origin-when-cross-origin"
  # NOTE(review): without the "always" condition these headers are generally
  # not added to server-generated error responses, such as the 403s produced
  # by the deny rules in this file. No Content-Security-Policy or
  # Strict-Transport-Security header is set here; confirm they are sent
  # elsewhere if the application relies on them.
</IfModule>
# Client-side caching for static assets; applies only when mod_expires is loaded.
# Only the four MIME types listed get an expiry; other responses (including
# HTML) are not given one by this block.
<IfModule mod_expires.c>
  ExpiresActive On
  # Lifetimes are counted from the time of the client's request ("access").
  ExpiresByType text/css "access plus 7 days"
  ExpiresByType application/javascript "access plus 7 days"
  ExpiresByType image/svg+xml "access plus 30 days"
  ExpiresByType image/png "access plus 30 days"
</IfModule>
# Compress text responses; applies only when mod_deflate is loaded.
# NOTE(review): text/html is compressed. If HTML pages served over TLS contain
# both a secret (for example a CSRF token) and attacker-influenced input,
# response compression can leak the secret through response-size differences
# (BREACH). Confirm whether that applies to this application.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css application/javascript image/svg+xml
</IfModule>
# Request-size limits for uploads: 8M per uploaded file, 10M per POST body.
# NOTE(review): php_value is honoured only when PHP runs as an Apache module,
# and mod_php.c is the identifier used by PHP 8 (PHP 7 registers as mod_php7.c).
# Under PHP-FPM/CGI or PHP 7 this block is skipped without any error and the
# limits from the server's php.ini apply instead. Confirm the effective
# values on the target host.
<IfModule mod_php.c>
  php_value upload_max_filesize 8M
  php_value post_max_size 10M
</IfModule>
