# Security Rules for UK Data Services

# Protect sensitive files and configs
<FilesMatch "^\.(.*)$|\.log$|\.sql$|\.conf$|config\.php$|\.email-config\.php$|\.htaccess|\.htpasswd|\.ini|\.sh|\.inc|\.bak$">
    Require all denied
</FilesMatch>

# Protect contact handlers from direct browser access (POST only)
<Files "contact-handler.php">
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</Files>

<Files "quote-handler.php">
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</Files>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Basic compression (if mod_deflate is available)
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
</IfModule>

# Disable directory browsing
Options -Indexes

# Prevent access to logs and database directories
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^logs(/.*)?$ - [F,L]
    RewriteRule ^database(/.*)?$ - [F,L]
    RewriteRule ^\.git(/.*)?$ - [F,L]
    RewriteRule ^docker(/.*)?$ - [F,L]
</IfModule>

# Disable server signature
ServerSignature Off