ukaiautomation/.htaccess

# Security Rules for UK Data Services

# Protect sensitive files and configs
<FilesMatch "^\.(.*)$|\.log$|\.sql$|\.conf$|config\.php$|\.email-config\.php$|\.htaccess|\.htpasswd|\.ini|\.sh|\.inc|\.bak$">
    Require all denied
</FilesMatch>

# Protect contact handlers from direct browser access (POST only)
<Files "contact-handler.php">
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</Files>

<Files "quote-handler.php">
    <LimitExcept POST>
        Require all denied
    </LimitExcept>
</Files>

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Enhanced Gzip compression
<IfModule mod_deflate.c>
    # Enable compression for all text-based files
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/json application/ld+json
    AddOutputFilterByType DEFLATE image/svg+xml
    AddOutputFilterByType DEFLATE font/ttf font/otf font/eot font/woff font/woff2
    
    # Remove browser bugs for older browsers
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    Header append Vary User-Agent
</IfModule>

# Enable Brotli compression if available
<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript
    AddOutputFilterByType BROTLI_COMPRESS application/javascript application/x-javascript
    AddOutputFilterByType BROTLI_COMPRESS application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType BROTLI_COMPRESS application/json application/ld+json
    AddOutputFilterByType BROTLI_COMPRESS image/svg+xml
    AddOutputFilterByType BROTLI_COMPRESS font/ttf font/otf font/woff font/woff2
</IfModule>

# Browser Caching Headers
<IfModule mod_expires.c>
    ExpiresActive On
    
    # Images - 1 year
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/ico "access plus 1 year"
    
    # Fonts - 1 year
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    
    # CSS and JavaScript - 1 month
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/x-javascript "access plus 1 month"
    
    # HTML and PHP - 1 hour
    ExpiresByType text/html "access plus 1 hour"
    ExpiresByType application/xhtml+xml "access plus 1 hour"
    
    # Data - no cache
    ExpiresByType application/json "access plus 0 seconds"
    ExpiresByType application/xml "access plus 0 seconds"
    ExpiresByType text/xml "access plus 0 seconds"
    
    # Default - 1 week
    ExpiresDefault "access plus 1 week"
</IfModule>

# Cache-Control Headers
<IfModule mod_headers.c>
    # Static assets - 1 year
    <FilesMatch "\.(jpg|jpeg|png|gif|webp|svg|ico|woff|woff2|ttf|otf|eot)$">
        Header set Cache-Control "max-age=31536000, public, immutable"
    </FilesMatch>
    
    # CSS and JS - 1 month
    <FilesMatch "\.(css|js)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    
    # HTML/PHP - 1 hour
    <FilesMatch "\.(html|php)$">
        Header set Cache-Control "max-age=3600, public, must-revalidate"
    </FilesMatch>
    
    # Keep-alive
    Header set Connection keep-alive
</IfModule>

# HTTP/2 Server Push
<IfModule mod_http2.c>
    # Push critical resources
    <FilesMatch "index\.php">
        Header add Link "</assets/css/main.min.css>; rel=preload; as=style"
        Header add Link "</assets/images/ukds-main-logo.webp>; rel=preload; as=image"
        Header add Link "</assets/js/main.min.js>; rel=preload; as=script"
    </FilesMatch>
</IfModule>

# ETags
FileETag None
Header unset ETag

# Disable directory browsing
Options -Indexes

# Prevent access to logs and database directories
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Redirect old /services paths to /project-types
    RewriteRule ^services/?$ /project-types [R=301,L]
    RewriteRule ^services/data-cleaning\.php$ /project-types [R=301,L]
    RewriteRule ^services/data-cleaning$ /project-types [R=301,L]
    RewriteRule ^services/(.*)$ /project-types [R=301,L]

    # Clean URL rewriting - remove .php extension
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME}.php -f
    RewriteRule ^(.+?)/?$ $1.php [L]
    
    # Security rules
    RewriteRule ^logs(/.*)?$ - [F,L]
    RewriteRule ^database(/.*)?$ - [F,L]
    RewriteRule ^\.git(/.*)?$ - [F,L]
    RewriteRule ^docker(/.*)?$ - [F,L]
</IfModule>

# Disable server signature
ServerSignature Off