# OPTIONAL ROOT .htaccess hardening for https://sowlov.com
# Copy these rules into the TOP of your main public_html/.htaccess, then test the site over
# http:// and https://, with and without www, and check a protected file (e.g. /composer.json) returns 403.
# If your existing Sngine .htaccess already has a RewriteEngine On block, merge the RewriteCond/RewriteRule
# lines into it instead of adding a second block, and keep them ahead of Sngine's own rewrites
# so the redirect fires before any internal URL is rewritten.

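<IfModule mod_rewrite.c>
  RewriteEngine On

  # Refuse any request whose path walks into a version-control directory
  # (.git/, .svn/, .hg/). <FilesMatch> below only sees file names, so a
  # directory-level block has to be done here. Returns 403.
  RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F,L]

  # Force HTTPS and one canonical host in a single hop (http://www -> https://apex
  # is one 301 instead of two). The redirect target is the literal host rather
  # than %{HTTP_HOST}, so a forged Host header can never be reflected into the
  # Location header (relevant if this vhost is the server's default vhost).
  # [NE] keeps %{REQUEST_URI} from being re-escaped in the target (%20 -> %2520).
  #
  # If TLS is terminated by a proxy/CDN in front of Apache, %{HTTPS} is never
  # "on" and this would loop; in that setup test a proxy-set header instead, e.g.
  #   RewriteCond %{HTTP:X-Forwarded-Proto} !https
  # but only if the proxy is trusted to overwrite that header on every request.
  #
  # To prefer www.sowlov.com, change the host in both the RewriteCond and the RewriteRule.
  RewriteCond %{HTTPS} !=on [OR]
  RewriteCond %{HTTP_HOST} !^sowlov\.com$ [NC]
  RewriteRule ^ https://sowlov.com%{REQUEST_URI} [L,R=301,NE]
</IfModule>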

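<IfModule mod_headers.c>
  # HSTS only on TLS responses: env=HTTPS is set by mod_ssl, so behind a proxy
  # that terminates TLS this header is never sent and needs a different condition.
  # includeSubDomains pins EVERY subdomain to HTTPS for a year — confirm they all
  # serve valid certificates before deploying. "preload" is deliberately omitted;
  # it is hard to undo.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

  # Stop browsers MIME-sniffing responses away from the declared Content-Type.
  Header always set X-Content-Type-Options "nosniff"

  # Clickjacking protection: X-Frame-Options for older browsers, and the
  # frame-ancestors directive in the CSP below for modern ones. Keep them in agreement.
  Header always set X-Frame-Options "SAMEORIGIN"

  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(self), payment=(self)"

  # Deliberately minimal CSP: upgrade-insecure-requests fixes mixed content and
  # frame-ancestors mirrors X-Frame-Options. This is NOT an XSS defence — a
  # script-src allow-list would first require an audit of Sngine's inline
  # scripts and third-party embeds; do not add one blind.
  Header always set Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'"

  # Drop PHP's version banner. Belt-and-braces only: the authoritative fix is
  # expose_php = Off in php.ini, which also covers responses that bypass mod_headers.
  Header unset X-Powered-By
</IfModule>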

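# Block common sensitive files from direct browser access.
# The pattern is anchored at both ends so every alternative is a whole-filename
# match. The earlier form "(^\.|...)$" put the $ right after ^\. and so matched
# only a file literally named "." — dotfiles such as .gitignore, .npmrc or
# .DS_Store were still served. (?i) also catches upper-case variants
# (dump.SQL, site.BAK) on case-sensitive filesystems.
# Note: <FilesMatch> inspects file names only; directories (e.g. .git/) must be
# blocked with a RewriteRule or at the vhost level.
<FilesMatch "(?i)^(\..*|composer\.(json|lock)|package(-lock)?\.json|yarn\.lock|.*\.env|.*\.(sql|bak|old|log|ini|yml|yaml))$">
  <IfModule mod_authz_core.c>
    # Apache 2.4+
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 fallback (mod_access_compat syntax)
    Deny from all
  </IfModule>
</FilesMatch>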
