# ── Security ──────────────────────────────────────────────────────────────────
# Turn off auto-generated directory listings so a directory without an index
# file does not reveal its contents.
# NOTE(review): "Options" in .htaccess is only honoured when the server config
# grants it through AllowOverride — confirm for this vhost.
Options -Indexes

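# Block access to sensitive files (SQL dumps, logs, env files, backups, shell
# scripts, markdown docs, .gitignore). The pattern is tested against the file
# name, so dotfiles such as ".env" match as well as "dump.sql".
# NOTE(review): the match is case-sensitive and does not cover a .git/
# directory or editor leftovers (*.swp, *~) — confirm none of those are
# deployed under the document root.
<FilesMatch "\.(sql|log|env|bak|old|sh|md|gitignore)$">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax. On 2.4 these directives exist only when
    # mod_access_compat is loaded, so they are kept out of the 2.4 path.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>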

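# Block direct HTTP access to config.php. <Files> matches on the file name, so
# this applies to every config.php in this directory and below. PHP include/
# require reads the file from disk and is not affected by this rule.
<Files "config.php">
    # Apache 2.4+: native authorization syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: legacy syntax. On 2.4 these directives exist only when
    # mod_access_compat is loaded, so they are kept out of the 2.4 path.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>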

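# ── PHP Settings (mod_php only — safe to have, ignored on PHP-FPM) ────────────
# <IfModule> is keyed on the module's source-file name. PHP 8 registers its
# Apache handler as mod_php.c (there is no mod_php8.c); PHP 7 uses mod_php7.c.
# Under PHP-FPM neither section applies, so display_errors and the upload
# limits then have to be set in php.ini, the pool config or .user.ini.
<IfModule mod_php.c>
    # Keep error text (paths, queries, stack traces) out of HTTP responses.
    php_flag display_errors Off
    # post_max_size stays above upload_max_filesize to leave room for the
    # other fields of a multipart form.
    php_value upload_max_filesize 20M
    php_value post_max_size 22M
    # Seconds a script may run before PHP aborts it.
    php_value max_execution_time 120
</IfModule>
<IfModule mod_php7.c>
    # Same settings for PHP 7 under mod_php.
    php_flag display_errors Off
    php_value upload_max_filesize 20M
    php_value post_max_size 22M
    php_value max_execution_time 120
</IfModule>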

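# ── Cache Static Assets ───────────────────────────────────────────────────────
# Sends Expires / Cache-Control max-age headers per MIME type, counted from the
# time of the request ("access"). Images are cached for a month, CSS and
# JavaScript for a week.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/gif  "access plus 1 month"
    ExpiresByType text/css   "access plus 1 week"
    # Depending on the server's mime.types, .js is served as either of these
    # two types; list both so the rule applies in either case (the compression
    # section of this file already names both).
    ExpiresByType text/javascript        "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
</IfModule>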

# ── Compression ───────────────────────────────────────────────────────────────
# Compress text responses when mod_deflate is available; one MIME type per line.
# NOTE(review): compressing dynamic HTML that carries both a secret (e.g. a
# CSRF token) and request-reflected text is the precondition for BREACH-style
# length side channels over TLS — confirm whether any page served from here
# fits that description.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE text/plain
</IfModule>
