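# -------------------------------------------------------
# Enable Rewrite Engine
# -------------------------------------------------------
RewriteEngine On

# -------------------------------------------------------
# Redirect /index and /index.php to the site root
# -------------------------------------------------------
# The condition tests THE_REQUEST (the raw request line), so the redirect only
# fires when the client itself asked for /index or /index.php. Matching the
# rewritten path alone can also catch the internal DirectoryIndex lookup for
# "/" and end in a redirect loop.
# The dot is escaped so that only a literal ".php" suffix matches.
RewriteCond %{THE_REQUEST} \s/+index(\.php)?[\s?]
RewriteRule ^index(\.php)?$ https://www.progresskingdom.com/ [R=301,L]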

# -------------------------------------------------------
# Fix incorrect URLs that contain the server path
# -------------------------------------------------------
# Catches request paths that begin with the account's filesystem path and
# redirects them to the same path under the site root; %1 is whatever was
# captured after "public_html/". [NC] makes the match case-insensitive.
# NOTE(review): URLs of this shape are typically produced by a per-directory
# redirect whose target has no leading slash while no RewriteBase is set.
# Check the other redirect rules in this file for a relative target: such a
# redirect puts the server's directory layout into the Location header, and
# this rule only cleans up afterwards.
RewriteCond %{REQUEST_URI} ^/home/progresskingdom/public_html/(.*)$ [NC]
RewriteRule ^ https://www.progresskingdom.com/%1 [R=301,L]

# -------------------------------------------------------
# Force HTTPS + Force www
# -------------------------------------------------------

# Redirect when the request did not arrive over TLS, OR when the Host header
# is anything other than www.progresskingdom.com (case-insensitive). The target
# is always the https://www origin followed by the original path ($1).
# NOTE(review): %{HTTPS} reflects the connection Apache itself sees. If TLS is
# terminated by a proxy or CDN in front of this server, it stays "off" and this
# rule would redirect forever — confirm how TLS is terminated.
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www\.progresskingdom\.com$ [NC]
RewriteRule ^(.*)$ https://www.progresskingdom.com/$1 [L,R=301]


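# -------------------------------------------------------
# Remove .php extension
# -------------------------------------------------------
# Redirect .php URLs to clean URLs.
# - The capture excludes "?" and whitespace, so it covers the path only. A
#   ".php" that appears inside the query string no longer triggers the
#   redirect or ends up in the captured path.
# - The target begins with "/" so it is treated as a URL path. In .htaccess a
#   relative target gets the directory's filesystem path prepended when no
#   RewriteBase is set, which sends the server path to the client in the
#   Location header.
RewriteCond %{THE_REQUEST} \s/+([^\s?]+)\.php[\s?]
RewriteRule ^ /%1 [R=301,L]

# Internally rewrite clean URLs to .php files. The condition only passes when
# "<requested file>.php" exists on disk, so other paths are left untouched.
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ $1.php [L]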

# -------------------------------------------------------
# Custom Error Pages
# -------------------------------------------------------
# Each target is a local URL path, so Apache serves the page internally and
# the client still receives the original error status code.
# NOTE(review): these pages are PHP scripts; confirm they do not echo request
# data (path, query string, headers) back into the response unescaped.
ErrorDocument 404 /404.php
ErrorDocument 403 /403.php
ErrorDocument 500 /500.php

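# -------------------------------------------------------
# Caching
# -------------------------------------------------------
# mod_expires derives Expires / Cache-Control: max-age from the response's
# MIME type, counted from the time of the client's access.
<IfModule mod_expires.c>
  ExpiresActive On

  # Images
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"

  # Fonts
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType application/font-woff2 "access plus 1 year"

  # CSS & JS
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
</IfModule>


# "Header set Cache-Control" replaces the Cache-Control value for the matched
# files, so the lifetimes here have to agree with the mod_expires rules above.
# Previously one pattern gave CSS and JS a one-year "immutable" lifetime,
# contradicting the one-month rule.
<IfModule mod_headers.c>
  # Images and fonts: one year, never revalidated.
  <FilesMatch "\.(jpg|jpeg|png|gif|webp|svg|woff2)$">
     Header set Cache-Control "public, max-age=31536000, immutable"
  </FilesMatch>

  # CSS & JS: one month (2592000 seconds). Not marked immutable, because an
  # unversioned stylesheet or script that is cached as immutable cannot be
  # replaced on clients when a fix is deployed.
  <FilesMatch "\.(css|js)$">
     Header set Cache-Control "public, max-age=2592000"
  </FilesMatch>
</IfModule>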

# -------------------------------------------------------
# Gzip Compression
# -------------------------------------------------------
# Applied only when mod_deflate is loaded; responses are compressed by MIME type.
# NOTE(review): compressing HTML/JSON responses that carry a secret (for
# example a CSRF token) next to request-reflected data is the precondition for
# compression side channels such as BREACH. Confirm whether any dynamic page
# here does that.
<IfModule mod_deflate.c>
    # Markup and plain text
    AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml
    # Stylesheets, scripts and JSON
    AddOutputFilterByType DEFLATE text/css application/javascript application/json
    # SVG (XML-based image format)
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>

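# -------------------------------------------------------
# ADVANCED SECURITY HEADERS
# -------------------------------------------------------
# Every header uses "always". Without it, mod_headers adds the header only to
# its default (onsuccess) table, which is not sent with error responses such
# as the 403/404/500 pages. Those pages would then be served without framing,
# sniffing and CSP protection.
<IfModule mod_headers.c>
    # Allow framing by this origin only (overlaps with CSP frame-ancestors below).
    Header always set X-Frame-Options "SAMEORIGIN"

    # NOTE(review): the XSS auditor this header controlled has been removed
    # from current browsers; present-day hardening guidance is to send "0" or
    # drop the header and rely on CSP. Value left as the author set it.
    Header always set X-XSS-Protection "1; mode=block"

    # Stop browsers from guessing a content type other than the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # NOTE(review): this policy sends the full URL (path and query) to other
    # HTTPS origins. "strict-origin-when-cross-origin" sends only the origin
    # cross-site — consider it if URLs can carry tokens or identifiers.
    Header always set Referrer-Policy "no-referrer-when-downgrade"

    # HSTS is emitted only when the HTTPS environment variable is set, i.e. on
    # TLS responses; it does not cover subdomains (no includeSubDomains).
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS

    # Deny these browser features to the page and to any embedded frame.
    Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=()"

    # Cross-origin isolation.
    # NOTE(review): COEP "require-corp" makes the browser block cross-origin
    # subresources that do not opt in via CORP or CORS, while the CSP below
    # allows loading from any https: origin. Confirm that third-party assets
    # still load.
    Header always set Cross-Origin-Resource-Policy "same-origin"
    Header always set Cross-Origin-Embedder-Policy "require-corp"
    Header always set Cross-Origin-Opener-Policy "same-origin"

    # NOTE(review): script-src allows 'unsafe-inline', 'unsafe-eval' and every
    # https: origin, so this policy does little to contain script injection.
    # Its effective controls are frame-ancestors and the ban on plain-http
    # loads. Tightening it needs an inventory of the site's script sources;
    # a Content-Security-Policy-Report-Only rollout is the usual way to test
    # a stricter policy. Policy value left unchanged.
    Header always set Content-Security-Policy "default-src 'self' https: data: blob:; img-src 'self' https: data:; script-src 'self' https: 'unsafe-inline' 'unsafe-eval'; style-src 'self' https: 'unsafe-inline'; font-src 'self' https: data:; frame-ancestors 'self';"
</IfModule>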

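# -------------------------------------------------------
# Hotlink Protection
# -------------------------------------------------------
# Answer image requests with 403 when a Referer is present and is not this site.
# - Requests with an empty Referer are allowed (direct visits, privacy tools).
# - The host is anchored with an optional port followed by "/" or the end of
#   the string. Without that anchor, any hostname that merely starts with
#   "www.progresskingdom.com" would pass the check.
# Referer is supplied by the client, so this limits casual embedding and
# bandwidth use; it is not an access control.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://www\.progresskingdom\.com(:\d+)?(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif|webp|svg|ico)$ - [F,NC,L]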

# -------------------------------------------------------
# Block Bad Bots
# -------------------------------------------------------
# Each line sets the bad_bot environment variable when the User-Agent header
# contains the given string (case-insensitive, substring match).
# User-Agent is chosen by the client, so this list only filters crawlers that
# identify themselves honestly; it is not a defence against a client that
# changes its User-Agent. Generic entries ("Crawler", "curl", "wget") also
# reject monitoring or integration tools that use those strings.
<IfModule mod_setenvif.c>
    BrowserMatchNoCase "AhrefsBot" bad_bot
    BrowserMatchNoCase "SemrushBot" bad_bot
    BrowserMatchNoCase "MJ12bot" bad_bot
    BrowserMatchNoCase "DotBot" bad_bot
    BrowserMatchNoCase "BLEXBot" bad_bot
    BrowserMatchNoCase "EmailCollector" bad_bot
    BrowserMatchNoCase "Crawler" bad_bot
    BrowserMatchNoCase "Python-urllib" bad_bot
    BrowserMatchNoCase "wget" bad_bot
    BrowserMatchNoCase "curl" bad_bot
</IfModule>

# Allow everyone, then deny requests flagged as bad_bot. With
# "Order Allow,Deny" a matching Deny overrides the Allow.
# NOTE(review): Order/Allow/Deny is Apache 2.2 syntax. On 2.4 it works only
# while mod_access_compat is loaded; otherwise the directives are rejected and
# requests fail with a server error. The 2.4 equivalent is a <RequireAll>
# block with "Require all granted" and "Require not env bad_bot" — confirm the
# server version and AllowOverride settings before switching.
Order Allow,Deny
Allow from all
Deny from env=bad_bot

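# -------------------------------------------------------
# Prevent Access to Sensitive Files
# -------------------------------------------------------
# Deny web access to files whose name ends in one of these extensions.
# - (?i) makes the match case-insensitive. FilesMatch is case-sensitive by
#   default, so "backup.SQL" or "site.BAK" would otherwise still be served.
# - The match is on the file name only. Files without one of these extensions
#   (for example inside version-control or dependency directories) are not
#   covered and need their own rule or must live outside the web root.
# - "json" is blocked wholesale, which also denies any JSON the site means to
#   serve statically, such as a web app manifest.
# NOTE(review): Order/Deny is Apache 2.2 syntax and needs mod_access_compat on
# 2.4; "Require all denied" is the 2.4 form.
<FilesMatch "(?i)\.(env|ini|log|sh|sql|bak|config|json)$">
    Order allow,deny
    Deny from all
</FilesMatch>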

# -------------------------------------------------------
# Protect .htaccess and .htpasswd
# -------------------------------------------------------
# Refuse to serve any file whose name starts with ".ht", so the rewrite rules
# in .htaccess and the password hashes in .htpasswd cannot be downloaded.
# <FilesMatch> is the regex form of <Files ~ ...>.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
