# Disable directory listing, so a directory without an index file does not
# expose the names of the files it holds.
Options -Indexes

# Force utf-8 charset
AddDefaultCharset UTF-8
AddCharset UTF-8 .html .css .js .svg .woff .woff2

# Correct MIME type for the Web App Manifest
AddType application/manifest+json .webmanifest

# Security
# Drop the server-generated footer line from Apache's own error pages.
# NOTE(review): the "Server" response header is governed by ServerTokens,
# which can only be set in the main server configuration, not in .htaccess.
ServerSignature Off

# Refuse direct HTTP access to files that must never be served:
#   .htaccess, config.php, fusion_error_log.log and every *.cache file.
# The test is on the file name alone, so it holds in every subdirectory this
# .htaccess applies to.
<FilesMatch "^(\.htaccess|config\.php|fusion_error_log\.log|.*\.cache)$">
    Require all denied
</FilesMatch>
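# Block JSON files everywhere (site root and subdirectories).
# A single suffix test covers both locations. [NC] also rejects case variants
# such as ".JSON", which the previous case-sensitive patterns let through.
# These directives sit outside any <IfModule> guard on purpose or by accident:
# without mod_rewrite the file is rejected (HTTP 500) rather than JSON being
# served silently.
RewriteEngine On
RewriteRule \.json$ - [F,L,NC]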


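# Security headers
# NOTE(review): if mod_headers is not loaded this section is skipped silently
# and neither header is sent.
<IfModule mod_headers.c>
    # "always" puts the header on error and redirect responses as well
    # (for example the 403 and 301 produced by the rewrite rules), not only on
    # successful ones.
    Header always set X-Content-Type-Options "nosniff"
    # HSTS for one year. Browsers act on this header only when it arrives over
    # HTTPS. includeSubDomains plus preload commits every subdomain to HTTPS,
    # and removal from browser preload lists is slow, so confirm all
    # subdomains serve valid TLS before relying on it.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>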

<IfModule mod_expires.c>
    # Enable expiry headers; each lifetime below is counted from the moment
    # the client fetches the resource ("access").
    ExpiresActive On

    # NOTE(review): with a one-year lifetime, a corrected asset reaches
    # returning visitors only under a new URL. Confirm assets are versioned.

    # Images
    ExpiresByType image/png  "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    # NOTE(review): image/jpg is not a registered media type (JPEG is
    # image/jpeg); harmless, but this line probably never matches.
    ExpiresByType image/jpg  "access plus 1 year"
    ExpiresByType image/gif  "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"

    # CSS & JS
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Fonts
    ExpiresByType font/woff  "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

<IfModule mod_headers.c>
    # Long-lived caching for static assets, selected by file extension
    # (case-sensitive match on the file name).
    <FilesMatch "\.(png|jpg|jpeg|gif|webp|svg|ico|css|js|woff|woff2)$">
        # "public" lets shared caches store the response and "immutable" tells
        # browsers not to revalidate it for a year.
        # NOTE(review): confirm no file with these extensions is meant for
        # authenticated users only.
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
</IfModule>

# Custom error pages: the status code is handed to error.php as a query
# parameter.
# NOTE(review): error.php can also be requested directly with any "code"
# value, so it should validate the parameter rather than trust or echo it.
# Confirm in error.php.
ErrorDocument 401 /error.php?code=401
ErrorDocument 403 /error.php?code=403
ErrorDocument 404 /error.php?code=404

# Follow a symbolic link only when the link and its target have the same owner.
# mod_rewrite in .htaccess needs FollowSymLinks or SymLinksIfOwnerMatch enabled.
Options +SymLinksIfOwnerMatch

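# URL rewriting: scanner blocklist, HTTPS redirect, extensionless PHP URLs and
# the application's front-controller route.
# NOTE(review): everything in this section, including the HTTPS redirect, is
# skipped silently when mod_rewrite is not loaded.
<IfModule mod_rewrite.c>
    # Publish the availability of mod_rewrite as an environment variable.
    # Presumably read by the application to switch on rewritten URLs; confirm.
    <IfModule mod_env.c>
        SetEnv MOD_REWRITE On
    </IfModule>

    RewriteEngine On
    RewriteBase /

    ############################
    # Anti scan (known malware names)
    ############################

    # NOTE: no exception is made on the basis of User-Agent (e.g. Googlebot);
    # the header is supplied by the client and cannot vouch for a request.
    # Typical backdoor / scanner file names. The pattern is anchored to the
    # site root, so the same name inside a subdirectory is not covered. A 403
    # from these rules in the access log is a useful sign of scanning.
    RewriteCond %{REQUEST_URI} ^/(widgets|b|cachex|wpup|wpupex|first|halo|nck|db|re|bless|blurbs|admin)\.php$ [NC]
    RewriteRule .* - [F,L]

    # Attempts to reach WordPress files
    RewriteCond %{REQUEST_URI} ^/wp-.*\.php$ [NC]
    RewriteRule .* - [F,L]

    # Force HTTPS
    # NOTE(review): the redirect target is built from the client's Host header.
    # If this vhost answers for arbitrary host names, redirect to a fixed
    # canonical host name instead.
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Extensionless URLs: when the path is not a directory and "<path>.php"
    # exists, serve that script.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^(.*)$ $1.php

    # Fix Apache internal dummy connections
    # A RewriteCond binds to the next RewriteRule. Without a rule of its own,
    # this condition attached itself to the directory exclusion below and
    # limited that exclusion to dummy connections. The rule is restored here.
    RewriteCond %{HTTP_USER_AGENT} ^.*internal\ dummy\ connection.*$ [NC]
    RewriteRule .* - [F,L]

    # Exclude dirs from rewrite rules
    RewriteRule ^(administration|themes)/*$ - [L]

    # PHPFusion router: must stay last
    # Anything that is not an existing file, directory or symlink is routed to
    # index.php.
    # NOTE(review): the exclusion below is a prefix match and the dot in
    # "index.php" is unescaped, so it exempts more paths than the three named.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteCond %{REQUEST_URI} !^/(administration|config|index.php)
    RewriteRule ^(.*?)$ index.php [L]

</IfModule>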
