# =========================================================
# /public — front-controller routing + security
# =========================================================

Options -Indexes -MultiViews
ServerSignature Off
AddDefaultCharset UTF-8

<FilesMatch "^\.">
    Require all denied
</FilesMatch>

<FilesMatch "\.(bak|swp|sql|log|ini|conf|old)$">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Force HTTPS (uncomment in production)
    # RewriteCond %{HTTPS} !=on
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>

<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json text/xml
</IfModule>

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png  "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType text/css   "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType video/mp4  "access plus 1 month"
</IfModule>
