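## Canonicalization and security headers
## ------------------------------------

## Enable rewrite engine
RewriteEngine On

## 1) Canonical host: redirect www -> apex (straight to HTTPS so www+http is one hop)
RewriteCond %{HTTP_HOST} ^www\.allucanget\.biz$ [NC]
RewriteRule ^ https://allucanget.biz%{REQUEST_URI} [R=301,L]

## 2) Force HTTPS.
## Both conditions must hold (AND): the connection is plain HTTP *and* no upstream
## proxy reports that the client side was HTTPS. The previous [OR] form fired on
## every direct HTTPS request (no X-Forwarded-Proto header is present then), which
## produced a 301 redirect loop whenever the origin was reached without a proxy.
## NOTE(review): X-Forwarded-Proto is trusted here. That is only safe when the proxy
## in front of this host always overwrites a client-supplied value; otherwise a
## client can send "X-Forwarded-Proto: https" over plain HTTP and skip the redirect.
## NOTE(review): the target reuses the request Host header. If this vhost is the
## server's catch-all, a foreign Host value is reflected into the Location header;
## hard-code https://allucanget.biz here if no subdomain shares this docroot.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

## 3) Security headers
## "always" applies the header to every response, including 3xx/4xx/5xx; the plain
## "Header set" table is only consulted for successful (2xx) responses, so error
## pages and redirects would otherwise go out without these protections.

# HSTS: one year, include subdomains. Sent only when the response is known to go out
# over TLS: directly (mod_ssl sets the HTTPS env var) or via a proxy that reports
# X-Forwarded-Proto: https (the rewrite rule above already relies on that header).
# A separate env var is used for the proxied case so PHP's $_SERVER['HTTPS'] is not
# forged by a client-supplied header. Add "preload" only once the apex and every
# subdomain serve HTTPS and you intend to submit to the preload list (hard to undo).
SetEnvIf X-Forwarded-Proto "^https$" PROXIED_HTTPS=on
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=PROXIED_HTTPS

# Clickjacking protection (legacy header; the CSP frame-ancestors below is the
# modern control and takes precedence in browsers that support it)
Header always set X-Frame-Options "SAMEORIGIN"

# MIME sniffing protection
Header always set X-Content-Type-Options "nosniff"

# Referrer policy
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Lock down powerful features not in use
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=()"

# Content Security Policy tuned for local assets + jsdelivr Tailwind CDN.
# ONE directive only: a second "Header set Content-Security-Policy" replaces the
# first instead of merging with it, so the earlier split across two lines silently
# dropped object-src 'none', frame-ancestors 'self' and upgrade-insecure-requests.
# default-src lists 'self' explicitly because the host-source *.allucanget.biz
# matches subdomains only, never the apex this site is served from.
# NOTE(review): 'unsafe-inline' in script-src means CSP does not block injected
# inline scripts; moving to nonces or hashes requires changes in the HTML.
# NOTE(review): img-src https: allows images from any HTTPS origin, and form-action
# permits posting only to contact.allucanget.biz (forms posting to the apex itself
# are blocked) — confirm both are intended.
# block-all-mixed-content is deprecated but harmless alongside upgrade-insecure-requests.
Header always set Content-Security-Policy "default-src 'self' *.allucanget.biz; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self' 'unsafe-inline' https://contact.allucanget.biz https://cdn.jsdelivr.net https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline' https://contact.allucanget.biz https://cdn.jsdelivr.net https://static.cloudflareinsights.com; img-src 'self' data: https:; form-action https://contact.allucanget.biz; connect-src 'self' https://contact.allucanget.biz; upgrade-insecure-requests; block-all-mixed-content"

# ------------------------------------------------------------------
# Internally rewrite the root URL ("/") to the canonical file "index.html"
# (no [R] flag, so the browser keeps "/" in the address bar)
# ------------------------------------------------------------------
RewriteRule ^$ /index.html [L]

# ------------------------------------------------------------------
# Internally rewrite clean URLs like "/about" → "about.html"
# Only single-segment paths that are neither an existing file nor a directory
# are rewritten; a missing page still ends in a normal 404 for "<name>.html".
# ------------------------------------------------------------------
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/?$ $1.html [L]

# ensure charset encoding is UTF-8 for all content
AddDefaultCharset UTF-8

# NOTE(review): the cPanel block below appears twice with identical values; the
# later copy wins, so there is no functional conflict, but it should be regenerated
# from the MultiPHP INI Editor rather than edited here. session.save_path points at
# an ea-php56 directory, which suggests the handler is PHP 5.6 — end-of-life since
# December 2018 with no security fixes. Confirm the active PHP version in cPanel
# and move to a supported release.
# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
php_flag asp_tags Off
php_flag display_errors Off
php_value max_execution_time 30
php_value max_input_time 60
php_value max_input_vars 1000
php_value memory_limit 64M
php_value post_max_size 16M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php56"
php_value upload_max_filesize 16M
php_flag zlib.output_compression Off
php_flag asp_tags Off
php_flag display_errors Off
php_value max_execution_time 30
php_value max_input_time 60
php_value max_input_vars 1000
php_value memory_limit 64M
php_value post_max_size 16M
php_value session.gc_maxlifetime 1440
php_value session.save_path "/var/cpanel/php/sessions/ea-php56"
php_value upload_max_filesize 16M
php_flag zlib.output_compression Off
# END cPanel-generated php ini directives, do not edit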