# ----------------------------------------------------------------------
# | 8G Firewall for Security - Do not change this part @Update 03/2024
# ----------------------------------------------------------------------

# 8G FIREWALL v1.5 20250927
# https://perishablepress.com/8g-firewall/

# 8G:[CORE]
# Omit the server-generated footer line from Apache's own error and listing
# pages. The Server response header is governed by ServerTokens, which cannot
# be set from .htaccess.
ServerSignature Off

# Relative option changes: no auto-generated directory listings, and symlinks
# are followed only when the link and its target share an owner. mod_rewrite
# needs symlink following enabled to run in per-directory context.
Options -Indexes +SymLinksIfOwnerMatch

# Export the timezone into the request environment.
SetEnv TZ Australia/Hobart

# Turn on mod_rewrite for this directory; substitutions are relative to "/".
RewriteEngine On
RewriteBase /

# ── Allow .well-known for SSL/ACME challenges ──────────────────────────────
# "-" leaves the URL untouched and [L] ends this rewrite pass, so everything
# under /.well-known/ (not only ACME challenges) skips the rewrite rules that
# follow. Keep this rule above any rule that blocks dot-paths.
RewriteRule ^\.well-known/ - [L]

# Refuse direct HTTP access to template, ini and log files; (?i) makes the
# extension match case-insensitive. "Require" is Apache 2.4 authorization syntax.
# NOTE(review): other sensitive artefacts (backups, database dumps) are not in
# this list; confirm none are ever written under the document root.
<FilesMatch "(?i)\.(tpl|ini|log)$">
	Require all denied
</FilesMatch>

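# Serve /robots.txt as-is and stop rewriting for it. The pattern is anchored
# and the dot escaped so that only this exact path skips the rules that follow;
# the unanchored form also matched any path merely starting with "robots?txt".
RewriteRule ^robots\.txt$ - [L]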

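# Canonicalise a direct request for /index.php to / with a 301. POST is
# excluded so form submissions are not turned into GETs by the redirect.
# The THE_REQUEST guard limits the redirect to URLs the client itself asked
# for: in per-directory context the ruleset runs again after the
# front-controller rule further down rewrites to index.php, and without the
# guard that internal rewrite would be redirected as well.
RewriteCond %{REQUEST_METHOD} !^POST$
RewriteCond %{THE_REQUEST} ^[A-Z]+\s/index\.php[?\s]
RewriteRule ^index\.php$ / [R=301,L]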


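# Response hardening headers (mod_headers). "always" also attaches them to
# error responses and redirects that Apache generates itself, such as the 403
# from the FilesMatch block, which plain "Header set" does not cover.
# NOTE(review): if the application emits the same headers, "always" can produce
# duplicates; confirm against a live response.
# NOTE(review): this file sets no Strict-Transport-Security or
# Content-Security-Policy; confirm they are sent elsewhere if they are wanted.
# Pages may only be framed by the same origin.
Header always set X-Frame-Options "SAMEORIGIN"
# Browsers must not MIME-sniff responses away from the declared Content-Type.
Header always set X-Content-Type-Options "nosniff"
# Never send a Referer header on outbound navigations or subresource requests.
Header always set Referrer-Policy "no-referrer"
# Indexing hint for crawlers, not a security control; left as it was.
Header set X-Robots-Tag "index, follow"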

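# ── Block all other dotfiles (DISABLED: the rule below is commented out) ───
# While it stays disabled, this file does not block dot-paths such as /.git/
# or /.env. If enabled, keep it after the .well-known rule above.
#RewriteRule (?:^|/)\. - [F,L]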

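# ── www → non-www (301), currently disabled ────────────────────────────────
# Note: the target below is http://. On a site served over HTTPS, change it to
# https:// before enabling, so the redirect does not send visitors to plaintext.
#RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
#RewriteRule ^ http://%1%{REQUEST_URI} [R=301,L]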

# ── Front controller ───────────────────────────────────────────────────────
# (original note: pass existing .php files directly, prevent vhost modX routing)
# Requests that name an existing file (-f) or directory (-d) are left alone, as
# are URIs containing one of the listed static extensions. Everything else is
# rewritten internally to index.php with the requested path passed as _route_.
# The extension pattern is unanchored, so it matches ".js", ".css" and the rest
# anywhere in the URI (for example a path ending in ".json"), not only at the end.
# QSA appends the client's own query string after _route_, so _route_ is
# client-controlled either way; index.php must treat it as untrusted input.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
