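# Per-directory Apache configuration (.htaccess): HTTPS redirect, response
# hardening headers, download hot-link gate, query-string filter, dot-file
# denial and cache lifetimes. One directive per line; a line that starts with
# '#' is a comment, so the directives must not share a line with one.

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
# %{HTTP_HOST} is copied from the request's Host header. If this virtual host
# is also the server's default/catch-all host, redirect to a fixed canonical
# hostname instead so the Location header cannot carry an arbitrary host.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# NOTE(review): no Strict-Transport-Security header is set, so the first
# request of each visit can still go out over plain HTTP. Consider adding HSTS
# once every hostname served here is reachable over HTTPS.

# Disable directory listing
Options -Indexes

# Security headers
# "always" puts the headers on error responses and redirects too (including
# the 403s generated by the rules below); plain "Header set" only covers
# successful responses.
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "DENY"
# Legacy header: current browsers no longer ship the XSS filter it controlled.
# Value kept as found; a Content-Security-Policy is the effective control.
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Block direct access to /files/ without referer from mirror page
# The host is terminated with (/|$) so a look-alike origin such as
# mirror.rebootlydeploy.com.<other-domain> does not satisfy the match.
# Referer is supplied by the client: this is hot-link deterrence, not access
# control. Anything under /files/ that must stay private needs real
# authentication or signed, expiring URLs.
RewriteCond %{HTTP_REFERER} !^https://mirror\.rebootlydeploy\.com(/|$) [NC]
RewriteCond %{REQUEST_URI} ^/files/ [NC]
RewriteRule ^ - [F,L]

# Block common injection patterns
# Deny-list on the query string only; request bodies, headers and alternate
# encodings are not inspected. Treat it as noise reduction; input validation
# and output encoding in the application remain the actual defence.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^ - [F,L]

# Block hidden files
# NOTE(review): the flattened source had a bare "Require all denied" here,
# which would deny every request in this directory. The enclosing container
# was evidently lost; it is restored as a dot-file match to fit the comment
# above. Confirm the pattern against the deployed file.
# FilesMatch tests the file's base name only, so files with ordinary names
# inside a dot-directory (for example a VCS metadata directory) are not
# covered by this block and need their own rule.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Cache static files
ExpiresActive On
ExpiresByType text/html "access plus 5 minutes"
ExpiresByType application/octet-stream "access plus 1 hour"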