<IfModule mod_rewrite.c>
    # Only applied when mod_negotiation is loaded: turn off content-negotiated
    # filename guessing (MultiViews) and automatic directory listings.
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>
    RewriteEngine On
    # Handle Authorization Header
    # When the request carries a non-empty Authorization header, copy it into
    # the HTTP_AUTHORIZATION environment variable without rewriting the URL.
    # NOTE(review): presumably needed because the PHP handler does not see the
    # header otherwise - confirm against the deployed SAPI.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    # Redirect Trailing Slashes If Not A Folder...
    # %1 is the part of REQUEST_URI captured before the final slash; the
    # client is sent there with a permanent (301) redirect.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]
    # Send Requests To Front Controller...
    # Anything that is neither an existing directory nor an existing file is
    # handed to index.php. The deny rules further down this file sit after
    # this rule in the same rule set, so rule order matters when editing.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # cors
    # (disabled here; an active copy of this header is set in the
    # mod_headers block that follows)
    # Header set Access-Control-Allow-Origin "*"
</IfModule>

<IfModule mod_headers.c>
    # Wildcard CORS: every web origin may read responses from this site in a
    # browser. That is appropriate only for public, unauthenticated content.
    # NOTE(review): the rewrite rules in this file forward an Authorization
    # header, which suggests authenticated endpoints exist - confirm whether
    # this should be an explicit allow-list of trusted origins instead.
    Header set Access-Control-Allow-Origin "*"
</IfModule>

# Hide a specific file
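# Deny every request for the file named exactly ".env".
# Written with the authz_core "Require" syntax used by the other deny rules
# in this file; the older Order/Deny directives depend on mod_access_compat
# and should not be mixed with Require in the same configuration.
<Files .env>
    Require all denied
</Files>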


# ---------------------------------------------------------------------
# Disable Directory Listing
# ---------------------------------------------------------------------
# Unconditional: the "-Indexes" inside the mod_negotiation block at the top of
# this file takes effect only when that module is loaded; this line does not
# depend on it.
Options -Indexes

# ---------------------------------------------------------------------
# Block Direct Access to Sensitive Files
# ---------------------------------------------------------------------
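# <FilesMatch> tests only the last path component (the file name), not the
# directory part of the URL. Alternatives, in order:
#   ^\.                    any name starting with a dot (.env, .htaccess, ...)
#   wp-config\.php, composer.json/lock, package.json, yarn.lock
#   (^|[._-])env($|[._-])  "env" as a delimited token: env, env.php, prod.env,
#                          dev-env.json - but not names that merely contain
#                          the letters, such as environment.js
#   botattacklogs1_grocibbc\.txt
# All alternatives except the first are substring matches, so backup copies
# such as wp-config.php.old are refused as well.
<FilesMatch "(^\.|wp-config\.php|composer\.(json|lock)|package\.json|yarn\.lock|(^|[._-])env($|[._-])|botattacklogs1_grocibbc\.txt)">
  Require all denied
</FilesMatch>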

# ---------------------------------------------------------------------
# Block Common Bad Bots (user-agents)
# ---------------------------------------------------------------------
# Flag the request with the "bad_bot" environment variable when its User-Agent
# contains any of these substrings (case-insensitive).
# The User-Agent header is chosen by the client, so this only filters clients
# that identify themselves honestly; it reduces crawl noise and is not an
# access control. The generic entries (curl, wget, python-requests,
# httpclient) also match legitimate monitoring and API clients.
SetEnvIfNoCase User-Agent "(AhrefsBot|SemrushBot|MJ12bot|DotBot|PetalBot|BLEXBot|python-requests|curl|wget|httpclient|crawler)" bad_bot

# Allow everyone except requests flagged "bad_bot" by the SetEnvIfNoCase lines
# above. Both conditions must hold: "Require not" may only narrow a grant, so
# it is paired with "Require all granted" inside <RequireAll>.
<RequireAll>
  Require all granted
  Require not env bad_bot
</RequireAll>

# ---------------------------------------------------------------------
# Block Bots with Blank or Fake User-Agents
# ---------------------------------------------------------------------
# Answer 403 when the User-Agent is empty or is the single character "-".
# Unlike the first rewrite block in this file, these directives are not
# wrapped in <IfModule mod_rewrite.c>; without the module the file fails to
# parse rather than silently skipping the rule.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

# ---------------------------------------------------------------------
# Block Suspicious Query Strings Used in Scanning / SQL Injection
# ---------------------------------------------------------------------
# Answers 403 when the query string contains any listed keyword, matched
# case-insensitively as a plain substring. Limits worth knowing:
#   - Ordinary values that contain a keyword ("selection", "retrieval",
#     "ecosystem") are refused too; expect false positives on search forms.
#   - Only the query string is examined; request bodies are not.
# Treat this as noise reduction against scanners. The injection defence
# itself belongs in the application (parameterised queries, no evaluation
# of request data).
RewriteCond %{QUERY_STRING} "(union|select|sleep|concat|base64_decode|eval|system|shell_exec|passthru|phpinfo|cmd)" [NC]
RewriteRule ^.* - [F,L]

# ---------------------------------------------------------------------
# Block Access to Hidden System Files
# ---------------------------------------------------------------------
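# Refuse files whose NAME ends in one of these extensions. <FilesMatch> tests
# only the last path component, so on its own it does not cover files stored
# inside a .git/ or .svn/ directory, whose names carry no such suffix.
<FilesMatch "(\.git|\.svn|\.env|\.log|\.bak|\.ini|\.sql|\.zip|\.tgz|\.tar\.gz)$">
  Require all denied
</FilesMatch>

# Cover the directory case: answer 404 for any URL path that passes through a
# version-control metadata directory.
<IfModule mod_alias.c>
  RedirectMatch 404 "(^|/)\.(git|svn)(/|$)"
</IfModule>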

# ---------------------------------------------------------------------
# Limit Request Body Size (caps how much data one request may upload)
# ---------------------------------------------------------------------
# Value is in bytes (512000 = 500 KiB). This bounds resource use per
# request; it is not a memory-safety control. Requests with a larger body are
# rejected, which includes file uploads - NOTE(review): confirm no upload
# endpoint needs more than this.
LimitRequestBody 512000

# ---------------------------------------------------------------------
# Prevent Hotlinking (optional)
# ---------------------------------------------------------------------
# RewriteCond %{HTTP_REFERER} !^$
# RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC]
# RewriteRule \.(jpg|jpeg|png|gif|webp|mp4)$ - [F,NC]

# ---------------------------------------------------------------------
# Security Headers (helps reduce exploit vectors)
# ---------------------------------------------------------------------
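<IfModule mod_headers.c>
    # "always" attaches the header to error responses as well as successful ones.

    # Only pages from this same origin may embed the site in a frame.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Explicitly switch off the legacy browser XSS filter. Current browsers
    # have removed it, and in the older browsers that still honour the header
    # the filter itself had exploitable side effects, so "0" is the value
    # recommended today. XSS protection should come from output encoding and
    # a Content-Security-Policy.
    Header always set X-XSS-Protection "0"

    # Stop browsers from guessing a content type different from the declared one.
    Header always set X-Content-Type-Options "nosniff"

    # Sends the full URL (path and query string) as Referer to any HTTPS
    # destination, including other sites. NOTE(review): if URLs can carry
    # tokens or identifiers, "strict-origin-when-cross-origin" leaks less.
    Header always set Referrer-Policy "no-referrer-when-downgrade"

    # NOTE(review): no Content-Security-Policy or Strict-Transport-Security is
    # set in this file - confirm they are configured elsewhere.
</IfModule>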

# ---------------------------------------------------------------------
# Custom Error Messages
# ---------------------------------------------------------------------
# Reply with these literal text bodies instead of Apache's built-in error
# pages for 403 and 404 responses.
ErrorDocument 403 "Forbidden"
ErrorDocument 404 "Not Found"

# Bandwidth throttle, applied only when mod_ratelimit is loaded: the
# RATE_LIMIT output filter caps how fast each response is sent, using the
# "rate-limit" variable (KiB/s). It does not limit how many requests a client
# may make, so it is not a defence against request floods or brute forcing.
<IfModule mod_ratelimit.c>
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 300
</IfModule>




