Options -Indexes
ServerSignature Off

# Security headers
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Content-Security-Policy "default-src 'self' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://fonts.googleapis.com https://fonts.gstatic.com https://js.paystack.co https://sdk.monnify.com https://api.monnify.com https://monnify.com https://sandbox.monnify.com https://*.monnify.com https://checkout.paystack.com https://api.dicebear.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://js.paystack.co https://sdk.monnify.com https://api.monnify.com; style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://fonts.googleapis.com; img-src 'self' data: https://api.dicebear.com https://monnify.com; font-src 'self' https://cdnjs.cloudflare.com https://fonts.gstatic.com; connect-src 'self' https://api.monnify.com https://sandbox.monnify.com https://api.paystack.co https://checkout.paystack.com https://5sim.net https://www.maskawasub.com https://n3tdata.com; frame-src https://sdk.monnify.com https://standard.paystack.co https://checkout.paystack.com https://*.monnify.com https://monnify.com"
</IfModule>

# Block access to sensitive files — Apache 2.4 + LiteSpeed compatible
<FilesMatch "\.(sql|log|md|env|git|sh|bak)$">
    Require all denied
</FilesMatch>

# Block direct access to internal directories
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^config/(.*)$ - [F,L]
    RewriteRule ^classes/(.*)$ - [F,L]
    RewriteRule ^includes/(.*)$ - [F,L]
    RewriteRule ^cron/(.*)$ - [F,L]
</IfModule>

# PHP settings (works on LiteSpeed with php-fpm via .user.ini instead)
# These are kept here as fallback but may be ignored on LiteSpeed
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>
