# Never render a directory listing when no index file is present, so the
# layout of the document root is not exposed by a bare directory URL.
Options -Indexes

<IfModule mod_setenvif.c>
    # Mark the request as HTTPS (consumed by the env=HTTPS_ON condition on the
    # Strict-Transport-Security header below) when TLS terminates on this host.
    SetEnvIf HTTPS "on" HTTPS_ON=1
    # NOTE(review): X-Forwarded-Proto is set by whatever connects to this server,
    # so it is only meaningful if a trusted reverse proxy in front overwrites it.
    # Confirm the proxy does; for a directly exposed host this line is not needed.
    # (Browsers ignore HSTS received over plain HTTP, which bounds the impact.)
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS_ON=1
</IfModule>

<IfModule mod_headers.c>
    # "always" applies each header to error responses (4xx/5xx) too, not only
    # to successful ones.
    # Stop browsers from MIME-sniffing a response into a different type.
    Header always set X-Content-Type-Options "nosniff"
    # Legacy clickjacking protection; CSP frame-ancestors below takes
    # precedence in browsers that support it.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Full URL only to same-origin; origin only on cross-origin HTTPS; nothing
    # on downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Disable browser features this site does not use, for all origins.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Note: same-origin also stops other origins from embedding the public
    # upload images served by the rewrite rules below (no hotlinking).
    Header always set Cross-Origin-Resource-Policy "same-origin"
    # NOTE(review): 'unsafe-inline' in script-src gives up most of CSP's XSS
    # protection; moving inline scripts to nonces or hashes would restore it.
    # object-src 'none' blocks plugins; upgrade-insecure-requests turns http:
    # subresource loads into https:.
    Header always set Content-Security-Policy "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; upgrade-insecure-requests"
    # One-year HSTS, sent only when HTTPS_ON was set by mod_setenvif above.
    # includeSubDomains pins every subdomain to HTTPS for that period —
    # confirm all subdomains serve TLS before deploying.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS_ON
</IfModule>

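<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block hidden files/folders (any path segment starting with ".") except
    # the ACME challenge path under .well-known/. [F] implies [L].
    RewriteRule "(^|/)\.(?!well-known/)" - [F]

    # Allow public access to uploaded product images only; [NC] so .JPG, .PNG
    # etc. are served as well. The pattern matches a single filename component
    # (no subdirectories under uploads/).
    # NOTE(review): a name with a second extension (e.g. name.php.jpg) also
    # matches; whether it is executed depends on how the PHP handler is bound
    # (AddHandler applies to any extension position, a FilesMatch on "\.php$"
    # does not) — confirm the uploads directory cannot execute scripts.
    RewriteRule ^data/uploads/[^/]+\.(?:jpe?g|png|webp|gif)$ - [L,NC]

    # Deny direct access to the rest of the writable data directory.
    # [NC] added: on a case-insensitive filesystem (Windows, default macOS) a
    # request for DATA/... or Data/... resolves to the same directory but would
    # not match a case-sensitive pattern, bypassing this deny. Harmless on
    # case-sensitive filesystems, where those paths would 404 anyway.
    RewriteRule ^data(?:/|$) - [F,L,NC]
</IfModule>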

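<IfModule mod_authz_core.c>
    # Apache 2.4 authorization: never serve the main config file or any .json
    # or .md file directly. (?i) makes the match case-insensitive so that
    # CONFIG.PHP / data.JSON on a case-insensitive filesystem are denied too
    # (Apache's handler/extension matching is itself case-insensitive, so a
    # case-sensitive deny would leave a gap there).
    # NOTE(review): editor or backup copies such as config.php~ or
    # config.php.bak do not match this pattern.
    <FilesMatch "(?i)^(config\.php|.*\.(json|md))$">
        Require all denied
    </FilesMatch>
</IfModule>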

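<IfModule !mod_authz_core.c>
    # Fallback when mod_authz_core is absent (Apache 2.2 syntax): same file
    # set as the 2.4 block. (?i) makes the match case-insensitive so that
    # CONFIG.PHP / data.JSON on a case-insensitive filesystem are denied too.
    # NOTE(review): editor or backup copies such as config.php~ or
    # config.php.bak do not match this pattern.
    <FilesMatch "(?i)^(config\.php|.*\.(json|md))$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>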
