# =============================================
# ПРОДВИНУТАЯ ЗАЩИТА ДЛЯ САЙТА "ВОЙНЫ МАФИИ"
# =============================================

# No directory listings; allow following symlinks (per-directory mod_rewrite
# needs FollowSymLinks or SymLinksIfOwnerMatch to be enabled)
Options -Indexes +FollowSymLinks

# =============================================
# ЗАЩИТА СЛУЖЕБНЫХ ФАЙЛОВ
# =============================================
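# Deny direct requests for dot-files (.env, .htpasswd, .htaccess, ...).
# FilesMatch tests the file's basename only, so files *inside* a
# dot-directory (e.g. .git/config) are not caught by this rule.
<FilesMatch "^\.">
    # Apache 2.4 authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat). On a 2.4 build without
    # mod_access_compat the bare Order/Deny lines are a fatal config error.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>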

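# Deny direct requests for config, log, dump, backup and editor swap files.
# The patterns are anchored to the end of the name: the unanchored originals
# also matched names such as "app.init.js" (\.ini) and "site.logo.png" (\.log).
# An optional archive suffix keeps "dump.sql.gz" and friends covered.
# "\.git" was dropped from this list because FilesMatch cannot see the
# directory part of a path; block the .git directory with a RewriteRule.
<FilesMatch "(^\.ht|\.(ini|log|sql|bak|old|swp)(\.(gz|zip|tar|bz2))?$)">
    # Apache 2.4 authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>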

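# Include-only PHP files must never be served directly. They remain readable
# by include/require from other scripts; only HTTP requests are refused.
# One FilesMatch replaces the three identical <Files> blocks.
<FilesMatch "^(functions|db|config)\.php$">
    # Apache 2.4 authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>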

# =============================================
# ЗАПРЕТ ВЫПОЛНЕНИЯ PHP В ПАПКАХ ЗАГРУЗОК
# =============================================
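# Two problems with the original form of this section:
#  * an unconditional "php_flag engine off" at this level switches PHP off
#    for the whole tree this file governs (the entire site when this is the
#    root .htaccess), not only for uploads/;
#  * <DirectoryMatch> is not permitted in .htaccess context (server config /
#    virtual host only), so every request would fail with a 500.
# Instead, refuse any request for a PHP-like file under uploads/ from here.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # (\.|/|$) after the extension also catches path-info ("x.php/y") and
    # double-extension names ("x.php.jpg") that mod_mime may hand to PHP.
    RewriteRule ^uploads/.*\.(php\d?|phtml|phar)(\.|/|$) - [F,L,NC]
</IfModule>

# Belt and braces for mod_php only (php_flag is ignored under PHP-FPM/CGI):
# put these lines in uploads/.htaccess, NOT in this file.
# <IfModule mod_php7.c>
#     php_flag engine off
# </IfModule>
# PHP 8 ships the Apache module as mod_php.c (confirm against your build):
# <IfModule mod_php.c>
#     php_flag engine off
# </IfModule>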

# =============================================
# БЛОКИРОВКА ОПАСНЫХ СТРОК В URL
# =============================================
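# Crude signature matching on the raw query string; this is not a WAF.
# The patterns are narrower than the original list, which matched bare
# substrings such as "http", "fopen", "REQUEST" and "_GET" case-insensitively
# and therefore returned 403 for harmless queries like ?q=request or
# ?site=httpbin. %{QUERY_STRING} is not URL-decoded, so the encoded forms of
# "(", ":", "/", "[", "=" and "." are matched alongside the literal ones.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # PHP function calls typical of injected code: name followed by "("
    RewriteCond %{QUERY_STRING} (base64_(en|de)code|eval|file_get_contents|fopen|fwrite|preg_replace|gzuncompress)\s*(\(|%28) [NC,OR]
    RewriteCond %{QUERY_STRING} (exec|system|passthru|shell_exec|phpinfo|popen|curl_exec)\s*(\(|%28) [NC,OR]
    # Remote file inclusion (a URL with a scheme) or directory traversal
    RewriteCond %{QUERY_STRING} (gopher|ftp|https?|dict)(:|%3A)(/|%2F){2} [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.\\|%2E%2E(%2F|%5C)) [NC,OR]
    # Attempts to set PHP superglobals through the URL. PHP variable names are
    # case-sensitive, so no NC here: "?user_get=1" must not trip the rule.
    RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST|_COOKIE|_GET|_POST)(=|\[|%5B) [OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-z_]+(=|%3D) [NC,OR]
    # php.ini settings being passed as parameters
    RewriteCond %{QUERY_STRING} (allow_url_include|auto_prepend_file|disable_functions|open_basedir)(=|%3D) [NC]
    RewriteRule .* - [F,L]

    # Dependency, build and VCS directories that must never be web-reachable.
    # .git is listed here because a <FilesMatch> cannot match a directory name.
    RewriteRule ^(vendor|composer|node_modules|tests|\.git)(/|$) - [F,L,NC]
    RewriteRule ^composer\.(json|lock)$ - [F,L,NC]
</IfModule>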

# =============================================
# НАСТРОЙКА СТРАНИЦЫ 404
# =============================================
ErrorDocument 404 /404.php

# =============================================
# ЗАГОЛОВКИ БЕЗОПАСНОСТИ
# =============================================
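<IfModule mod_headers.c>
    # "always" applies the headers to error responses (403/404/500) as well;
    # per mod_headers docs a plain "Header set" is only added to successful
    # responses, so the custom 404 page was served without them.
    Header always set X-Frame-Options "DENY"
    Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor has been removed from current browsers, and in the
    # ones that still have it "1; mode=block" can itself be abused as a side
    # channel; "0" is the value recommended by OWASP.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Do not advertise the PHP version (expose_php = Off in php.ini is the
    # reliable fix; this only strips the header Apache still sees)
    Header unset X-Powered-By
    # Add a CSP if needed, but test first: it may break existing inline scripts
    # Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://code.jquery.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self';"
</IfModule>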

# =============================================
# ПРИНУДИТЕЛЬНЫЙ HTTPS (раскомментируйте, если есть SSL)
# =============================================
# <IfModule mod_rewrite.c>
#     RewriteCond %{HTTPS} off
#     RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
# </IfModule>

# =============================================
# КЭШИРОВАНИЕ СТАТИКИ (для скорости)
# =============================================
# Client-side caching of static assets. Written in mod_expires' seconds
# syntax: A<seconds> = "access plus <seconds>"; the module counts a month
# as 30 days, so A2592000 == "access plus 1 month" and A604800 == "1 week".
<IfModule mod_expires.c>
    ExpiresActive On
    # images: 30 days
    # (image/jpg is not a registered type - Apache serves .jpg as image/jpeg -
    # but it is kept so behaviour is unchanged)
    ExpiresByType image/jpg A2592000
    ExpiresByType image/jpeg A2592000
    ExpiresByType image/gif A2592000
    ExpiresByType image/png A2592000
    # stylesheets and scripts: 7 days
    ExpiresByType text/css A604800
    ExpiresByType application/javascript A604800
</IfModule>