# cPanel auto-injects PassengerAppRoot / PassengerBaseURI / PassengerPython directives
# above this section when you create the Python App. DO NOT delete those lines.
# Everything below is custom and safe to keep.

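# --- Force HTTPS (uncomment after you've installed an SSL certificate via cPanel).
# Behind a TLS-terminating proxy or CDN, %{HTTPS} can stay "off" and this rule will
# then redirect in a loop; confirm how TLS reaches Apache before enabling it.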
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# --- Let Apache answer /static/* itself instead of handing the request on.
# "-" leaves the URL untouched; [L] ends rewrite processing for these paths.
# NOTE(review): whether this really bypasses Passenger depends on where static/
# sits relative to the app root; confirm on the host.
RewriteEngine On
RewriteRule ^static/ - [L]

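# --- Security headers
# "always" attaches the header to every response, including Apache-generated
# redirects and error pages (301/403/404/500), which a plain "Header set" skips.
# The "onsuccess unset" line first drops any copy the application emitted, so a
# response never carries the same header twice with conflicting values.
# The <IfModule> guard means these headers are silently absent if mod_headers is
# not loaded; check a live response after deploying.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response into a different content type.
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options "nosniff"

    # Only pages from this origin may frame the site (clickjacking defence).
    Header onsuccess unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

    # Send the Referer header on same-origin requests only.
    Header onsuccess unset Referrer-Policy
    Header always set Referrer-Policy "same-origin"

    # Once HTTPS is enforced, consider adding Strict-Transport-Security here.
</IfModule>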

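# --- Cache static assets: CSS/JS for one day, images for seven days
# The rules are keyed on Content-Type, not on the static/ path, so they apply to
# any response of these types that does not already carry an Expires header.
# HTML is deliberately not listed, so application pages are left uncached.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 day"
    # JavaScript may be served under either MIME type depending on the server's
    # mime.types, so both are listed.
    ExpiresByType application/javascript "access plus 1 day"
    ExpiresByType text/javascript "access plus 1 day"
    ExpiresByType image/png "access plus 7 days"
    ExpiresByType image/jpeg "access plus 7 days"
</IfModule>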

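# --- Hide sensitive files from being served
# FilesMatch tests the file's base name only, at any depth below this directory.
# Besides the exact names, the pattern also covers .env variants (.env.local,
# .env.bak, ...) and SQLite side files (*.db-journal, *.db-wal, *.db-shm), which
# can hold the same secrets or data as the files they accompany.
# This is defence in depth: it only affects requests Apache maps to a file, so
# keep these files outside the web root wherever the layout allows it.
<FilesMatch "^(\.env(\..*)?|\.gitignore|passenger_wsgi\.py|.*\.db(-journal|-wal|-shm)?|.*\.pyc)$">
    Require all denied
</FilesMatch>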

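# --- Refuse requests into internal directories
# <DirectoryMatch> is valid only in the server or virtual-host configuration.
# Assuming this file is deployed as a per-directory .htaccess (as the cPanel note
# at the top implies), Apache rejects it there ("not allowed here") and answers
# 500 for every request, so the deny is expressed with mod_rewrite instead.
# The pattern matches whole path segments at any depth; [F] returns 403.
# Being URL-based, it also refuses an application route that uses one of these
# names as a path segment. Keeping these directories outside the web root
# remains the stronger control.
RewriteEngine On
RewriteRule (^|/)(__pycache__|instance|\.?venv)(/|$) - [F]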
