# Auto-generated by JR Affiliate AI Autosite
# Hostinger / Apache configuration.

# Force HTTPS (Google ranks HTTPS sites higher)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Custom 404
ErrorDocument 404 /404.html

# Cache control: long-lived static assets, short HTML
<IfModule mod_headers.c>
  <FilesMatch "\.(css|js|jpg|jpeg|png|webp|gif|svg|ico|woff|woff2)$">
    Header set Cache-Control "public, max-age=31536000, immutable"
  </FilesMatch>
  <FilesMatch "\.html$">
    Header set Cache-Control "public, max-age=300, must-revalidate"
  </FilesMatch>
</IfModule>

# Compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
</IfModule>

# v25.67 — Security headers (Bing/Google trust + privacy-policy compliance)
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
  Header set Permissions-Policy "geolocation=(), microphone=(), camera=()"
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

# v25.67 — Block public access to debug folder (defence-in-depth;
# the dump was moved out of public/ in v25.67 but if a future
# operator misconfigures static export, this still blocks it).
# v25.92.6 — also block operator-notes folder + any .md / .txt /
# .json files at root that might leak deployment instructions to
# search crawlers when the operator deploys via cPanel/FTP and the
# entire zip lands at the web root (not just /public/).
<IfModule mod_rewrite.c>
  RewriteRule ^_debug/ - [F,L]
  RewriteRule ^_operator-notes/ - [F,L]
  RewriteRule \.(md|markdown)$ - [F,L]
  RewriteRule ^(README|IMAGE-GUIDE|HANDOFF|DEPLOY-TEST|CLAUDE) - [F,L]
</IfModule>
