# GitHub Code Viewer Plugin - Security Rules

# Prevent directory browsing
Options -Indexes

# Deny access to all files by default
<FilesMatch ".*">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Allow access to specific file types only
<FilesMatch "\.(css|js|png|jpg|jpeg|gif|svg|woff|woff2|ttf|eot)$">
    Order Allow,Deny
    Allow from all
</FilesMatch>

# Specifically allow access to the main plugin file
<Files "maple-code-blocks.php">
    Order Allow,Deny
    Allow from all
</Files>

# Protect sensitive files
<FilesMatch "(^\.|wp-config\.php|\.htaccess|\.htpasswd|error_log|readme\.html|license\.txt|install\.php|php\.ini|php5\.ini)">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Disable PHP execution in subdirectories (except the root plugin file)
<FilesMatch "\.php$">
    <If "%{REQUEST_URI} !~ m#^.*/maple-code-blocks/maple-code-blocks\.php$#">
        Order Deny,Allow
        Deny from all
    </If>
</FilesMatch>

# Prevent script injection
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ - [F,L]
</IfModule>

# Disable XML-RPC if not needed
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

# Add security headers
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Hotlinking protection disabled - not needed for WordPress plugins
# WordPress plugins need their assets accessible to the host site
# <IfModule mod_rewrite.c>
#     RewriteEngine on
#     RewriteCond %{HTTP_REFERER} !^$
#     RewriteCond %{HTTP_REFERER} !^https?://(www\.)?%{HTTP_HOST} [NC]
#     RewriteRule \.(css|js|png|jpg|jpeg|gif|svg)$ - [F,NC,L]
# </IfModule>

# Compress text files
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>

# Set proper MIME types
<IfModule mod_mime.c>
    AddType text/css .css
    AddType application/javascript .js
    AddType application/json .json
</IfModule>

# Cache control for static assets
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"
</IfModule>

# Disable server signature
ServerSignature Off

# Prevent access to hidden files
<FilesMatch "^\.">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Block access to backup and source files
<FilesMatch "(\.(bak|backup|config|dist|fla|inc|ini|log|psd|sh|sql|sw[op])|~)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>