# Disable automatically generated directory listings for this directory tree.
# This only suppresses the listing page: individual files remain reachable by
# direct URL, so sensitive files still need the explicit deny rules below.
# NOTE(review): inside a .htaccess file this directive is honoured only when the
# server's AllowOverride setting permits Options; otherwise requests fail with a
# 500 error. Confirm on the target host.
Options -Indexes

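# ===== Performance: response compression (mod_deflate) =====
# Compress text-based formats only. WOFF2 is deliberately not listed: the format
# is already Brotli-compressed, so DEFLATE would cost CPU without shrinking it.
# NOTE(review): if any dynamically generated HTML/JSON response carries a secret
# (for example a CSRF token) alongside reflected request data, compressing it
# over TLS exposes a length side channel (BREACH). Confirm that no such response
# is served from this tree.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json
    AddOutputFilterByType DEFLATE image/svg+xml application/xml text/xml
</IfModule>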

# ===== Performance: static asset caching (mod_expires) =====
# Every lifetime below is counted from the moment of the request ("access").
<IfModule mod_expires.c>
    ExpiresActive On

    # HTML: expires immediately, so the latest version is always fetched
    ExpiresByType text/html "access plus 0 seconds"

    # Stylesheets and scripts: 1 week (bump the ?v= query string to refresh after an update)
    ExpiresByType text/javascript "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
    ExpiresByType text/css "access plus 1 week"

    # Images: 1 month
    ExpiresByType image/svg+xml "access plus 1 month"
    ExpiresByType image/webp "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"

    # Fonts: 1 year
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>

# ===== Performance: Cache-Control headers (mod_headers) =====
# Matching is done on the file extension; the four patterns do not overlap, so
# the order of the sections does not matter.
<IfModule mod_headers.c>
    # HTML: a stored copy must be revalidated with the server before each reuse
    <FilesMatch "\.html?$">
        Header set Cache-Control "no-cache, must-revalidate"
    </FilesMatch>
    # CSS / JS: 604800 s = 1 week
    <FilesMatch "\.(js|css)$">
        Header set Cache-Control "public, max-age=604800"
    </FilesMatch>
    # Images: 2592000 s = 30 days
    <FilesMatch "\.(svg|webp|gif|jpe?g|png)$">
        Header set Cache-Control "public, max-age=2592000"
    </FilesMatch>
    # Font files: 31536000 s = 1 year, marked immutable so clients skip revalidation
    <FilesMatch "\.(eot|ttf|woff2?)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
</IfModule>

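# ===== Security response headers (mod_headers) =====
# "always" attaches each header to error responses as well as successful ones.
# NOTE(review): no Content-Security-Policy is set anywhere in this file. CSP is
# the main in-browser XSS mitigation and has to be written against the site's
# own script/style/image sources, so it is flagged here rather than guessed.
<IfModule mod_headers.c>
    # Stop browsers from MIME-sniffing a response away from its declared Content-Type
    Header always set X-Content-Type-Options "nosniff"
    # Refuse all framing (clickjacking defence); CSP "frame-ancestors 'none'" is the modern equivalent
    Header always set X-Frame-Options "DENY"
    # Send the full URL as referrer to same-origin requests, only the origin cross-origin
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Deny camera, microphone, geolocation and payment APIs to this site and any embedded frame
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    # HSTS for one year, emitted only when the HTTPS environment variable is set.
    # NOTE(review): includeSubDomains forces HTTPS on every subdomain; confirm all of them serve TLS.
    # NOTE(review): if TLS is terminated upstream (proxy/CDN), HTTPS may be unset here and the
    # header will silently not be sent. Verify on a deployed response.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # Explicitly switch off the legacy browser XSS auditor. The previous value "1; mode=block"
    # is deprecated: the auditor is gone from current browsers, and where it still exists its
    # blocking behaviour can be abused as a cross-site information leak. Current OWASP guidance
    # is "0" plus a Content-Security-Policy.
    Header always set X-XSS-Protection "0"
</IfModule>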

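# Block direct HTTP access to JSON data files.
# (?i) makes the extension match case-insensitive. Without it a file named
# data.JSON, or any .json file requested with different casing on a
# case-insensitive filesystem, is not covered by the rule and gets served.
# NOTE(review): this also blocks browser-side fetch/XHR of any .json under this
# tree; presumably the data is read server-side only. Confirm.
<FilesMatch "(?i)\.json$">
    # Apache 2.4+ authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback, used only when mod_authz_core is absent
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>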

# Never serve this .htaccess file itself: its contents disclose the access
# rules and server layout configured here.
<Files ".htaccess">
    # Legacy access control, applied only when mod_authz_core is not loaded (Apache 2.2)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
    # Apache 2.4+ authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</Files>

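# Block direct HTTP access to Markdown files (READMEs, notes, changelogs), which
# tend to describe internals not meant for visitors.
# (?i) makes the extension match case-insensitive. Without it a file named
# README.MD, or any .md file requested with different casing on a
# case-insensitive filesystem, is not covered by the rule and gets served.
<FilesMatch "(?i)\.md$">
    # Apache 2.4+ authorization syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback, used only when mod_authz_core is absent
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>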
