# Enable mod_rewrite for this directory tree.
# NOTE(review): needs AllowOverride FileInfo (or All) in the server config,
# otherwise every RewriteRule below is ignored or answered with a 500.
RewriteEngine On
# Serve index.php for directory requests such as "/".
DirectoryIndex index.php

# Disable directory listings (no auto-index when index.php is missing).
# NOTE(review): "Options" inside .htaccess requires AllowOverride Options (or
# All); without it Apache returns 500 for the whole directory. If MultiViews is
# enabled at the server level, mod_negotiation may resolve extensionless paths
# before mod_rewrite runs — add -MultiViews here if the rules below misbehave.
Options -Indexes

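# Baseline security headers. The <IfModule> guard avoids a 500 on hosts without
# mod_headers, but it also means the headers silently disappear there — verify
# them in a real response after deployment.
<IfModule mod_headers.c>
  # "always" applies the header to error responses (4xx/5xx) too, not only 2xx.
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(), fullscreen=(self)"
  # Explicitly disable the legacy XSS auditor: modern browsers removed it and the
  # filter itself had known bypass/side-channel problems. "0" is the recommended
  # value; the CSP below is the real XSS control.
  Header always set X-XSS-Protection "0"
  # CSP: strict, but compatible with the CDNs in use.
  # frame-ancestors 'self' is the CSP counterpart of X-Frame-Options SAMEORIGIN
  # set above; CSP-aware browsers prefer it, so both are kept consistent.
  # Caveats a practitioner should weigh before relying on this policy:
  #   - style-src 'unsafe-inline' leaves style injection unblocked; move inline
  #     styles to files (or use nonces/hashes) to drop it.
  #   - img-src https: allows images from any HTTPS origin (e.g. tracking pixels).
  #   - frame-src data: blob: lets injected markup frame arbitrary data: documents;
  #     drop them unless the app really embeds such frames (e.g. PDF previews).
  #   - No report-uri/report-to, so violations are not observable server-side.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: https:; font-src 'self' https://cdnjs.cloudflare.com; connect-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://code.jquery.com; frame-src 'self' data: blob:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'"
</IfModule>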

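# Canonical URLs: redirect an explicit "/foo.php" request to "/foo".
# THE_REQUEST (not REQUEST_URI) is matched so this rule sees the URL the client
# actually sent and not the result of the internal rewrite further down;
# otherwise the two rule sets would loop.
RewriteCond %{THE_REQUEST} \s/+(.+?)\.php[\s?] [NC]
# Only redirect when the .php file really exists. Besides stopping the loop,
# this means the Location target is always derived from a real file under the
# document root, so a crafted request line cannot turn this into an open redirect.
RewriteCond %{REQUEST_FILENAME} -f
# /%1: an absolute path, so the rule behaves the same from a subdirectory
# .htaccess (THE_REQUEST always carries the full URI path); a relative
# substitution gets the per-directory prefix prepended and can double it.
# NE: THE_REQUEST is the raw, still-percent-encoded request line; without NE
# Apache escapes the substitution again and "%20" becomes "%2520" in Location.
RewriteRule ^ /%1 [R=301,L,NE]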

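# Hide the .php extension: /pages/users -> /pages/users.php (internal rewrite;
# the client keeps seeing the extensionless URL).
# Only rewrite when the target .php exists; that both stops repeated rewriting
# and lets unknown paths fall through to Apache's normal 404 handling.
# Security note: nothing becomes newly reachable — every file served this way
# is already reachable by its .php name — but a stray "config" or "db" script
# in the web root now answers to /config and /db as well. Keep non-entry-point
# PHP (config, includes, vendor) outside the document root.
# The former "^$ -> index.php" rule was dropped: guarded by "!-d" it could not
# match, because the empty path resolves to the directory itself, and
# DirectoryIndex already serves index.php for directory requests.
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.+)$ $1.php [L,QSA]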

# Force HTTPS (optional — enable once TLS is configured).
# NOTE(review): %{HTTP_HOST} copies the client's Host header into Location; on a
# default/catch-all vhost that lets a forged Host steer the redirect elsewhere
# (a classic cache-poisoning / open-redirect primitive). Prefer a fixed hostname,
# or %{SERVER_NAME} with UseCanonicalName On. Behind a TLS-terminating proxy
# %{HTTPS} stays "off" — test %{HTTP:X-Forwarded-Proto} there instead, and only
# trust that header when the proxy is the sole path to this server.
# Once HTTPS is enforced, consider HSTS on the HTTPS vhost only, e.g.
#   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# (after every subdomain serves TLS; the max-age is hard to walk back).
#RewriteCond %{HTTPS} !=on
#RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]