# ── Force HTTPS ──────────────────────────────────────────
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ── Remove trailing slashes (except root) ────────────────
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]

# ── Custom 404 ───────────────────────────────────────────
ErrorDocument 404 /404.html

# ── Security headers ─────────────────────────────────────
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

# ── Cache static assets ──────────────────────────────────
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/html              "access plus 1 hour"
  ExpiresByType text/css               "access plus 1 year"
  ExpiresByType application/javascript "access plus 1 year"
  ExpiresByType image/png              "access plus 1 year"
  ExpiresByType image/jpeg             "access plus 1 year"
  ExpiresByType image/x-icon           "access plus 1 year"
  ExpiresByType image/svg+xml          "access plus 1 year"
</IfModule>

# ── Gzip compression ─────────────────────────────────────
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css application/javascript
</IfModule>
