# ===== Sekat eksekusi skrip =====
Options -ExecCGI
AddType text/plain .php .php3 .php4 .php5 .phtml .phar
<FilesMatch "\.(php|php[0-9]?|phtml|phar)$">
  Require all denied
</FilesMatch>

# ===== Lindungi fail .ht* =====
<Files ~ "^\.ht">
  Require all denied
</Files>

# ===== Matikan directory listing =====
Options -Indexes

# ===== Cache asas media =====
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/png  "access plus 7 days"
  ExpiresByType image/jpeg "access plus 7 days"
  ExpiresByType video/mp4  "access plus 7 days"
  ExpiresByType video/webm "access plus 7 days"
</IfModule>

# ===== Header keselamatan asas =====
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set Referrer-Policy "no-referrer-when-downgrade"
  Header set Content-Security-Policy "default-src 'self'; media-src 'self' data: blob:; img-src 'self' data: blob:; object-src 'none'"
</IfModule>
