# START WordPress
<IfModule mod_rewrite.c>
RewriteEngine On

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<IfModule mod_headers.c>
# فقط وقتی HTTPS هست، HSTS فعال بشه
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

Header set X-XSS-Protection "1; mode=block"
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; connect-src 'self'; font-src 'self'; img-src 'self' data:;"
#Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self';"
#Header set Content-Security-Policy "frame-ancestors 'none'; script-src 'self';"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"

<FilesMatch "mdb_compiled\.min\.(js|css)$">
Header set Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>

</IfModule>

# END WordPress


# غیرفعال کردن XML-RPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

# جلوگیری از لیست شدن دایرکتوری‌ها
Options -Indexes

# جلوگیری از دسترسی به فایل‌های حساس
<FilesMatch "(\.htaccess|\.htpasswd|wp-config\.php|php\.ini|readme\.html|license\.txt)">
Order Allow,Deny
Deny from all
</FilesMatch>

# جلوگیری از کش شدن صفحات حساس
<IfModule mod_headers.c>
    <FilesMatch "\.(php|html|htm)$">
        Header set Cache-Control "no-store, no-cache, must-revalidate"
        Header set Pragma "no-cache"
    </FilesMatch>
</IfModule>
