# Turn off automatic directory listings, so a directory without an index
# file does not reveal its contents.
# NOTE(review): if this is an .htaccess file, the server config must permit
# it (AllowOverride including Options); otherwise the directive is rejected.
Options -Indexes
# Enable mod_rewrite for the RewriteCond/RewriteRule directives in this file.
RewriteEngine On
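# ── Security Headers ──────────────────────────────────────
# These directives need mod_headers. "always" puts the header on error and
# redirect responses as well as successful ones.
# Stop browsers from MIME-sniffing a response away from its declared type.
Header always set X-Content-Type-Options "nosniff"
# Clickjacking defence: only pages from this origin may frame the site.
# NOTE(review): the CSP directive frame-ancestors 'self' is the current
# standard equivalent; consider sending it as well.
Header always set X-Frame-Options "SAMEORIGIN"
# The legacy browser XSS filter is switched off explicitly. Current browsers
# have removed it, and in older ones "1; mode=block" introduced problems of
# its own. Script-injection defence belongs in output encoding plus a
# Content-Security-Policy.
Header always set X-XSS-Protection "0"
# Cross-origin navigations receive only the origin, and nothing is sent on an
# HTTPS -> HTTP downgrade.
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# NOTE(review): no Content-Security-Policy or Strict-Transport-Security header
# is set in this file. Confirm whether they are configured elsewhere (for
# example at virtual-host level) before relying on the headers above alone.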
# ── Block direct access to sensitive files ────────────────
# NOTE(review): as shown, the three Order/Deny pairs below are identical and
# have no enclosing <Files> or <FilesMatch> section. At directory level,
# "Order allow,deny" followed by "Deny from all" with no Allow line rejects
# every request in this directory, not just the sensitive files. The heading
# suggests each pair was originally wrapped in a section naming the files to
# protect and that the wrappers were lost. Restore them before deploying,
# for example:
#   <FilesMatch "SENSITIVE_FILE_PATTERN_PLACEHOLDER"> ... </FilesMatch>
# NOTE(review): Order/Deny is Apache 2.2 syntax, which 2.4 supports only
# through mod_access_compat. The 2.4 form is "Require all denied". Avoid
# mixing the two styles in one scope.
Order allow,deny
Deny from all
Order allow,deny
Deny from all
Order allow,deny
Deny from all
# ── Redirect bare domain to /home ─────────────────────────
# ^$ matches an empty per-directory path, i.e. a request for the directory
# itself. This is the bare domain only if the file sits in the document root
# (presumably the case; confirm).
# R=301 sends a permanent external redirect, which browsers cache. L stops
# rule processing for this pass.
RewriteRule ^$ /home [R=301,L]
# ── Remove .html extension from URLs ──────────────────────
# Serve <path>.html for an extension-less request. This is an internal
# rewrite (no R flag), so the URL shown to the client does not change.
# Condition 1: the requested path is not an existing directory.
RewriteCond %{REQUEST_FILENAME} !-d
# Condition 2: a regular file named <path>.html exists.
RewriteCond %{REQUEST_FILENAME}.html -f
# The pattern accepts only paths that contain no dot. NC has no effect here,
# because the pattern contains no letters.
# NOTE(review): this rule runs before the PHP endpoint rules further down and
# ends with L, so an .html file named after one of those endpoints would be
# served instead of the PHP script.
RewriteRule ^([^\.]+)$ $1.html [NC,L]
# ── Redirect /page.html → /page (canonical) ───────────────
# THE_REQUEST is the raw request line sent by the client and is not changed
# by internal rewrites. Matching on it means only URLs the client actually
# requested with ".html" are redirected, which prevents a loop with the
# extension-less rewrite above.
# The pattern matches the method (3+ letters), one whitespace character, "/"
# and then a dot-free path, captured as %1, followed by ".html".
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/([^.]+)\.html [NC]
# Permanent external redirect to the captured path without the extension.
# NOTE(review): %1 comes from the raw request line, so it is client-supplied
# text placed in the redirect target. The [^.]+ class restricts it to
# dot-free paths. Confirm that percent-encoded characters round-trip as
# intended.
RewriteRule ^ /%1 [R=301,L]
# ── PHP endpoints ─────────────────────────────────────────
# Extension-less routes for the four PHP handlers. The alternation is an
# exact, case-sensitive allow-list: only these names map to "<name>.php".
# This is an internal rewrite (no R flag), so the client-visible URL is
# unchanged. L ends rule processing for this pass.
# NOTE(review): this rule only routes. Authentication, HTTP-method and input
# checks for checkout/deliver/stock/coupon are not visible in this file, so
# confirm that the PHP scripts enforce them. As far as this file shows,
# the "<name>.php" paths can also be requested directly.
RewriteRule ^(checkout|deliver|stock|coupon)$ $1.php [L]