# Tunnel SaaS Server
Options -Indexes -MultiViews
DirectoryIndex render.php index.php

# Lindungi file internal
<FilesMatch "^(saas_config\.php|saas_access\.log|config\.php|list\.txt|seeds\.txt|keyword_update\.log|geo\.php)$">
    Require all denied
</FilesMatch>

# Lindungi cache & log
<IfModule mod_rewrite.c>
    RewriteEngine On

    # /sitemap.xml -> sitemap.php (dynamic XML)
    RewriteRule ^sitemap\.xml$ sitemap.php [L,NC]

    # /robots.txt -> robots.php (host-aware)
    RewriteRule ^robots\.txt$ robots.php [L,NC]

    # /img/{brand}.png -> img.php?brand={brand}
    RewriteRule ^img/([A-Za-z0-9_-]+)\.png$ img.php?brand=$1 [L,NC]

    # Halaman statis tanpa .php
    RewriteRule ^about/?$    about.php   [L,NC]
    RewriteRule ^contact/?$  contact.php [L,NC]
    RewriteRule ^privacy/?$  privacy.php [L,NC]

    # Pagination
    RewriteRule ^page/([0-9]+)/?$ index.php?page=$1 [L,NC,QSA]

    # /amp/{brand} -> amp/index.php (folder AMP punya .htaccess sendiri)

    # Brand pages: /brandname -> index.php?main=brandname
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([A-Za-z0-9_-]+)/?$ index.php?main=$1 [L,NC,QSA]
</IfModule>

# Cache statis
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/png "access plus 30 days"
</IfModule>

# Header keamanan
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
    Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
