# ── Prevent directory listing ──
Options -Indexes
# ── Set index file ──
DirectoryIndex index.php
# ── Enable rewrite engine ──
RewriteEngine On
# ── Force HTTPS (uncomment if your host supports it) ──
# RewriteCond %{HTTPS} off
# RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# ── Protect sensitive files from direct access ──
Order Allow,Deny
Deny from all
# ── Block direct access to the data/ directory ───────────────────
# (files must be served through download.php)
RewriteEngine On
RewriteRule ^data/(.*)$ - [F,L]
# ── PHP settings for uploads ──────────────────────────────────────
php_value upload_max_filesize 512M
php_value post_max_size 520M
php_value max_execution_time 300
php_value max_input_time 300
php_value memory_limit 256M
# Prevent uploaded files from being interpreted as PHP
php_flag engine Off
php_value upload_max_filesize 512M
php_value post_max_size 520M
php_value max_execution_time 300
php_value max_input_time 300
php_value memory_limit 256M
php_flag engine Off
# ── Detect embed mode from the query string ───────────────────────
# Sets the EMBED_MODE env var when ?embed=1 is present.
# Used below to suppress X-Frame-Options so cross-origin iframes work.
SetEnvIf Query_String "embed=1" EMBED_MODE
# ── Security headers ──────────────────────────────────────────────
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "same-origin"
# X-Frame-Options — handled conditionally:
# 1. Always unset first (strips any header the server/host injects)
# 2. Re-apply SAMEORIGIN only when NOT in embed mode
# Embed mode (?embed=1) intentionally omits the header so that
# cross-origin sites (e.g. WordOfGod.in) can frame the page.
Header always unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN" env=!EMBED_MODE
Header always set Content-Security-Policy: upgrade-insecure-requests
## 🤖 Fine-Tuned Bot Blocking ##
# 1. Block known bad bots only (empty UA check removed — causes false positives)
# RewriteCond %{HTTP_USER_AGENT} (curl|python-requests|wget|libwww-perl|MJ12bot|AhrefsBot|SemrushBot|GPTBot|ClaudeBot) [NC]
# RewriteRule .* - [F,L]
ErrorDocument 403 /cgi-sys/403_def.html
ErrorDocument 404 /cgi-sys/404_def.html
ErrorDocument 500 /cgi-sys/500_def.html
ErrorDocument 502 /cgi-sys/502_def.html
ErrorDocument 503 /cgi-sys/503_def.html
ErrorDocument 504 /cgi-sys/504_def.html
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php82” package as the default “PHP” programming language.
AddHandler application/x-httpd-ea-php82___lsphp .php .php8 .phtml
# php -- END cPanel-generated handler, do not edit
# ── PHP settings (if allowed by host) ──
php_flag display_errors Off
# ── Cache static assets ──
ExpiresActive On
ExpiresByType text/css "access plus 7 days"
ExpiresByType application/javascript "access plus 7 days"
ExpiresByType image/png "access plus 30 days"
ExpiresByType image/jpeg "access plus 30 days"
ExpiresByType application/manifest+json "access plus 1 day"