#
# Apache/PHP/FlightPath settings:
# (Inspired by the .htaccess file which ships with Drupal 6.x)
#

# We want to clear any existing X-Frame-Options (like "DENY") which may have been
# set in another config file by the web server.  We will be setting this to "SAMEORIGIN"
# in code, in index.php.
Header always unset X-Frame-Options

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|module|profile|enc|test|sh|.*sql|theme|tpl(\.php)?|xtmpl|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format)$">
  # Apache 2.4 now gives a 500 error if you try to use "Order", so we need
  # to do this if statement to check if its allowed or not.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
  # There is no end quote below, for compatibility with Apache 1.3.
  ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>
 
# Set the default handler.
DirectoryIndex index.php

# Override PHP settings. More in sites/default/settings.php
# but the following cannot be changed at runtime.

# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600
  
</IfModule>

# Add headers to all responses.
<IfModule mod_headers.c>  
  # Make cookies a bit more secure
  ## Header edit Set-Cookie ^(.*)$ $1;SameSite=strict
  # Commenting-out because this caused us to not be able to provide links
  # in emails for users who are already logged in.
  
  # Disable content sniffing, since it's an attack vector.
  Header always set X-Content-Type-Options nosniff  
  
  # Disable Proxy header, since it's an attack vector.
  RequestHeader unset Proxy   
</IfModule>


# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

#######################################
######################################  
  
  # Modify the RewriteBase if you are using FlightPath in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/flightpath uncomment and
  # modify the following line:
  # RewriteBase /flightpath
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /
  
  # Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
</IfModule>
