Options -Indexes

# Clean URLs — serve index.php for directory requests
DirectoryIndex index.php index.html

# Remove .php extension from URLs
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

# Force HTTPS
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Redirect old WordPress blog posts to /how-it-works/ (SEO: preserve link equity)
RewriteRule ^blog/?.*$ /how-it-works/ [R=301,L]
RewriteRule ^posts/?.*$ /how-it-works/ [R=301,L]
RewriteRule ^\d{4}/\d{2}/.*$ /how-it-works/ [R=301,L]

# Redirect old WP pages if needed
RewriteRule ^about-us/?$ /about/ [R=301,L]
RewriteRule ^contact-us/?$ /contact/ [R=301,L]

# Security headers
<IfModule mod_headers.c>
  Header set X-Content-Type-Options "nosniff"
  Header set X-Frame-Options "SAMEORIGIN"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Cache static assets
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpg "access plus 1 year"
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
</IfModule>
