# ── ZENTRA ROYAL CROWN ── .htaccess ──
# Directory requests are answered with index.php; a directory without an index
# file returns an error instead of an auto-generated file listing.
DirectoryIndex index.php
Options -Indexes

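# Security headers
<IfModule mod_headers.c>
    # Keep browsers from MIME-sniffing a response away from its declared Content-Type.
    Header set X-Content-Type-Options "nosniff"
    # Clickjacking defence: only pages from this origin may frame the site.
    # Content-Security-Policy "frame-ancestors 'self'" is the current equivalent.
    Header set X-Frame-Options "SAMEORIGIN"
    # The legacy XSS auditor has been removed from current browsers, and in the
    # older ones that still honour this header the filter has itself been a
    # source of vulnerabilities, so it is switched off explicitly. XSS defence
    # belongs in output encoding plus a Content-Security-Policy.
    Header set X-XSS-Protection "0"
</IfModule>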

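# Optional hardening for generate.php: refuse requests that carry neither a
# same-host Referer nor an "X-Requested-With: XMLHttpRequest" header.
# Both headers are chosen by the client, so this only discourages casual direct
# browsing and hot-linking. It is not access control: anything generate.php
# does that needs protecting still requires a server-side check (session and
# CSRF token) in the PHP code itself.
# The rules sit at directory level and match on the file name, because
# mod_rewrite directives inside <Files> sections are unsupported by Apache.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # A CondPattern is a plain regex and does not expand %{HTTP_HOST}; the
    # original pattern therefore never matched and the Referer test was always
    # true. Host and Referer are joined in the test string and compared with a
    # back-reference instead.
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/ [NC]
    # Conditions are ANDed: a request is refused only when BOTH checks fail.
    # NOTE(review): fetch() does not send X-Requested-With by default, and
    # privacy settings can strip Referer - confirm the front end before enforcing.
    RewriteCond %{HTTP_X_REQUESTED_WITH} !XMLHttpRequest [NC]
    # Disabled by default. Uncomment the next line to enforce (answers 403).
    # RewriteRule ^generate\.php$ - [F]
</IfModule>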

# Gzip compression for text-based responses, one MIME type per line.
# NOTE(review): compressing a response that mixes a secret (for example a CSRF
# token) with request-influenced content exposes it to BREACH-style length
# analysis over HTTPS - confirm that no HTML/JSON response here does that.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/json
</IfModule>

# Browser caching for static assets. Only CSS and JavaScript are covered here;
# no font MIME type is listed. Lifetimes are counted from the time of the
# client's request ("access").
<IfModule mod_expires.c>
    ExpiresActive On
    # Scripts: 1 day.
    ExpiresByType application/javascript "access plus 1 day"
    # Stylesheets: 7 days.
    ExpiresByType text/css "access plus 7 days"
</IfModule>
