DirectoryIndex index.php index.html

# SIGS · Reglas raíz (Apache / Bluehost)

Options -Indexes

# Forzar HTTPS (tienes SSL activo)
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Bloquear archivos ocultos y sensibles
<FilesMatch "(^\.|\.(env|ini|log|sql|md|sh|bak)$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Cabeceras de seguridad
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# Tipos MIME necesarios para PWA
AddType application/manifest+json .json
AddType text/javascript .js

# Service Worker: sin caché para sw.js (siempre se debe cargar fresco)
<Files "sw.js">
  Header set Cache-Control "no-cache, no-store, must-revalidate"
  Header set Pragma "no-cache"
</Files>

# Cache largo para los iconos
<FilesMatch "\.(png|jpg|jpeg|gif|ico|svg)$">
  Header set Cache-Control "max-age=604800, public"
</FilesMatch>