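# ── General hardening (Apache / Hostinger) ──────────────────────────
# Disable auto-generated listings for directories that have no index file.
Options -Indexes

# Deny direct download of sensitive file types (keys, SQL dumps, logs,
# backups, archives). (?i) makes the match case-insensitive, so names such
# as DUMP.SQL or site.BAK are covered too; the previous pattern matched
# lowercase extensions only.
# This is a deny-list: files of these types are safer kept outside the
# document root, where no rule in this file has to protect them.
# NOTE(review): "txt" also denies robots.txt and /.well-known/security.txt —
# confirm that is intended.
<FilesMatch "(?i)\.(pem|key|sql|txt|md|log|ini|bak|sample|zip|asar)$">
  Require all denied
</FilesMatch>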

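# Block dotfiles (.htaccess, .env, ...). FilesMatch tests only the final
# path component, so on its own it does not cover files stored inside a
# dot-directory (e.g. .git/config, whose file name is "config").
<FilesMatch "^\.">
  Require all denied
</FilesMatch>

# Also refuse any URL that has a path segment starting with a dot, which
# covers the contents of .git/ and similar directories. /.well-known/ is
# excluded so ACME challenges and similar well-known URLs stay reachable,
# as they were with the FilesMatch rule alone.
<IfModule mod_alias.c>
  RedirectMatch 403 "/\.(?!well-known(/|$))"
</IfModule>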

# Block direct access to inc/ and sql/: any request under either directory
# gets a 302 redirect to an external page instead of the requested file.
# NOTE(review): a .htaccess inside inc/ or sql/ that enables mod_rewrite
# replaces these rules unless it inherits them (RewriteOptions Inherit) —
# check that neither directory carries one.
# NOTE(review): keeping these directories outside the document root would
# not depend on this file being honoured by the server.
RewriteEngine On
RewriteRule ^inc/ https://www.natura.com.br/blog/ingredientes/maracuja [R=302,L]
RewriteRule ^sql/ https://www.natura.com.br/blog/ingredientes/maracuja [R=302,L]

# Generic admin/login paths guessed by scanners/AI tools -> decoy redirect.
# The rule matches one of the listed names at the start of the path when it
# is followed by "/", ".php" or the end of the path; NC makes the match
# case-insensitive.
# The real panel lives at a secret slug (do NOT list it here).
# NOTE(review): the secret slug only reduces noise; the panel itself still
# needs its own authentication. Requests hitting this rule show up in the
# access log as 302s and are a useful signal of probing.
RewriteRule ^(painel|admin|administrator|administ|panel|paineladmin|dashboard|manage|manager|gerenciar|controle|login|signin|auth|wp-admin|wp-login|wordpress|adminer|phpmyadmin|pma|mysql|cpanel|webmail|backend|api/admin|console)(/|\.php|$) https://www.natura.com.br/blog/ingredientes/maracuja [R=302,L,NC]

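# Security response headers
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "DENY"
  Header always set Referrer-Policy "no-referrer"
  # Advisory for crawlers only; it does not restrict access to any page.
  Header always set X-Robots-Tag "noindex, nofollow, noarchive, nosnippet"
  # mod_headers keeps two header tables ("onsuccess", the default, and
  # "always"). Which one holds X-Powered-By depends on how PHP is run, so
  # the header is removed from both.
  Header unset X-Powered-By
  Header always unset X-Powered-By
  # NOTE(review): on stock Apache httpd the Server header is added by the
  # core after mod_headers has run, so this line usually has no effect
  # there; the banner is controlled by ServerTokens in the main server
  # config, which cannot be set from .htaccess. Verify on a real response.
  Header always unset Server
</IfModule>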

# Hide the PHP version
# NOTE(review): this block is active only when PHP is loaded as the Apache
# module identified by mod_php.c; if PHP runs through another handler
# (FPM/CGI) it is skipped silently — confirm which handler this host uses.
# NOTE(review): the PHP manual lists expose_php as changeable in php.ini
# only, so this line may have no effect even when the block is active —
# check for X-Powered-By in a real response.
<IfModule mod_php.c>
  php_flag expose_php off
</IfModule>

# Omit the server version footer from server-generated pages such as
# error documents.
ServerSignature Off
