# Security response headers. The whole block is skipped when mod_headers is
# not loaded, so the site then serves with NONE of these protections; check
# the emitted headers after deployment rather than assuming they are present.
# "Header always set" puts each header in the "always" table, so it is also
# sent on error responses and on the redirects issued by the rewrite rules.
<IfModule mod_headers.c>

  # Clickjacking protection: only same-origin pages may frame this site.
  # Kept for older browsers; the CSP frame-ancestors 'self' below is the
  # modern equivalent and the two values agree.
  Header always set X-Frame-Options "SAMEORIGIN"

  # Stop browsers from MIME-sniffing a response into a different content type
  # than the one declared in Content-Type.
  Header always set X-Content-Type-Options "nosniff"

  # HSTS – ONLY on HTTPS sites. Preload only if you intend to submit the domain.
  # Remove "; includeSubDomains; preload" if not desired.
  # max-age is one year. includeSubDomains applies to every subdomain of the
  # host that sends the header, so all of them must serve valid HTTPS.
  # env=HTTPS emits the header only when the HTTPS environment variable is set.
  # NOTE(review): if TLS is terminated by a proxy/CDN in front of Apache the
  # variable may be absent and the header silently not sent; confirm.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

  # Referrer policy: full URL to same-origin requests, origin only to
  # cross-origin HTTPS requests, nothing on an HTTPS -> HTTP downgrade.
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # Permissions-Policy (tighten/loosen per need)
  # "()" disables a feature for every origin; "(self)" allows it for this
  # origin only. Here camera and fullscreen stay available to the site itself.
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(self), usb=(), payment=(), fullscreen=(self)"

  # Cross-origin isolation trio (required for features like SharedArrayBuffer).
  # WARNING: COEP requires all embedded cross-origin resources to grant permission.
  # NOTE(review): the CSP below allows scripts, styles and fonts from
  # third-party hosts. Under require-corp each of those responses must carry a
  # suitable Cross-Origin-Resource-Policy or be fetched with CORS, otherwise
  # the browser blocks it. Verify every external asset still loads.
  Header always set Cross-Origin-Opener-Policy "same-origin"
  # If you embed third-party resources and can’t control their headers, consider:
  # Header always set Cross-Origin-Embedder-Policy "credentialless"
  Header always set Cross-Origin-Embedder-Policy "require-corp"
  # CORP same-origin: other origins cannot embed resources served from here
  # via no-cors requests (e.g. hotlinked images or scripts).
  Header always set Cross-Origin-Resource-Policy "same-origin"

  # Content Security Policy (customize for your assets/CDNs)
  # Replace example CDNs with what your app actually uses.
  # Known weak points of the policy as written (review before relying on it):
  #  - script-src 'unsafe-inline' permits inline <script> and event-handler
  #    attributes, so the policy does not mitigate injected inline script.
  #    Prefer nonces or hashes and drop 'unsafe-inline'.
  #  - https://cdn.jsdelivr.net and https://unpkg.com are whole-origin
  #    allowances for hosts that serve arbitrary published packages. Narrow
  #    them to the exact paths in use and pair with Subresource Integrity.
  #  - connect-src 'self' https: wss: and img-src https: accept any HTTPS/WSS
  #    host, so they place no real limit on where page code can send requests.
  #  - style-src 'unsafe-inline' likewise allows injected inline styles.
  # The value is one quoted string joined by trailing backslashes; do not put
  # comment lines inside it.
  Header always set Content-Security-Policy "\
    default-src 'self'; \
    base-uri 'self'; \
    object-src 'none'; \
    frame-ancestors 'self'; \
    form-action 'self'; \
    script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://unpkg.com; \
    style-src  'self' 'unsafe-inline' https://fonts.googleapis.com; \
    img-src    'self' data: https:; \
    font-src   'self' https://fonts.gstatic.com data:; \
    connect-src 'self' https: wss:; \
    upgrade-insecure-requests"

</IfModule>
# Rewrite rules (mod_rewrite)
# Rules are evaluated top to bottom. Each RewriteCond applies only to the
# RewriteRule that follows it. [NC] makes the host match case-insensitive,
# [R=301] sends a permanent redirect (cached by browsers, so mistakes are
# slow to undo) and [L] stops processing for the request.
# Every redirect target below is a fixed URL; the client-supplied Host header
# is only matched against, never copied into a Location value.
# NOTE(review): unlike the header block, these directives are not wrapped in
# <IfModule mod_rewrite.c>; if the module is missing they fail as unknown
# directives instead of being skipped. Confirm that is intended.
RewriteEngine On
RewriteBase /

# Redirect book.lactose.help to the Linktree page
# (the Amazon URL is kept commented out below the rule).
# For rules whose target has no "?", the request's query string is passed
# through to the external site; add the QSD flag if it should be dropped.
RewriteCond %{HTTP_HOST} ^book\.lactose\.help$ [NC]
RewriteRule ^ https://linktr.ee/lactose.help [R=301,L]
# https://www.amazon.fr/dp/B0CX8LP1RC?lactosehelp-fr-21 [R=301,L]

# Redirect ios.lactose.help to the App Store listing
RewriteCond %{HTTP_HOST} ^ios\.lactose\.help$ [NC]
RewriteRule ^ https://apps.apple.com/be/app/lactose-help/id6756715229 [R=301,L]

# Redirect android.lactose.help to Google Play Store
# The target carries its own query string, which replaces the request's.
RewriteCond %{HTTP_HOST} ^android\.lactose\.help$ [NC]
RewriteRule ^ https://play.google.com/store/apps/details?id=help.lactose.app [R=301,L]

# Redirect defi.lactose.help to the Payhip page
RewriteCond %{HTTP_HOST} ^defi\.lactose\.help$ [NC]
RewriteRule ^ https://payhip.com/b/j0FzS [R=301,L]

# Redirect whatsapppro.lactose.help to a WhatsApp group invite link
RewriteCond %{HTTP_HOST} ^whatsapppro\.lactose\.help$ [NC]
RewriteRule ^ https://chat.whatsapp.com/IPi20FFLeddDkHjqVkiY3S [R=301,L]

# Redirect whatsapphealth.lactose.help to a WhatsApp group invite link
RewriteCond %{HTTP_HOST} ^whatsapphealth\.lactose\.help$ [NC]
RewriteRule ^ https://chat.whatsapp.com/Fes3NhipADM43GkzqR20QX [R=301,L]

# Redirect the bare domain lactose.help to www
# NOTE(review): the target has no path, so a deep link on the bare domain
# lands on the www home page; confirm that is intended.
RewriteCond %{HTTP_HOST} ^lactose\.help$ [NC]
RewriteRule ^ https://www.lactose.help [R=301,L]

# Don't rewrite files or directories that exist
# Reached for any host not matched above; "-" means no substitution.
# NOTE(review): nothing in this file upgrades plain-HTTP requests for
# existing files to HTTPS, and HSTS is only sent over HTTPS. Confirm the
# HTTP -> HTTPS redirect is handled elsewhere.
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]

# Rewrite everything else to www.lactose.help
# Catch-all with no host condition; the original path is appended.
# NOTE(review): if www.lactose.help is served from this same directory, a
# request there for a path that does not exist is redirected to itself and
# loops. Confirm www is hosted elsewhere or add a condition excluding it.
RewriteRule ^ https://www.lactose.help%{REQUEST_URI} [R=301,L]