# HTTPS erzwingen
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Wenn NICHT HTTPS, dann umleiten
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    
    # Alternative für bestimmte Proxy-Setups (z.B. Cloudflare)
    # RewriteCond %{HTTP:X-Forwarded-Proto} !https
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Zusätzliche Sicherheits-Headers
<IfModule mod_headers.c>
    # HSTS: Browser merkt sich, dass diese Seite NUR über HTTPS erreichbar ist
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    
    # X-Frame-Options: Verhindert Clickjacking
    Header always set X-Frame-Options "DENY"
    
    # X-Content-Type-Options: Verhindert MIME-Sniffing
    Header always set X-Content-Type-Options "nosniff"
    
    # X-XSS-Protection: XSS-Filter aktivieren
    Header always set X-XSS-Protection "1; mode=block"
    
    # Referrer-Policy: Kontrolliere Referrer-Informationen
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>

# PHP-Sicherheitseinstellungen (optional hier, besser in php.ini)
<IfModule mod_php.c>
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php/ftpclient_errors.log
</IfModule>