# Extra Security Headers
<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header always append X-Frame-Options SAMEORIGIN
        Header set X-Content-Type-Options nosniff
        Header unset X-Powered-By
</IfModule>
<IfModule mod_rewrite.c>

#RewriteEngine On
#RewriteCond %{HTTPS} off
#RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]


        RewriteEngine On
        RewriteBase /portal

        # Force to exclude the trailing slash
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_URI} (.*)/$
        RewriteRule ^(.+)/$ $1 [R=307,L]

        # Restrict php,json,lock files direct access
        RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.php[?\ ]
        RewriteRule \.php$ - [F]
        RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.json[?\ ]
        RewriteRule \.json$ - [F]
        RewriteCond %{THE_REQUEST} ^.+?\ [^?]+\.lock[?\ ]
        RewriteRule \.lock$ - [F]

        # Allow any files or directories that exist to be displayed directly
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d

        RewriteRule ^(.*)$ index.php?$1 [QSA,L]
    php_flag session.cookie_httponly on
    Options -Indexes
    Options -MultiViews

</IfModule>
