# Enforce HTTPS (only if the server already has SSL/TLS configured).
# Any request where %{HTTPS} is not "on" is answered with a permanent (301)
# redirect to the same host and URI over https://.
# NOTE(review): if TLS is terminated on a proxy or load balancer in front of
# Apache, %{HTTPS} may never be "on" here and this rule could loop; confirm
# against the actual deployment.
# NOTE(review): the redirect target is built from the client-supplied Host
# header (%{HTTP_HOST}); consider a fixed canonical hostname, or make sure the
# virtual host only answers for the expected names.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Allow the Service Worker to control the /pwa-demo-menu/ scope.
# Service-Worker-Allowed raises the maximum scope a worker script may register
# for; only the response that serves the worker script needs to carry it.
# NOTE(review): as written the header is added to every successful response
# covered by this file; consider limiting it to the worker script (for example
# with a <Files> block) so the wider scope is granted only where intended.
Header set Service-Worker-Allowed "/pwa-demo-menu/"

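# Recommended security headers ("always" also covers error and redirect responses).
# Stop browsers from MIME-sniffing a response into a different content type.
Header always set X-Content-Type-Options "nosniff"
# Only same-origin pages may frame this site (clickjacking defence).
Header always set X-Frame-Options "SAMEORIGIN"
# Same-origin requests keep the full referrer; cross-origin requests receive the
# origin only, so paths and query strings are not disclosed to third parties.
# (The previous value, no-referrer-when-downgrade, sent the full URL to any
# HTTPS destination.)
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# HSTS is only honoured over TLS and should not be sent on plain-HTTP
# responses, so it is limited to HTTPS requests (expr= needs Apache 2.4).
# NOTE(review): includeSubDomains applies to every subdomain of this host and
# preload opts in to browser preload lists, which is slow to undo; confirm that
# every subdomain serves HTTPS before keeping both.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"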

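# Content Security Policy: all resource types are limited to this origin, with
# data: URIs additionally allowed for images and inline styles allowed for CSS.
# "always" puts the policy on error responses too, like the other security
# headers in this file.
# base-uri and frame-ancestors do not fall back to default-src, so they are set
# explicitly; frame-ancestors 'self' mirrors X-Frame-Options SAMEORIGIN.
# NOTE(review): style-src 'unsafe-inline' lets injected inline styles run; move
# to hashes or nonces if the pages allow it. form-action does not inherit
# default-src either; add it if the site has forms.
Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self'; manifest-src 'self'; worker-src 'self'; connect-src 'self'; base-uri 'self'; frame-ancestors 'self'"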

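# Basic compression and caching.
# Compression is an optional optimisation, so it is guarded the same way as
# mod_expires below: a server without mod_deflate skips it rather than
# rejecting this file.
# NOTE(review): on Apache 2.4 AddOutputFilterByType is provided by mod_filter;
# confirm that module is loaded as well.
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
</IfModule>
# Expiry is given in seconds after access ("A"): HTML 1 minute, CSS and
# JavaScript 7 days, PNG 1 year, JSON 1 hour.
# NOTE(review): CSS/JS cached for 7 days under unversioned file names delays
# delivery of fixes, including security fixes; confirm assets are fingerprinted
# or that the service worker's update path covers this.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/html A60
  ExpiresByType text/css A604800
  ExpiresByType application/javascript A604800
  ExpiresByType image/png A31536000
  ExpiresByType application/json A3600
</IfModule>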
