diff --git a/.htaccess b/.htaccess
index 79d840b..9b487d4 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,291 +1,29 @@
# AI Tools Usage Report System - Apache Configuration
-# Security, Performance, and Routing Rules
# ============================================
-# SECURITY HEADERS
+# DISABLE DIRECTORY BROWSING
# ============================================
-
- # Prevent clickjacking attacks
- Header always set X-Frame-Options "SAMEORIGIN"
-
- # Prevent MIME type sniffing
- Header always set X-Content-Type-Options "nosniff"
-
- # Enable XSS protection
- Header always set X-XSS-Protection "1; mode=block"
-
- # Referrer policy
- Header always set Referrer-Policy "strict-origin-when-cross-origin"
-
- # Content Security Policy (adjust as needed)
- Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; connect-src 'self';"
-
- # Remove server signature
- Header unset Server
- Header unset X-Powered-By
-
+Options -Indexes
# ============================================
-# FORCE HTTPS (Uncomment for production)
+# DEFAULT DOCUMENT
# ============================================
-#
-# RewriteEngine On
-# RewriteCond %{HTTPS} off
-# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-#
+DirectoryIndex report.php index.php index.html
# ============================================
-# PROTECT SENSITIVE FILES
+# PROTECT .ENV FILES
# ============================================
-# Deny access to .env files
Require all denied
-# Deny access to .git directory
+# ============================================
+# PROTECT .GIT DIRECTORY
+# ============================================
+
Require all denied
-
-# Deny access to composer files
-
- Require all denied
-
-
-# Deny access to Python files (except via PHP execution)
-
- Require all denied
-
-
-# Deny access to configuration files
-
- Require all denied
-
-
-# Deny access to log files
-
- Require all denied
-
-
-# Deny access to backup files
-
- Require all denied
-
-
-# Protect webhook response data (allow only from server)
-
- Require all denied
-
-
-# Protect requirements.txt
-
- Require all denied
-
-
-# Protect systemd service files
-
- Require all denied
-
-
-# Protect shell scripts
-
- Require all denied
-
-
-# Protect markdown documentation (optional - comment out if you want docs accessible)
-
- Require all denied
-
-
-# ============================================
-# DIRECTORY BROWSING
-# ============================================
-
-# Disable directory browsing
-Options -Indexes
-
-# Default document
-DirectoryIndex report.php index.php index.html
-
-# ============================================
-# PHP SETTINGS
-# ============================================
-
-
- # Hide PHP version
- php_flag display_errors Off
- php_flag log_errors On
- php_value error_log logs/php_error.log
-
- # Security settings
- php_flag expose_php Off
- php_flag allow_url_fopen On
- php_flag allow_url_include Off
-
- # Session settings
- php_value session.cookie_httponly 1
- php_value session.cookie_secure 0
- php_value session.use_strict_mode 1
- php_value session.cookie_samesite Lax
-
- # Upload limits (adjust as needed)
- php_value upload_max_filesize 10M
- php_value post_max_size 10M
- php_value max_execution_time 300
- php_value max_input_time 300
- php_value memory_limit 256M
-
-
-# ============================================
-# URL REWRITING
-# ============================================
-
-
- RewriteEngine On
- RewriteBase /
-
- # Remove trailing slash (optional)
- RewriteCond %{REQUEST_FILENAME} !-d
- RewriteCond %{REQUEST_URI} (.+)/$
- RewriteRule ^ %1 [L,R=301]
-
- # Redirect root to report page
- RewriteRule ^$ report.php [L]
-
- # Clean URLs for main pages (optional - uncomment if desired)
- # RewriteRule ^report$ report.php [L]
- # RewriteRule ^fetch$ webhook_caller.php [L]
- # RewriteRule ^auth$ auth.php [L]
-
- # Prevent access to internal PHP files
- RewriteRule ^(AuthMiddleware|JWTValidator)\.php$ - [F,L]
-
-
-# ============================================
-# COMPRESSION
-# ============================================
-
-
- # Compress HTML, CSS, JavaScript, Text, XML and fonts
- AddOutputFilterByType DEFLATE application/javascript
- AddOutputFilterByType DEFLATE application/json
- AddOutputFilterByType DEFLATE application/x-javascript
- AddOutputFilterByType DEFLATE application/xhtml+xml
- AddOutputFilterByType DEFLATE application/xml
- AddOutputFilterByType DEFLATE font/opentype
- AddOutputFilterByType DEFLATE font/otf
- AddOutputFilterByType DEFLATE font/ttf
- AddOutputFilterByType DEFLATE image/svg+xml
- AddOutputFilterByType DEFLATE image/x-icon
- AddOutputFilterByType DEFLATE text/css
- AddOutputFilterByType DEFLATE text/html
- AddOutputFilterByType DEFLATE text/javascript
- AddOutputFilterByType DEFLATE text/plain
- AddOutputFilterByType DEFLATE text/xml
-
- # Remove browser bugs (old browsers)
- BrowserMatch ^Mozilla/4 gzip-only-text/html
- BrowserMatch ^Mozilla/4\.0[678] no-gzip
- BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
- Header append Vary User-Agent
-
-
-# ============================================
-# CACHING
-# ============================================
-
-
- ExpiresActive On
- ExpiresDefault "access plus 1 month"
-
- # HTML - no cache
- ExpiresByType text/html "access plus 0 seconds"
-
- # CSS and JavaScript
- ExpiresByType text/css "access plus 1 year"
- ExpiresByType application/javascript "access plus 1 year"
- ExpiresByType text/javascript "access plus 1 year"
-
- # Images
- ExpiresByType image/gif "access plus 1 month"
- ExpiresByType image/jpeg "access plus 1 month"
- ExpiresByType image/png "access plus 1 month"
- ExpiresByType image/svg+xml "access plus 1 month"
- ExpiresByType image/x-icon "access plus 1 year"
-
- # Fonts
- ExpiresByType font/ttf "access plus 1 year"
- ExpiresByType font/otf "access plus 1 year"
- ExpiresByType font/woff "access plus 1 year"
- ExpiresByType font/woff2 "access plus 1 year"
-
- # JSON
- ExpiresByType application/json "access plus 0 seconds"
-
-
-# Cache-Control Headers
-
- # No cache for PHP files
-
- Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
- Header set Pragma "no-cache"
-
-
- # Cache static assets
-
- Header set Cache-Control "public, max-age=31536000, immutable"
-
-
-
-# ============================================
-# ERROR DOCUMENTS (Optional)
-# ============================================
-
-# Custom error pages (create these files if you want custom error pages)
-# ErrorDocument 400 /error.php?code=400
-# ErrorDocument 401 /error.php?code=401
-# ErrorDocument 403 /error.php?code=403
-# ErrorDocument 404 /error.php?code=404
-# ErrorDocument 500 /error.php?code=500
-
-# ============================================
-# CORS (Cross-Origin Resource Sharing)
-# ============================================
-
-# Only if you need CORS for API endpoints (uncomment if needed)
-#
-# Header set Access-Control-Allow-Origin "*"
-# Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
-# Header set Access-Control-Allow-Headers "Content-Type, Authorization"
-#
-
-# ============================================
-# RATE LIMITING (if mod_ratelimit is available)
-# ============================================
-
-#
-# # Limit to 400 KB/s per connection (adjust as needed)
-# SetOutputFilter RATE_LIMIT
-# SetEnv rate-limit 400
-#
-
-# ============================================
-# ETAG REMOVAL (Optional - for better caching)
-# ============================================
-
-#
-# Header unset ETag
-#
-# FileETag None
-
-# ============================================
-# CHARACTER ENCODING
-# ============================================
-
-AddDefaultCharset UTF-8
-
- AddCharset UTF-8 .html .css .js .json .xml .txt
-
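Review bot: The new file keeps deny rules only for `.env` and `.git`, so the removed blocks that denied access to log files, configuration and backup files, Python scripts and the webhook response data no longer apply, and any such file under the document root becomes directly requestable. The README names `webhook_response.json` as one of them, so at minimum I would keep `<Files "webhook_response.json">`, `Require all denied`, `</Files>` and an equivalent block for logs, or move those files outside the web root. The rule that returned 403 for `AuthMiddleware.php` and `JWTValidator.php`, the `display_errors Off`, `session.cookie_httponly` and `session.use_strict_mode` settings, and the security headers are dropped as well, so confirm they are set in the vhost or PHP configuration before merging. As rendered here, the two remaining `Require all denied` lines show no enclosing `<Files>`/`<FilesMatch>` container. If the file really reads that way, the directive would apply to the whole directory, so check that the containers are present and match the intended paths.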
diff --git a/README.md b/README.md
index 166e33d..50b53e9 100644
--- a/README.md
+++ b/README.md
@@ -415,35 +415,12 @@ If you don't add the tool, it will still be tracked and displayed with its raw n
- **HTTPS**: Strongly recommended for production (force HTTPS in .htaccess)
### Apache Security (.htaccess)
-The included `.htaccess` file provides comprehensive security:
+The included `.htaccess` file provides basic security:
-**File Protection:**
-- Blocks access to `.env`, `.git`, configuration files
-- Protects Python scripts, logs, and backup files
-- Denies access to `webhook_response.json`
-- Blocks composer and requirements files
-
-**Security Headers:**
-- X-Frame-Options: Prevents clickjacking
-- X-Content-Type-Options: Prevents MIME sniffing
-- X-XSS-Protection: Enables XSS filtering
-- Content-Security-Policy: Restricts resource loading
-- Referrer-Policy: Controls referrer information
-
-**Additional Features:**
-- Gzip compression for faster page loads
-- Browser caching for static assets
-- PHP security settings (expose_php off, etc.)
-- Optional HTTPS enforcement (uncomment to enable)
-- Directory browsing disabled
-
-**To Enable HTTPS Redirect:**
-Edit `.htaccess` and uncomment these lines:
-```apache
-RewriteEngine On
-RewriteCond %{HTTPS} off
-RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
-```
+- **Directory Browsing Disabled**: Prevents listing of files
+- **Default Document**: Sets `report.php` as the default page
+- **Environment File Protection**: Blocks access to `.env` files
+- **Git Directory Protection**: Blocks access to `.git` directory
## License