# public_html/.htaccess

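# 1. Security Headers
# `Header always set` applies to error responses (403/404/500) as well as 2xx;
# plain `Header set` only touches successful responses, so error pages would
# otherwise be served without these headers.
<IfModule mod_headers.c>
    # Stop browsers MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Clickjacking: only pages from this origin may frame the site.
    Header always set X-Frame-Options "SAMEORIGIN"
    # The XSS auditor has been removed from current browsers, and "1; mode=block"
    # enabled cross-site information leaks in the legacy engines that still honour
    # it; "0" explicitly disables the filter (a Content-Security-Policy is the
    # actual mitigation and is not set in this file).
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # HSTS is sent only on TLS responses: the HTTPS env var is set by mod_ssl.
    # Behind a TLS-terminating proxy it is NOT set and the header never goes out —
    # confirm the deployment before relying on it. includeSubDomains commits every
    # subdomain to HTTPS for a year; make sure they all serve TLS first.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>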

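# 2. Block Sensitive Files
# <FilesMatch> is tested against the basename of the requested file. The former
# pattern "^\.(env|git|composer|lock|yml|json|log|sql)$" matched only files
# literally named ".env", ".git", ".json", ... and let composer.json,
# composer.lock, config.yml, error.log, dump.sql and .env.local through.
# This pattern denies any dotfile and any file with one of the listed extensions.
# Note: it also blocks *.json assets (e.g. a web manifest) — carve those out here
# if the site serves any.
<FilesMatch "(^\.|\.(env|lock|ya?ml|json|log|sql)$)">
    # Apache 2.4 syntax; the Order/Deny pair is 2.2 syntax and only works on 2.4
    # when mod_access_compat is loaded, so keep both behind module checks.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# A request such as /.git/config has the ordinary basename "config", so the
# FilesMatch above never sees it. Refuse any path that enters a VCS directory;
# 404 rather than 403 so the directory's existence is not confirmed.
<IfModule mod_alias.c>
    RedirectMatch 404 "(^|/)\.(git|svn|hg)(/|$)"
</IfModule>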

# 3. Disable Directory Browsing
# Without this, a directory that has no index file is listed by mod_autoindex.
# Requires `AllowOverride Options` (or All) for this directory in the server
# config; if Options is not overridable Apache rejects the .htaccess with a 500.
Options -Indexes

# 4. HTTPS Redirect (Uncomment to enable)
# Keep this ahead of the routing rules in section 5 so a plain-HTTP request is
# redirected before anything is rewritten. %{HTTP_HOST} echoes the client-supplied
# Host header; if the site answers to a single name, hard-code that canonical
# hostname in the target instead. Behind a TLS-terminating proxy %{HTTPS} stays
# "off" for every request — test the forwarded-protocol header instead, or the
# redirect will loop. The HSTS header in section 1 is only sent on HTTPS
# responses, so first-time HTTP visitors are covered only once this is live.
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

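# 5. Routing
RewriteEngine On
# Assumes the site is served from the document root; adjust if installed under a sub-path.
RewriteBase /

# Handle API
# /api/v1/<route> -> api/router.php?route=<route>, only when nothing real exists
# at that path. The original query string is carried over explicitly and placed
# BEFORE route=$1: PHP keeps the last duplicate key in $_GET, so with the former
# `?route=$1 [QSA]` order a client-supplied `?route=...` (or `route[]=`) in the
# query string silently overrode the path-derived route. router.php must still
# validate the value; this only guarantees it comes from the path.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^api/v1/(.*)$ api/router.php?%{QUERY_STRING}&route=$1 [L]

# Handle Clean URLs (PHP extension hiding)
# /foo -> foo.php when foo.php exists and /foo itself is neither a file nor a
# directory. Every *.php in the tree therefore also answers at an extensionless URL.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^(.*)$ $1.php [QSA,L]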

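# 6. Protect Uploads (No PHP Execution)
# This file is public_html/.htaccess, i.e. the document root. `php_flag engine off`
# here applies to the whole tree and disables PHP for the entire site — including
# api/router.php and every *.php target of the clean-URL rule above. The directive
# belongs in the upload directory's OWN .htaccess (the directory is not named in
# this file; <UPLOAD_DIR> below is a placeholder):
#
#   <UPLOAD_DIR>/.htaccess
#   <IfModule mod_php.c>
#       php_flag engine off
#   </IfModule>
#
# Caveats for that file: the module is mod_php7.c on PHP 7 (mod_php.c on PHP 8),
# and php_flag is ignored entirely under PHP-FPM/CGI. Denying script files by
# name works for every SAPI, so add it alongside:
#
#   <FilesMatch "\.(php|phtml|phar|phps)$">
#       Require all denied
#   </FilesMatch>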
