# Drop the server-version footer that Apache appends to generated pages
# (error pages, listings); it only helps fingerprinting.
ServerSignature Off
# Never auto-generate a directory listing when a directory has no index file.
Options -Indexes

# ──────────────────────────────────────────────────────────────
# Security Headers
# ──────────────────────────────────────────────────────────────
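<IfModule mod_headers.c>
    # "always" makes the headers apply to non-2xx responses (error pages, redirects) too.

    # Stop browsers from MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # Only this origin may frame the site (clickjacking mitigation).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Current browsers no longer ship the XSS auditor, and in browsers that did,
    # the "1; mode=block" filter itself introduced side channels; "0" disables it
    # explicitly, which is the current recommendation.
    Header always set X-XSS-Protection "0"
    # Full URL as referrer same-origin, origin only cross-origin, nothing on downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Deny these browser features to this origin and to anything it embeds.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # HSTS is only sent on TLS responses; the HTTPS variable is set by mod_ssl.
    # NOTE(review): behind a TLS-terminating proxy that variable may be absent and the
    # header would never be sent — confirm against the deployment.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    # No Content-Security-Policy is set; defining one requires the site's script/style/
    # image origins, which this file does not show — TODO add one for the public pages.
</IfModule>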

# ──────────────────────────────────────────────────────────────
# Rewrite Engine
# ──────────────────────────────────────────────────────────────
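<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Force HTTPS
    # RewriteCond %{HTTPS} off
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # NOTE(review): while this stays commented out the site is reachable over plain
    # HTTP, and the HSTS header in this file is only sent on TLS responses.

    # Force www (optional)
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Reject requests from well-known scanner User-Agents.
    # This has to come before the first [L] rule: in per-directory context a matching
    # [L] rule ends the round, so a check placed after the clean-URL rules would only
    # ever run for paths that match none of them. User-Agent is client-controlled, so
    # this is noise reduction, not access control.
    RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|nmap|masscan|zgrab) [NC]
    RewriteRule .* - [F,L]

    # Block access to sensitive files/dirs.
    # [NC] so a differently-cased path cannot slip past on a case-insensitive filesystem.
    # .env is matched at any depth and with any suffix (.env.local, .env.bak, ...).
    RewriteRule (^|/)\.env - [F,L,NC]
    RewriteRule ^config/ - [F,L,NC]
    RewriteRule ^includes/ - [F,L,NC]
    RewriteRule ^storage/ - [F,L,NC]
    RewriteRule ^database/ - [F,L,NC]
    RewriteRule ^app/ - [F,L,NC]

    # Serve existing files and dirs directly.
    # Anything that exists on disk (and was not forbidden above) stops here; the
    # clean-URL rules below only see paths that do not exist.
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]

    # ── Clean URLs for public pages ──
    # Every rule is [L] (stop this round) and [QSA] (keep the original query string
    # alongside any query the substitution adds).
    # /about → /public/about/index.php
    RewriteRule ^about/?$ /public/about/index.php [L,QSA]
    RewriteRule ^about/team/?$ /public/about/team.php [L,QSA]
    RewriteRule ^about/clients/?$ /public/about/clients.php [L,QSA]
    RewriteRule ^about/careers/?$ /public/about/careers.php [L,QSA]

    # /services
    RewriteRule ^services/?$ /public/services/index.php [L,QSA]
    RewriteRule ^services/it/?$ /public/services/it.php [L,QSA]
    RewriteRule ^services/real-estate/?$ /public/services/real-estate.php [L,QSA]
    RewriteRule ^services/travel/?$ /public/services/travel.php [L,QSA]

    # /works — slugs are restricted to [a-z0-9-], so the captured value can only
    # contain those characters when it reaches detail.php?slug=
    RewriteRule ^works/?$ /public/works/index.php [L,QSA]
    RewriteRule ^works/([a-z0-9-]+)/?$ /public/works/detail.php?slug=$1 [L,QSA]

    # /blog
    RewriteRule ^blog/?$ /public/blog/index.php [L,QSA]
    RewriteRule ^blog/([a-z0-9-]+)/?$ /public/blog/detail.php?slug=$1 [L,QSA]

    # /shop — the fixed routes (cart, checkout) are listed before the slug catch-all
    # so they are not treated as product slugs.
    RewriteRule ^shop/?$ /public/shop/index.php [L,QSA]
    RewriteRule ^shop/cart/?$ /public/shop/cart.php [L,QSA]
    RewriteRule ^shop/checkout/?$ /public/shop/checkout.php [L,QSA]
    RewriteRule ^shop/([a-z0-9-]+)/?$ /public/shop/product.php?slug=$1 [L,QSA]

    # /properties
    RewriteRule ^properties/?$ /public/properties/index.php [L,QSA]
    RewriteRule ^properties/([a-z0-9-]+)/?$ /public/properties/detail.php?slug=$1 [L,QSA]

    # /tours
    RewriteRule ^tours/?$ /public/tours/index.php [L,QSA]
    RewriteRule ^tours/([a-z0-9-]+)/?$ /public/tours/detail.php?slug=$1 [L,QSA]

    # /account
    RewriteRule ^account/?$ /public/account/index.php [L,QSA]
    RewriteRule ^account/orders/?$ /public/account/orders.php [L,QSA]
    RewriteRule ^account/wishlist/?$ /public/account/wishlist.php [L,QSA]
    RewriteRule ^account/profile/?$ /public/account/profile.php [L,QSA]

    # /auth
    RewriteRule ^login/?$ /public/login.php [L,QSA]
    RewriteRule ^register/?$ /public/register.php [L,QSA]
    # NOTE(review): /logout is routed to an /api/ script and is reachable by GET;
    # whether that script requires a POST/CSRF token is not visible here — confirm.
    RewriteRule ^logout/?$ /api/logout.php [L,QSA]
    RewriteRule ^forgot-password/?$ /public/forgot-password.php [L,QSA]

    # /contact
    RewriteRule ^contact/?$ /public/contact.php [L,QSA]

    # Main pages
    RewriteRule ^privacy/?$ /public/privacy.php [L,QSA]
    RewriteRule ^terms/?$ /public/terms.php [L,QSA]

    # Root → homepage
    RewriteRule ^$ /public/index.php [L,QSA]
</IfModule>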

# ──────────────────────────────────────────────────────────────
# PHP Settings
# ──────────────────────────────────────────────────────────────
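# PHP 8's Apache handler identifies itself as mod_php.c (PHP 7 used mod_php7.c);
# a test for "mod_php8.c" never matches, so the settings below were being skipped.
# The IfModule guard is still needed: php_flag/php_value in .htaccess cause a 500
# when PHP runs as CGI/FPM instead of as an Apache module.
<IfModule mod_php.c>
    # Never render errors to the client; log them instead.
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /home/kratrjoh/logs/php_errors.log
    # post_max_size must exceed upload_max_filesize or uploads near the limit fail.
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
    php_value memory_limit 256M
    # Session cookie hardening: no script access, reject unknown session ids,
    # and do not send the cookie on cross-site requests.
    php_flag session.cookie_httponly On
    php_flag session.use_strict_mode On
    php_value session.cookie_samesite Lax
    # TODO enable once the HTTPS redirect in the rewrite section is active;
    # with plain-HTTP access still allowed it would break sessions there.
    # php_flag session.cookie_secure On
</IfModule>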

# ──────────────────────────────────────────────────────────────
# Caching for Static Assets
# ──────────────────────────────────────────────────────────────
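<IfModule mod_expires.c>
    ExpiresActive On

    # Images: long-lived, expected to be cache-busted by filename.
    # image/jpg is not a registered type; kept in case a local AddType maps to it.
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"

    # Stylesheets and scripts: shorter, since they change more often.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Fonts: the legacy application/* types are kept, and the IANA font/* types
    # (RFC 8081) are added so fonts served with the current type names are cached too.
    ExpiresByType application/x-font-ttf "access plus 1 year"
    ExpiresByType application/x-font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>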

# ──────────────────────────────────────────────────────────────
# Compression
# ──────────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    # Each directive adds to the same filter list; grouped by kind for readability.
    # Markup and text
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    # Stylesheets, scripts and data
    AddOutputFilterByType DEFLATE text/css application/javascript application/json application/xml
    # SVG is XML, so it compresses well too
    AddOutputFilterByType DEFLATE image/svg+xml
    # NOTE(review): compressing dynamic HTML that mixes secrets (e.g. CSRF tokens)
    # with attacker-influenced input is the precondition for BREACH-style leaks;
    # whether the PHP pages do that is not visible here — confirm.
</IfModule>

# ──────────────────────────────────────────────────────────────
# Block bad bots and scanners
# ──────────────────────────────────────────────────────────────
<IfModule mod_rewrite.c>
    # NOTE(review): this rule is appended to the same per-directory rule set as the
    # rewrite section above, and almost every path is already ended by an [L] rule
    # there (existing files/dirs, the clean-URL routes). It is therefore only reached
    # for paths that match none of those rules; to apply it to all requests, move it
    # ahead of the first [L] rule in that section.
    # User-Agent is client-controlled, so this is noise reduction, not access control.
    RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|nmap|masscan|zgrab) [NC]
    RewriteRule .* - [F,L]
</IfModule>

# ──────────────────────────────────────────────────────────────
# Custom Error Pages
# ──────────────────────────────────────────────────────────────
# Serve the site's own pages for error responses (the [F] rewrite rules above
# produce 403s, so that page is shown for forbidden paths as well).
ErrorDocument 403 /public/403.php
ErrorDocument 404 /public/404.php
ErrorDocument 500 /public/500.php
