# Default entry point (required on InfinityFree / shared hosting)
DirectoryIndex index.php index.html

# PHP limits — mod_php only (ignored on PHP-FPM hosts like InfinityFree)
<IfModule mod_php.c>
    php_value max_input_vars 5000
    php_value max_input_time 300
    php_value max_execution_time 300
    php_value memory_limit 256M
    php_value post_max_size 50M
    php_value upload_max_filesize 50M
</IfModule>

# Security headers (skipped if mod_headers is unavailable)
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: blob:; font-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; connect-src 'self'; media-src 'self'; object-src 'none'; frame-ancestors 'none';"
</IfModule>

# Prevent access to sensitive files
<Files ~ "^\.">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.md$">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.sql$">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.env">
    Order allow,deny
    Deny from all
</Files>

<Files ~ "\.log$">
    Order allow,deny
    Deny from all
</Files>

# Disable directory browsing
Options -Indexes

# Enable rewrite engine
<IfModule mod_rewrite.c>
    RewriteEngine On
    
    # Redirect to HTTPS (uncomment in production)
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
    
    # Pretty URLs (optional - uncomment if needed)
    # RewriteCond %{REQUEST_FILENAME} !-f
    # RewriteCond %{REQUEST_FILENAME} !-d
    # RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

# Deny access to development tools directory
<IfModule mod_rewrite.c>
    RewriteRule ^dev_tools/ - [F,L]
</IfModule>

# Disable server signature
ServerSignature Off

# Protect sensitive PHP files
<Files "database.php">
    Order allow,deny
    Deny from all
</Files>

<Files "EnvLoader.php">
    Order allow,deny
    Deny from all
</Files>

<Files "SecurityHelper.php">
    Order allow,deny
    Deny from all
</Files>

# Enable compression
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>

# Browser caching
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/html "access plus 1 hour"
</IfModule>
