# Disable directory listings: a folder with no index file answers 403 instead of
# exposing its contents. Needs "AllowOverride Options" on this tree to take effect.
Options -Indexes

# ============================================================
# SECURITY: Block direct access to sensitive files & folders
# ============================================================

# Deny access to .env file absolutely
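# <Files ".env"> matched only that exact basename, so variants such as
# .env.local, .env.backup or .env.example (which often still hold real
# credentials) stayed reachable. This regex covers the bare file and any suffix.
<FilesMatch "^\.env(\..+)?$">
    Require all denied
</FilesMatch>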

# Block sensitive file extensions
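# (?i) makes the match case-insensitive so e.g. dump.SQL is covered as well.
# Added: ini (php.ini / .user.ini), yml|yaml (config), inc|phps (PHP include
# and source files), orig|old|dist (editor and deploy leftovers).
# NOTE: "git" here only matches a file literally named *.git. <FilesMatch>
# sees basenames, never paths, so the .git/ directory (e.g. .git/config) is
# not covered by this section; block it with a RewriteRule or RedirectMatch.
# NOTE: "json" also denies static files like manifest.json; a later, narrower
# <Files> section with "Require all granted" can re-allow a specific name.
<FilesMatch "(?i)\.(sql|md|log|json|lock|sh|bash|bak|swp|git|ini|yml|yaml|inc|phps|orig|old|dist)$">
    Require all denied
</FilesMatch>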

# Block migration/debug/test helper scripts by filename prefix. <FilesMatch>
# is applied to the basename in every directory under this tree, not only
# the web root, so a prefixed script in a sub-folder is refused as well.
<FilesMatch "^(run|migrate|check|verify|test|cleanup|list|tmp|schema|debug)_.*\.php$">
    Require all denied
</FilesMatch>

# ============================================================
# REWRITE ENGINE
# ============================================================
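<IfModule mod_rewrite.c>
    RewriteEngine On
    # Deployment sub-directory; change this when the app moves to the domain root.
    RewriteBase /otis/

    # Deny dot-files and dot-directories anywhere under this tree (.git/, .env,
    # .htaccess, editor swap files). <Files>/<FilesMatch> only match the
    # basename, so a request such as .git/config would otherwise reach the
    # file. The .well-known exemption keeps ACME / SSL-validation challenges
    # reachable for the HTTPS setup mentioned below.
    RewriteRule (^|/)\.(?!well-known(/|$)) - [F,L]

    # Block access to internal directories.
    # NOTE: this only holds while mod_rewrite is loaded — the whole <IfModule>
    # is skipped silently otherwise. A .htaccess with "Require all denied"
    # inside each of these directories is the safer backstop.
    RewriteRule ^(config|core|helpers|database|app|system_docs|storage|vendor)(/|$) - [F,L]

    # Block direct requests into uploads/ (files are served via a controller only)
    RewriteRule ^uploads/(.+)$ - [F,L]

    # Force HTTPS in production (uncomment after SSL is set up on Namecheap).
    # If TLS is terminated by a proxy/CDN in front of Apache, %{HTTPS} may read
    # "off" for every request and this would redirect-loop; key the condition
    # on %{HTTP:X-Forwarded-Proto} in that case — verify on the actual host.
    # RewriteCond %{HTTPS} off
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Serve real files, directories and symlinks directly; everything else goes
    # to the front controller. RewriteCond lines apply only to the next
    # RewriteRule, so these three guard just the routing rule below.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-l
    RewriteRule ^(.+)$ index.php?url=$1 [QSA,L]
</IfModule>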

# ============================================================
# SECURITY HEADERS
# ============================================================
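<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    # "0" disables the legacy browser XSS auditor outright: current browsers no
    # longer ship it, and in older ones "1; mode=block" could be abused for
    # cross-site leaks. The Content-Security-Policy below is the real XSS control.
    Header always set X-XSS-Protection "0"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # base-uri 'self' stops injected <base> tags from redirecting relative
    # script URLs; frame-ancestors 'self' is the CSP equivalent of
    # X-Frame-Options SAMEORIGIN and wins where both are supported.
    # NOTE: 'unsafe-inline' in script-src largely defeats the script-src
    # protection — moving inline scripts into files (or using nonces) would let
    # it be dropped. Scripts pulled from the listed CDNs should carry
    # integrity= (SRI) attributes so a CDN compromise cannot alter them.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.jsdelivr.net cdnjs.cloudflare.com unpkg.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net cdnjs.cloudflare.com; font-src 'self' data: fonts.gstatic.com cdnjs.cloudflare.com; img-src 'self' data: https:; connect-src 'self'; base-uri 'self'; frame-ancestors 'self';"
    # Drop the PHP version banner (expose_php itself cannot be changed from .htaccess)
    Header unset X-Powered-By
    # Prevent caching of sensitive pages. This applies to every successful
    # response from this tree, static assets included, and overrides any
    # Cache-Control a controller sets (e.g. when streaming an uploaded file);
    # consider narrowing it with <FilesMatch "\.php$"> if asset caching matters.
    Header set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
    Header set Pragma "no-cache"
    # Enable together with the HTTPS redirect in the rewrite section, and only
    # once every host name under this site serves valid TLS — HSTS is
    # remembered by browsers for the whole max-age.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>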

# ============================================================
# PHP HARDENING (shared hosting compatible)
# ============================================================
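<IfModule mod_php.c>
    # NOTE: this section applies only when PHP runs as the Apache module named
    # mod_php.c (PHP 8). PHP 7's module is mod_php7.c, and under PHP-FPM/CGI
    # (common on shared hosting) the whole block is skipped silently. In those
    # cases put the same settings in a .user.ini or the host's PHP config, and
    # confirm them via phpinfo() on a non-public page.
    php_flag display_errors off
    php_flag display_startup_errors off
    php_flag log_errors on
    # Session cookie hardening: keep the cookie out of reach of JavaScript and
    # reject session IDs the server did not issue (mitigates session fixation).
    php_flag session.cookie_httponly on
    php_flag session.use_strict_mode on
    # Enable once HTTPS is enforced; before that the cookie would never be sent.
    # SameSite=Lax also blocks cross-site POSTs that carry the session, so check
    # any external redirect-back flows (e.g. payment gateways) first.
    # php_flag session.cookie_secure on
    # php_value session.cookie_samesite Lax
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
    php_value max_execution_time 60
    php_value memory_limit 256M
</IfModule>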
