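# Directory listings are produced by mod_autoindex, not mod_negotiation, so
# -Indexes is set unconditionally rather than inside the negotiation guard
# (the original only disabled listings when mod_negotiation was loaded).
# -MultiViews stays guarded: content negotiation can map /foo to foo.php and
# so bypass the front controller, but it only matters when the module exists.
Options -Indexes
<IfModule mod_negotiation.c>
    Options -MultiViews
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Handle Authorization Header — some PHP handlers (CGI/FastCGI) do not
    # pass the Authorization header through; copying it into an env var
    # makes it reachable by the application as HTTP_AUTHORIZATION.
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Handle X-XSRF-Token Header (same mechanism, for the CSRF cookie round-trip)
    RewriteCond %{HTTP:x-xsrf-token} .
    RewriteRule .* - [E=HTTP_X_XSRF_TOKEN:%{HTTP:X-XSRF-Token}]

    # Force HTTPS (cPanel shared hosting)
    # X-Forwarded-Proto is trusted as-is, which is only correct behind a
    # TLS-terminating proxy that overwrites it; without one a client can at
    # most suppress its own redirect. The Location echoes the client's Host
    # header, so the vhost should only answer for its own hostnames.
    RewriteCond %{HTTPS} off
    RewriteCond %{HTTP:X-Forwarded-Proto} !https
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    # Redirect Trailing Slashes (real directories are excluded so that
    # DirectoryIndex keeps working for them)
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Send Requests To Front Controller — anything that is not an existing
    # file or directory under this tree is handled by index.php.
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>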

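# ── Block access to sensitive files ──────────────────────────────────────────
# Files that must never be served even if they end up inside the web root.
# `\.env(\..+)?` also covers `.env.backup`, `.env.production`, etc.; the
# previous `\.env\.*` matched only `.env` followed by literal dots.
# NOTE(review): FilesMatch only sees files under the directory holding this
# .htaccess — a document root pointed at the project root needs the same rules.
<FilesMatch "(\.env(\..+)?|composer\.(json|lock)|package\.json|package-lock\.json|artisan|phpunit\.xml(\.dist)?|\.gitignore|\.gitattributes|Makefile|webpack\.mix\.js|vite\.config\.js|tailwind\.config\.js)$">
    # Apache 2.4 uses mod_authz_core; `Order`/`Deny` are 2.2 directives that
    # only exist on 2.4 when mod_access_compat is loaded, and an unknown
    # directive in .htaccess is a 500 for every request. Pick by module.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>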

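# Block dot-files and hidden directories
<IfModule mod_rewrite.c>
    # Refuse any path containing a dot-prefixed segment (.git, .env, .htaccess,
    # editor swap files). `/.well-known/` is exempted because ACME / cPanel
    # AutoSSL domain validation serves challenge files from there; dot-files
    # *inside* .well-known are still refused, since the pattern re-matches at
    # every later "/." segment.
    # This rule sits after the front-controller rule above; a per-directory
    # [L] restarts the pass with the rewritten URI, so it effectively only
    # sees requests for paths that exist on disk.
    RewriteRule "(^|/)\.(?!well-known/)" - [F]
</IfModule>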

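# ── Security Headers ──────────────────────────────────────────────────────────
<IfModule mod_headers.c>
    # `always` applies the header to error responses (4xx/5xx) too, which
    # would otherwise go out without it.

    # Prevent clickjacking (a CSP frame-ancestors directive would supersede this)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Legacy XSS auditor, explicitly disabled. It exists only in old
    # Chrome/Edge/Safari, and its selective blocking has been abused as an
    # information-leak side channel, so current guidance (OWASP, MDN) is "0".
    Header always set X-XSS-Protection "0"

    # Referrer policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Permissions policy — disable unused browser features
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"

    # HSTS — tell browsers to always use HTTPS (1 year). includeSubDomains
    # pins every subdomain as well, so check that no HTTP-only subdomain is
    # still in use before deploying. Browsers ignore HSTS on plain-HTTP
    # responses, so sending it unconditionally is harmless.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Hide the PHP version. A plain `unset` only touches the success header
    # table; `always unset` covers the error-response table too.
    Header unset X-Powered-By
    Header always unset X-Powered-By

    # NOTE: this does NOT strip Apache's own Server header — core adds it
    # after mod_headers has run, and only ServerTokens in the main server
    # config (not allowed in .htaccess; ask the host) can reduce it. Kept
    # because it is harmless and still removes a Server header set upstream
    # by the application.
    Header unset Server
</IfModule>

# Stop Apache appending its version line to self-generated error pages.
# Unlike ServerTokens, this directive is permitted in .htaccess.
ServerSignature Off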

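# ── Compression (gzip) ────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
    # Text-like responses compress well. font/woff and font/woff2 were dropped
    # from the list on purpose: both formats are already compressed internally
    # (zlib / Brotli), so a second pass burns CPU for no size reduction.
    # Keep in mind that compressing dynamic HTML which mixes attacker-
    # influenced input with per-session secrets is the precondition for
    # BREACH-style attacks; mitigation belongs in the application, not here.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE application/json application/xml application/xhtml+xml
    AddOutputFilterByType DEFLATE image/svg+xml font/ttf font/otf
</IfModule>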

# ── Browser Caching ───────────────────────────────────────────────────────────
# Expires / Cache-Control max-age by MIME type. mod_expires leaves responses
# that already carry an Expires header alone, so application-generated
# responses keep their own caching policy.
# NOTE(review): the Cache-Control block further down re-sets the same
# extensions with explicit max-age values; keep the two in sync.
<IfModule mod_expires.c>
    ExpiresActive On

    # HTML — no cache (dynamic content)
    ExpiresByType text/html                 "access plus 0 seconds"

    # CSS & JS — 1 year (Vite adds content hash to filenames)
    ExpiresByType text/css                  "access plus 1 year"
    ExpiresByType application/javascript    "access plus 1 year"
    ExpiresByType text/javascript           "access plus 1 year"

    # Images — not content-hashed, so a shorter lifetime than CSS/JS
    ExpiresByType image/jpeg                "access plus 6 months"
    ExpiresByType image/png                 "access plus 6 months"
    ExpiresByType image/gif                 "access plus 6 months"
    ExpiresByType image/webp                "access plus 6 months"
    ExpiresByType image/svg+xml             "access plus 6 months"
    ExpiresByType image/x-icon              "access plus 1 year"

    # Fonts — both the IANA font/* types and the older application/* aliases
    # some servers still emit
    ExpiresByType font/ttf                  "access plus 1 year"
    ExpiresByType font/otf                  "access plus 1 year"
    ExpiresByType font/woff                 "access plus 1 year"
    ExpiresByType font/woff2                "access plus 1 year"
    ExpiresByType application/font-woff     "access plus 1 year"
    ExpiresByType application/font-woff2    "access plus 1 year"
</IfModule>

# ── Cache-Control headers for static assets ───────────────────────────────────
# Explicit Cache-Control by file extension. `Header set` runs late in the
# response, so these take precedence over what mod_expires computed above
# (1 year = 31536000 s, 6 months = 15552000 s, matching those durations).
<IfModule mod_headers.c>
    # `immutable` tells browsers never to revalidate within max-age. That is
    # only safe because Vite writes a content hash into build filenames;
    # NOTE(review): any un-hashed .css/.js served from this tree (e.g. package
    # assets published under public/vendor) would be stuck for a year.
    <FilesMatch "\.(css|js|woff|woff2|ttf|otf|eot)$">
        Header set Cache-Control "public, max-age=31536000, immutable"
    </FilesMatch>
    # Images are not content-hashed, so no `immutable` and a shorter lifetime
    <FilesMatch "\.(jpg|jpeg|png|gif|webp|svg|ico)$">
        Header set Cache-Control "public, max-age=15552000"
    </FilesMatch>
    # Matches only files literally named *.html on disk; responses routed
    # through index.php are not affected by this directive.
    <FilesMatch "\.html$">
        Header set Cache-Control "no-cache, no-store, must-revalidate"
    </FilesMatch>
</IfModule>

# ── Disable ETags (reduces header overhead) ───────────────────────────────────
# Conditional revalidation then falls back to Last-Modified, which static
# files still carry. Note that `Header unset ETag` also strips any ETag the
# application itself emits — NOTE(review): confirm nothing relies on one.
<IfModule mod_headers.c>
    Header unset ETag
</IfModule>
# Core directive (no module guard needed): stop generating ETags at the source
FileETag None

# ── PHP settings (cPanel shared hosting) ─────────────────────────────────────
# php_flag / php_value only take effect when PHP runs as an Apache module, and
# this guard matches the module name registered by PHP 8 (PHP 7 registers as
# mod_php7.c and would skip the block entirely). Under PHP-FPM, suPHP or LSAPI
# — the usual cPanel handlers — these directives are not applied from
# .htaccess; the equivalent settings go in .user.ini or the MultiPHP INI
# editor. NOTE(review): confirm which PHP handler the host actually uses.
<IfModule mod_php.c>
    # Never show errors to clients; log them instead
    php_flag display_errors Off
    php_flag log_errors On
    php_value max_execution_time 60
    php_value memory_limit 256M
    # post_max_size is kept above upload_max_filesize so the form fields
    # accompanying a maximum-size upload still fit in the request body
    php_value upload_max_filesize 10M
    php_value post_max_size 12M
</IfModule>
