# ============================================================
# EVOSYS POS — Apache .htaccess configuration (Apache 2.4 directive syntax)
# ============================================================

# ── Core options ─────────────────────────────────────────────
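# Explicit allow-list instead of "Options All": "All" would also switch on
# ExecCGI and Includes (SSI), which nothing in this file needs.
# Apache 2.4 also rejects mixing a bare keyword ("All") with +/- prefixed
# keywords on one Options line ("Either all Options must start with + or -,
# or no Option may"), which would turn every request into a 500.
# +FollowSymLinks is required for mod_rewrite in per-directory context.
Options -Indexes -MultiViews +FollowSymLinks
# Charset for text responses that do not declare one themselves
AddDefaultCharset UTF-8
# Needed by sections 1, 3, 4 and 5 below
RewriteEngine On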

# ============================================================
# 1. PROTECT SENSITIVE FILES
# ============================================================

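# Block dot-files (.env, .htaccess itself, etc.).
# <FilesMatch> tests only the final path component, so a file INSIDE a
# dot-directory (e.g. .git/config, .git/HEAD) is NOT covered by it alone.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Deny any request whose path contains a dot-segment (.git/, .svn/, .idea/ …),
# except .well-known/, which ACME / cPanel AutoSSL needs for TLS renewal.
# This runs before the front-controller rule in section 5, which would
# otherwise never see such paths anyway because the file exists (!-f fails).
RewriteCond %{REQUEST_URI} !(^|/)\.well-known/
RewriteRule (^|/)\. - [F]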

# Block direct access to project meta / config files.
# NOTE(review): matching php_error.log here implies the PHP error log is
# written inside the document root; point error_log outside the web root so
# the file is never reachable, and treat this rule only as a backstop.
# .gitignore / .gitattributes are already caught by the dot-file rule above;
# listing them again is harmless.
<FilesMatch "(composer\.(json|lock)|package(-lock)?\.json|php_error\.log|\.gitignore|\.gitattributes)$">
    Require all denied
</FilesMatch>

# ============================================================
# 2. SECURITY HEADERS
# ============================================================
<IfModule mod_headers.c>
    # The whole block is silently skipped when mod_headers is not loaded;
    # confirm the headers with a real request in each environment.
    # Prevent clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"
    # Prevent MIME-type sniffing
    Header always set X-Content-Type-Options "nosniff"
    # Basic XSS filter (legacy browsers). Current browsers ignore this header;
    # OWASP now recommends the value "0" because the auditor itself was abusable.
    Header always set X-XSS-Protection "1; mode=block"
    # Control referrer information
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Strip server fingerprinting headers.
    # X-Powered-By only exists when PHP's expose_php is on.
    Header always unset X-Powered-By
    # NOTE(review): unsetting Server from .htaccess is generally ineffective —
    # the core appends it after mod_headers has run; use ServerTokens Prod in
    # the main server configuration instead.
    Header always unset Server
    # NOTE(review): section 3 forces HTTPS for every non-local host, so a
    # Strict-Transport-Security header is the natural companion here once
    # all hostnames are confirmed HTTPS-only.
</IfModule>

# ============================================================
# 3. CANONICAL REDIRECT — HTTPS + non-www
# ============================================================

# Step 1: Strip www (runs before HTTPS check to avoid double redirect)
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# %1 is the Host header minus "www." — i.e. client-supplied. On a default /
# catch-all vhost the redirect target follows whatever Host the client sent;
# pin the canonical hostname here if that applies (hostname not in this file).
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

# Step 2: Force HTTPS — skipped on localhost / 127.0.0.1 (any port).
# %{HTTPS} reflects the connection to Apache itself; behind a TLS-terminating
# proxy or CDN it stays "off" and this rule would redirect in a loop — test
# X-Forwarded-Proto there instead. The target host is again client-supplied.
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^(localhost|127\.0\.0\.1)(:\d+)?$ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# ============================================================
# 4. BLOCK MALICIOUS QUERY STRINGS
# ============================================================
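# Blunt signature filter: cheap noise reduction, not an input-validation
# control — real protection lives in the PHP code. %{QUERY_STRING} is matched
# raw (still percent-encoded), so each pattern must list the encoded forms it
# wants to catch. Conditions are OR-chained; any hit returns 403.
# <script …> in plain or %3C/%3E-encoded form
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
# PHP superglobal injection attempts. Hex digits are case-insensitive on the
# wire (%5b == %5B), so the escape class covers both cases; "%" alone still
# matches via {0,2}, as before.
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Fa-f]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Fa-f]{0,2}) [OR]
# Directory traversal "/../", also with %2E / %2F encoded parts
RewriteCond %{QUERY_STRING} (/|%2F)(\.\.|%2E%2E)(/|%2F) [NC,OR]
# Common PHP payload-decoding function names
RewriteCond %{QUERY_STRING} (base64_encode|gzinflate) [NC,OR]
# Legacy CMS / path-disclosure probes
RewriteCond %{QUERY_STRING} (mosConfig|boot_path|ftp_user|etc/passwd) [NC]
RewriteRule ^ - [F,L]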

# ============================================================
# 5. FRONT CONTROLLER ROUTING
# ============================================================
# Route extension-less paths made of [A-Za-z0-9/_-] to index.php?route=…,
# but only when no real file or directory matches. Consequence: any .php file
# that exists under the web root stays directly executable, so keep includes
# and configuration outside the document root or deny them explicitly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# QSA keeps the original query string alongside route=
RewriteRule ^([a-zA-Z0-9/_-]+)$ index.php?route=$1 [L,QSA]

# ============================================================
# 6. BROWSER CACHING
# ============================================================
<IfModule mod_expires.c>
    ExpiresActive On
    # mod_expires leaves responses alone that already carry their own
    # Expires / Cache-Control header, so PHP can override any rule below.

    # HTML — always revalidate
    ExpiresByType text/html                      "access plus 0 seconds"
    # CSS / JS — long cache (use cache-busting query strings in code)
    ExpiresByType text/css                       "access plus 1 year"
    ExpiresByType application/javascript         "access plus 1 year"
    ExpiresByType text/javascript                "access plus 1 year"
    # Images
    ExpiresByType image/jpeg                     "access plus 1 year"
    ExpiresByType image/png                      "access plus 1 year"
    ExpiresByType image/gif                      "access plus 1 year"
    ExpiresByType image/webp                     "access plus 1 year"
    ExpiresByType image/svg+xml                  "access plus 1 year"
    ExpiresByType image/x-icon                   "access plus 1 year"
    # Fonts (both the IANA font/* and the legacy application/font-* types)
    ExpiresByType font/woff                      "access plus 1 year"
    ExpiresByType font/woff2                     "access plus 1 year"
    ExpiresByType application/font-woff          "access plus 1 year"
    ExpiresByType application/font-woff2         "access plus 1 year"
    # JSON / XML data
    # NOTE(review): "0 seconds" yields max-age=0, which still allows caching
    # with revalidation, including by shared caches. If JSON endpoints return
    # per-user POS data, have PHP send Cache-Control: no-store for them.
    ExpiresByType application/json               "access plus 0 seconds"
    ExpiresByType application/xml                "access plus 0 seconds"
</IfModule>

# ============================================================
# 7. GZIP COMPRESSION
# ============================================================
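<IfModule mod_deflate.c>
    # NOTE(review): compressing text/html and application/json responses that
    # place a secret (session id, CSRF token) next to attacker-reflected input
    # is the BREACH precondition. The mitigation belongs in the application
    # (per-request token masking, no reflection of untrusted input alongside
    # secrets); compression itself is kept.
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE application/json
    AddOutputFilterByType DEFLATE image/svg+xml
    # WOFF is zlib-compressed and WOFF2 Brotli-compressed internally, so
    # DEFLATE gains nothing on them; the font types are deliberately not listed
    # and are also excluded by extension below.

    # Skip already-compressed binary formats
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|webp|ico|gz|zip|bz2|rar|7z|woff2?)$ no-gzip dont-vary
</IfModule>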

# NOTE(review): the handler below executes any file named *.php, *.php8 or
# *.phtml anywhere under this directory tree. Any directory that receives
# user uploads needs its own .htaccess that removes this handler or denies
# PHP execution there, so an uploaded file can never be run.
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php82” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php82 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
