# CDVectors .htaccess Configuration
# ===================================
# Security, URL Rewriting, and Performance

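# Enable mod_rewrite
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # Optional: force HTTPS. This pairs with the HSTS header below — browsers
    # only honour Strict-Transport-Security on a response received over TLS,
    # so without a redirect the first plaintext request is never upgraded.
    # RewriteCond %{HTTPS} !=on
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Remove www from URL (optional - adjust based on preference)
    # RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    # RewriteRule ^(.*)$ http://%1/$1 [R=301,L]

    # Deny direct HTTP access to server-side-only directories. [NC] keeps the
    # block effective on case-insensitive filesystems (/Includes/, /ADMIN/).
    # NOTE(review): [F] returns 403 for *every* request under these paths,
    # including browser visits to /admin/ and XHR calls to /api/. Keep the
    # api/ and admin/ rules only if those directories hold files that are
    # include()d by other scripts rather than requested over HTTP.
    RewriteRule ^includes/ - [F,NC]
    RewriteRule ^api/ - [F,NC]
    RewriteRule ^admin/ - [F,NC]

    # Never serve VCS metadata (.git/config, .git/HEAD, ...). The FilesMatch
    # rules further down test file names only, so a directory has to be
    # blocked here.
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F,NC]

    # Map pretty URLs onto their PHP handlers. The captured segment is limited
    # to [a-zA-Z0-9-], so no path or query metacharacters reach the scripts.
    # A RewriteCond guards only the RewriteRule immediately following it, so
    # the "not an existing file/directory" checks are repeated per rule.
    #
    # The original query string is re-attached explicitly instead of via
    # [QSA]: QSA appends it *after* the rewritten parameter, so a request like
    # /products/abc?id=../x produced id=abc&id=../x, and PHP's last-wins
    # $_GET handling silently replaced the whitelisted value with the
    # client-supplied one. Placing the rewrite's parameter last makes it win.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^products/([a-zA-Z0-9-]+)/?$ /product-detail.php?%{QUERY_STRING}&id=$1 [L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^category/([a-zA-Z0-9-]+)/?$ /products.php?%{QUERY_STRING}&category=$1 [L]

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^order/([a-zA-Z0-9-]+)/?$ /order-detail.php?%{QUERY_STRING}&code=$1 [L]
</IfModule>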

# ===================================
# SECURITY HEADERS
# ===================================

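<IfModule mod_headers.c>
    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Prevent clickjacking in browsers that predate CSP frame-ancestors
    # (the CSP below carries the authoritative frame-ancestors 'none').
    Header always set X-Frame-Options "DENY"

    # The legacy XSS auditor has been removed from current browsers, and where
    # it still exists its "block"/filter behaviour has itself been abused to
    # leak page content. The recommended value is now 0 (explicitly off);
    # rely on the CSP below instead.
    Header always set X-XSS-Protection "0"

    # HSTS (HTTP Strict Transport Security), one year, including subdomains.
    # NOTE(review): only ship includeSubDomains once every subdomain is
    # reachable over HTTPS — a browser that has seen this header refuses
    # plaintext connections to all of them for a year. Browsers ignore the
    # header on HTTP responses, so an HTTP->HTTPS redirect is still required.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Content Security Policy (adjust as needed). Beyond the per-resource
    # allow-lists this sets frame-ancestors 'none' (CSP-era clickjacking
    # control), base-uri 'self' (stops an injected <base> from redirecting
    # relative script/style URLs) and object-src 'none' (no plugin content).
    # NOTE(review): 'unsafe-inline' in script-src disables most of the XSS
    # protection CSP offers — move inline scripts to files or use
    # nonces/hashes when feasible. img-src https: permits images from any
    # HTTPS origin, which is broad but deliberate for product imagery.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://api.paddle.com; frame-ancestors 'none'; base-uri 'self'; object-src 'none'"

    # Order and product pages carry identifiers in the URL path
    # (/order/<code>); keep the full URL out of Referer headers sent to the
    # third-party origins allowed above.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # NOTE(review): mod_headers cannot remove the Server header — core adds it
    # outside the headers_out table that `Header` manipulates, so this line is
    # a no-op. The effective control is `ServerTokens Prod` in httpd.conf,
    # which is not permitted in .htaccess. Left in place as documentation of
    # intent.
    Header always unset Server
</IfModule>

# Keep the Apache version/OS line off server-generated error pages. Unlike
# ServerTokens, this directive is allowed in .htaccess.
ServerSignature Off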

# ===================================
# COMPRESSION (Performance)
# ===================================

<IfModule mod_deflate.c>
    # Gzip text-like responses. One AddOutputFilterByType can list several
    # media types; grouped by family for readability.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css text/javascript
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json

    # NOTE(review): compressing HTML that mixes attacker-controlled input with
    # per-user secrets (e.g. a CSRF token on a search-results page) is the
    # precondition for BREACH-style attacks; mask or rotate such tokens per
    # response if that situation applies here.

    # Already-compressed formats gain nothing from gzip: skip them and also
    # drop the Vary: Accept-Encoding header for those responses.
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|zip|exe|flv|mov)$ no-gzip dont-vary
</IfModule>

# ===================================
# CACHING (Performance)
# ===================================

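<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 2 days"

    # One-year lifetimes assume static assets are referenced under versioned
    # or fingerprinted file names; otherwise a deploy is not picked up by
    # returning clients until the cache entry ages out.

    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"

    # Images
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType image/vnd.microsoft.icon "access plus 1 year"

    # Fonts
    ExpiresByType font/ttf "access plus 1 year"
    ExpiresByType font/otf "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/font-woff "access plus 1 year"

    # HTML is dynamic: always revalidate.
    ExpiresByType text/html "access plus 0 seconds"
    # PHP output is sent as text/html and is covered by the line above;
    # "application/php" is not a type Apache emits for script output, the
    # line is kept only for parity with the previous configuration.
    ExpiresByType application/php "access plus 0 seconds"

    # JSON is typically API output that may carry per-user data. Without an
    # explicit entry it falls under ExpiresDefault (2 days) whenever the
    # generating script does not emit its own Expires header, which lets
    # browsers and shared caches retain authenticated responses.
    ExpiresByType application/json "access plus 0 seconds"

    # Default
    ExpiresByType application/octet-stream "access plus 0 seconds"
</IfModule>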

# ===================================
# BLOCK MALICIOUS ACCESS
# ===================================

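# Block access to sensitive files.
# FilesMatch tests the file name only, so `^\.env` also catches .env.local /
# .env.production, which the `$`-anchored alternative misses. Editor and
# backup copies of PHP files (.bak, .old, .orig, .swp, trailing `~`) are not
# handled by the PHP engine and would be served as plain-text source.
# Both denial syntaxes are provided: on Apache 2.4 without mod_access_compat
# a bare `Order`/`Deny` is an unknown directive and takes the whole site
# down with a 500, which is what the original first block risked.
<FilesMatch "(^\.env|\.(ini|log|env|sql|bak|old|orig|swp|sh)$|~$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block access to common vulnerable / configuration files.
# `^\.ht` covers .htaccess and .htpasswd (Apache's stock config already does
# this; the copy here is belt-and-braces for hosts that changed it).
# The original `\.~` alternative matched a literal ".~", not Emacs-style
# `file.php~` backups — those now fall under the `~$` rule above.
<FilesMatch "(^\#.*#|^\.ht|wp-config\.php|web\.config|php\.ini)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>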

# ===================================
# PREVENT DIRECTORY LISTING
# ===================================

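# Disable directory listings and, alongside them, content negotiation:
# with MultiViews enabled in the server config, mod_negotiation is known to
# resolve a request such as /products/foo to products.php on its own and
# interfere with the RewriteRules above, so the two are switched off
# together. NOTE(review): `Options` in .htaccess requires
# `AllowOverride Options` (or All) — if that is not granted the whole file
# fails with a 500, which is the first thing to check after deployment.
Options -Indexes -MultiViews

# UTF-8 charset on text responses; static .json files get their proper type
# (nosniff above then keeps browsers from treating them as anything else).
AddDefaultCharset UTF-8
AddType application/json .json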

# ===================================
# ERROR PAGES (Optional)
# ===================================

# Custom error pages replace Apache's built-in ones (which, with
# ServerSignature On, print the server version). Targets must be local paths
# that are not themselves denied by the rules above, otherwise Apache falls
# back to the default page; keep them static and do not echo request data.
# ErrorDocument 403 /errors/403.php
# ErrorDocument 404 /errors/404.php
# ErrorDocument 500 /errors/500.php

# ===================================
# END OF .HTACCESS
# ===================================
