# ==============================================================================
# VIDEO OPTIMIZER - FRONTEND SECURITY CONFIGURATION
# ==============================================================================
# Location: /var/www/html/lux-studio/.htaccess
# Purpose: Security hardening for frontend static files
# ==============================================================================

# ------------------------------------------------------------------------------
# DIRECTORY PROTECTION
# ------------------------------------------------------------------------------

# Directory listings off (a directory with no index page now answers 403
# instead of exposing its file list) and symlink traversal on. Both flags
# carry a +/- prefix, so they adjust the Options inherited from the server
# config instead of replacing them.
# NOTE(review): "Options" inside .htaccess needs AllowOverride Options (or All)
# for this directory; without it Apache answers every request with 500.
Options -Indexes +FollowSymLinks

# Do not append the server version / hostname footer to generated error pages
ServerSignature Off

# ------------------------------------------------------------------------------
# FILE ACCESS CONTROL
# ------------------------------------------------------------------------------

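# Baseline grant: every file in this directory is readable unless one of the
# deny sections further down matches it.
# NOTE(review): this also replaces any "Require" policy the server config sets
# for this directory -- confirm that is intended before deploying.
<FilesMatch ".*">
    Require all granted
</FilesMatch>

# ------------------------------------------------------------------------------
# ALLOWED FILE TYPES (the intended public surface)
# ------------------------------------------------------------------------------
# ORDERING MATTERS: <FilesMatch> sections are merged in file order and, with
# the default "AuthMerging Off", the LAST matching section's Require directives
# replace the earlier ones. These grants therefore sit ABOVE the deny sections.
# In the previous layout they came after the denies, so any file matching both
# a deny and a grant (README.html, .env.js, ...) ended up served. Keep every
# "Require all denied" section below this point.

# HTML pages
<FilesMatch "\.(html|htm)$">
    Require all granted
</FilesMatch>

# JavaScript
<FilesMatch "\.(js|mjs)$">
    Require all granted
</FilesMatch>

# Stylesheets
<FilesMatch "\.css$">
    Require all granted
</FilesMatch>

# Images
<FilesMatch "\.(jpg|jpeg|png|gif|ico|svg|webp)$">
    Require all granted
</FilesMatch>

# Fonts
<FilesMatch "\.(woff|woff2|ttf|otf|eot)$">
    Require all granted
</FilesMatch>

# ------------------------------------------------------------------------------
# DENIED FILES (must stay last so they override the grants above)
# ------------------------------------------------------------------------------

# Dot-files: .env*, .htpasswd, .gitignore, editor swap/state files, etc.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Backup, temporary, log and database files
<FilesMatch "\.(bak|backup|old|tmp|temp|swp|save|orig|dist|log|sql|sqlite|db)$">
    Require all denied
</FilesMatch>

# Version-control metadata. <FilesMatch> tests the file's basename only, so
# this catches .gitignore / .hgignore but NOT the contents of a checked-in
# .git/ directory (.git/HEAD has basename "HEAD"). The RedirectMatch below
# closes that gap by matching the request's URL path instead.
<FilesMatch "^\.(git|svn|hg|bzr)">
    Require all denied
</FilesMatch>
<IfModule mod_alias.c>
    RedirectMatch 404 "(?i)(^|/)\.(git|svn|hg|bzr)(/|$)"
</IfModule>

# Environment files and dependency manifests. "^\.env" already matches
# .env.local, .env.production, ...; the former "\.env\." alternative was
# redundant and has been dropped (no change in what is matched).
<FilesMatch "^(\.env|config\.json|package\.json|package-lock\.json|composer\.json|composer\.lock)">
    Require all denied
</FilesMatch>

# Server-side source files that must never be served from the frontend tree.
# Extended beyond ".php" to the other extensions PHP handlers are commonly
# mapped to, so a stray .phtml/.phar is not served as plain text either.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps|py)$">
    Require all denied
</FilesMatch>

# Project documentation that should not be public
<FilesMatch "^(README|INSTALL|CHANGELOG|LICENSE|CONTRIBUTING)">
    Require all denied
</FilesMatch>

# JSON: denied by default. (The previous comment said "Allow JSON files" while
# the directive denied them; the deny is the behaviour kept here.) If the app
# must fetch a specific JSON file, add a narrow grant such as
# <Files "manifest.json"> Require all granted </Files> AFTER this section --
# later sections win -- rather than re-opening "\.json$" wholesale.
<FilesMatch "\.json$">
    Require all denied
</FilesMatch>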

# ------------------------------------------------------------------------------
# ERROR DOCUMENTS
# ------------------------------------------------------------------------------

# Custom error pages (optional): the values are URL paths, so create the target files under the document root before uncommenting these lines
# ErrorDocument 403 /video-optimizer/error/403.html
# ErrorDocument 404 /video-optimizer/error/404.html
# ErrorDocument 500 /video-optimizer/error/500.html

# ------------------------------------------------------------------------------
# ADDITIONAL SECURITY
# ------------------------------------------------------------------------------

# Refuse to serve this configuration file itself. The "^\." deny section
# above already covers it, and a default httpd.conf usually ships a
# <Files ".ht*"> deny as well, but stating it here costs nothing.
<FilesMatch "^\.htaccess$">
    Require all denied
</FilesMatch>


# ==============================================================================
# END OF CONFIGURATION
# ==============================================================================
