# ==============================================================================
# LUX STUDIO BACKEND - SECURITY CONFIGURATION
# ==============================================================================
# Location: /var/www/html/lux-studio/api/.htaccess
# Purpose: Prevent direct browser access, allow only API endpoints
# ==============================================================================

# ------------------------------------------------------------------------------
# DIRECTORY PROTECTION
# ------------------------------------------------------------------------------

# Disable directory browsing: a directory request with no index file is
# answered with 403 instead of an auto-generated file listing.
# NOTE(review): "Options" in .htaccess needs AllowOverride Options (or All)
# for this directory; if the server config does not permit it, Apache rejects
# the whole file and every request under api/ fails with 500 — confirm on
# deployment.
Options -Indexes

# Disable server signature (no Apache version / vhost footer on
# server-generated pages such as error pages and listings).
ServerSignature Off

# ------------------------------------------------------------------------------
# BLOCK ROOT AND INDEX ACCESS
# ------------------------------------------------------------------------------

# Block access to index.php (prevents browsing backend UI).
# Exact-name match; a request for api/ itself is handled by -Indexes above.
<Files "index.php">
    Require all denied
</Files>

# Block access to test files.
# This is an exact allowlist of known test scripts (anchored, case-sensitive);
# a new test file with a different name is NOT covered until added here.
<FilesMatch "^(test|auth-test|server-check)\.php$">
    Require all denied
</FilesMatch>

# Block access to configuration files.
# config.php and config.example.php are meant to be included by the endpoint
# scripts, never fetched directly. Same caveat as above: only these two exact
# names are denied.
<FilesMatch "^(config|config\.example)\.php$">
    Require all denied
</FilesMatch>

# ------------------------------------------------------------------------------
# API ENDPOINT ACCESS CONTROL
# ------------------------------------------------------------------------------

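# Request-handling endpoints accept POST only, plus OPTIONS so CORS
# preflight requests can succeed. Any other method (GET, HEAD, PUT, DELETE,
# TRACE, ...) fails the method check and is answered with 403.
# The read-only GET endpoints further down have their own rules.
#
# RequireAll succeeds only when every inner Require succeeds, so
# "Require method" is the effective gate; the directive set is kept in the
# same shape as the cleanup/session block below. (The former nested
# <RequireAny> around a single directive added nothing and is dropped.)
<FilesMatch "^(api|video_api|enhance_prompt|auth|webhook_logger)\.php$">
    <RequireAll>
        Require all granted
        Require method POST OPTIONS
    </RequireAll>
</FilesMatch>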

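# Video streaming: GET and POST, plus OPTIONS for CORS preflight.
# HEAD is listed explicitly alongside GET so clients that probe the resource
# before fetching are not refused. Without the method restriction
# "Require all granted" alone would admit every HTTP method, which is wider
# than the GET/POST intent of this endpoint.
<Files "stream_video.php">
    <RequireAll>
        Require all granted
        Require method GET HEAD POST OPTIONS
    </RequireAll>
</Files>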

# Cleanup and session management: POST only (OPTIONS admitted for CORS
# preflight). Because every Require inside <RequireAll> must succeed, any
# other method fails the method check and the request is refused with 403.
<FilesMatch "^(cleanup|clear_session|session_manager)\.php$">
    <RequireAll>
        Require all granted
        Require method POST OPTIONS
    </RequireAll>
</FilesMatch>

# Read-only endpoints for the frontend and for debugging.
# SECURITY (review): get_config.php and get_logs.php are granted to every
# client with any HTTP method, so whatever configuration or log content they
# emit is readable by anyone who can reach this API. Gate them (IP or auth
# restriction, or deny them outright) before this goes to production; only
# get_current_image.php appears to be a plain frontend read — confirm.
<FilesMatch "^(get_config|get_logs|get_current_image)\.php$">
    Require all granted
</FilesMatch>

# ------------------------------------------------------------------------------
# PROTECT SENSITIVE FILES
# ------------------------------------------------------------------------------

# Deny access to environment files.
# Anchored only at the start, so this also covers variants such as
# .env.local or .env.production, not just ".env" itself.
<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

# Deny access to backup, temporary, editor-swap and data files by extension.
# NOTE(review): the match is case-sensitive (no (?i) flag), so e.g. ".BAK" or
# ".SQL" would not be caught — consider prefixing the pattern with (?i) if
# such names can appear here.
<FilesMatch "\.(bak|backup|old|tmp|temp|swp|save|orig|dist|log|sql|sqlite|db)$">
    Require all denied
</FilesMatch>

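# Deny access to version-control and Composer metadata.
# <FilesMatch> tests only the final path component, so it catches loose
# files such as .gitignore, .gitattributes, composer.json and composer.lock,
# but NOT the contents of a checked-in .git/, .svn/ or .hg/ directory
# (a request for .git/HEAD has the filename "HEAD"). The rewrite rule below
# closes that gap by refusing any request whose path contains such a
# directory segment.
<FilesMatch "(^\.git|^\.svn|^\.hg|composer\.)">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Paths here are relative to this directory; (^|/) also matches the
    # directory when it sits inside a subdirectory. "-" keeps the URL,
    # F answers 403, L stops further rule processing.
    RewriteRule "(^|/)\.(git|svn|hg)(/|$)" - [F,L]
</IfModule>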

# Deny access to class files (should only be included, not accessed directly).
# NOTE(review): this file protects by blocklist — only the names listed in
# the deny rules are refused, so any other .php file placed in this directory
# is served under the parent directory's access rules. A default
# "Require all denied" for \.php$ with explicit grants for the endpoints
# would be the safer shape; confirm before restructuring.
<FilesMatch "^(AuthMiddleware|JWTValidator|SessionManager)\.php$">
    Require all denied
</FilesMatch>

# Deny access to .htaccess itself.
# Apache's stock server config normally already refuses ".ht*" files; this
# copy makes the protection independent of that — presumably intentional.
<Files ".htaccess">
    Require all denied
</Files>

# ------------------------------------------------------------------------------
# UPLOADS DIRECTORY PROTECTION
# ------------------------------------------------------------------------------

# Block direct access to uploads directory (videos/images should be streamed via PHP).
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Rewrite patterns in .htaccess are relative to this directory, so this
    # refuses (403) everything under api/uploads/. It does not cover uploads
    # directories elsewhere, and it is case-sensitive. A bare "uploads"
    # request (no trailing slash) is not matched by this pattern itself;
    # mod_dir's trailing-slash redirect normally turns it into "uploads/",
    # which is then refused — confirm with the server's DirectorySlash setting.
    # "-" keeps the URL unchanged, F answers 403, L stops rule processing.
    RewriteRule ^uploads/ - [F,L]
</IfModule>

# ------------------------------------------------------------------------------
# SECURITY HEADERS (if not set by Apache)
# ------------------------------------------------------------------------------

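<IfModule mod_headers.c>
    # "always" puts the headers on error responses as well — including the
    # 403/404 bodies configured at the bottom of this file. Plain
    # "Header set" only applies to successful responses.

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # Prevent clickjacking (API responses never need to be framed)
    Header always set X-Frame-Options "DENY"

    # XSS Protection
    # NOTE(review): legacy header — mainstream browsers have dropped this
    # filter and current guidance leans towards "0" or omitting it. Value
    # left as-is; confirm before changing.
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>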

# ------------------------------------------------------------------------------
# ERROR HANDLING
# ------------------------------------------------------------------------------

# Return 403 Forbidden instead of showing file listings.
# "Options -Indexes" is already set unconditionally at the top of this file;
# this module-guarded copy is redundant but harmless.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# Custom error bodies for 403 and 404.
# NOTE: these are literal strings, not JSON — Apache sends a string
# ErrorDocument as a plain text body with its default error content type, so
# API clients expecting JSON must tolerate a non-JSON body on these statuses.
# Returning real JSON would require pointing ErrorDocument at a script.
ErrorDocument 403 "Forbidden: Direct access to backend is not allowed. Use API endpoints only."
ErrorDocument 404 "Not Found: API endpoint does not exist."

# ==============================================================================
# END OF CONFIGURATION
# ==============================================================================
