# Runway Gen4 Web App - Production .htaccess Configuration

# Security Headers
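<IfModule mod_headers.c>
    # Clickjacking: only same-origin pages may frame this site.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Keep browsers from MIME-sniffing a response away from its declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor has been removed from current browsers, and
    # "1; mode=block" could itself be abused in the old ones, so switch it off.
    # XSS defence belongs in output encoding plus a Content-Security-Policy.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    # HSTS: this file already 301-redirects HTTP to HTTPS, but the first plain-HTTP
    # request can still be intercepted. Sent on TLS responses only (env=HTTPS).
    # Start with a short max-age on first rollout; browsers cache the policy
    # for the whole period.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
    # NOTE(review): no Content-Security-Policy is set in this file. Add one once
    # the script/style/connect sources the front end needs are known.
</IfModule>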

# Hide sensitive files and directories
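# Apache 2.4 (mod_authz_core) expresses denial as "Require all denied". The 2.2
# "Order/Deny" form only works on 2.4 when mod_access_compat is loaded; without
# it an unknown directive in .htaccess turns every request into a 500.
# Each section below carries both forms, selected by the module that is present.
<Files ".env">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

<Files "*.log">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Project metadata and secrets that must never be served. Also covers
# environment-specific variants (.env.local, .env.production, ...) and
# package-lock.json, which the exact-name pattern let through.
<FilesMatch "^(\.env(\..*)?|\.htaccess|composer\.(json|lock)|package(-lock)?\.json|tailwind\.config\.js|INSTALLATION\.md)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>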

# Block access to source directories
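# NOTE(review): these denials exist only while mod_rewrite is loaded. Without it
# the whole section is skipped and backend/, src/ and node_modules/ are served
# directly. Keeping those directories outside the document root is more robust.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block direct client requests to the backend directory.
    # In .htaccess context a rewritten URL is run through these rules again, so
    # without the guard below the api/* routes that rewrite to /backend/*.php
    # would also get 403 (unless backend/ has its own rewrite configuration).
    # REDIRECT_STATUS is empty only on the client's original request.
    RewriteCond %{ENV:REDIRECT_STATUS} ^$
    RewriteRule ^backend/ - [F,L,NC]

    # Block access to src directory (Tailwind source files).
    # NC: a case-insensitive filesystem must not let /SRC/ slip past the rule.
    RewriteRule ^src/ - [F,L,NC]

    # Block access to node_modules if present
    RewriteRule ^node_modules/ - [F,L,NC]
</IfModule>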

# Enable HTTPS redirect (recommended for production)
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Anything that did not arrive over TLS is sent to the same host and path
    # on https:// with a permanent redirect.
    # NOTE(review): behind a TLS-terminating proxy or load balancer %{HTTPS} stays
    # "off" and this loops; test the forwarded-protocol header there instead.
    # NOTE(review): %{HTTP_HOST} is taken from the client's Host header, so the
    # redirect target is only as trustworthy as the vhost's host matching.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

# Main application routing
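<IfModule mod_rewrite.c>
    RewriteEngine On

    # Deny access to hidden files and directories at any depth (.git/, .env,
    # public/.something). The previous pattern ^\..*$ only matched a dot at the
    # start of the path, so nested dotfiles were still served.
    # NOTE(review): this also refuses .well-known/, as the old rule did at the
    # site root. ACME HTTP-01 validation would need an explicit exemption.
    RewriteRule (^|/)\. - [F,L]

    # Serve main page
    RewriteRule ^$ /public/index.html [L]
    RewriteRule ^index\.html$ /public/index.html [L]

    # Allow direct access to public assets
    RewriteRule ^(css|js)/(.*)$ /public/$1/$2 [L]

    # API routing for cleaner URLs.
    # The rewritten /backend/ target is evaluated by this file's rules a second
    # time (per-directory rewrites restart processing), so the ^backend/ deny
    # rule has to let internal redirects through for these two routes to answer.
    RewriteRule ^api/generate$ /backend/api.php [L]
    RewriteRule ^api/status$ /backend/check_status.php [L]
</IfModule>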

# Enable Gzip compression for better performance
<IfModule mod_deflate.c>
    # Same ten media types as before, grouped by family on one directive each.
    # NOTE(review): compressing TLS responses that mix secrets with reflected
    # request data (HTML, JSON) is the precondition for BREACH-style attacks.
    # Confirm the API responses do not echo attacker-controlled input next to tokens.
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
</IfModule>

# Browser Caching for static assets
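<IfModule mod_expires.c>
    ExpiresActive on
    # NOTE(review): a one-year lifetime is only safe for fingerprinted file names.
    # An unversioned css/js file cannot be replaced in browsers that cached it,
    # which also delays delivery of a front-end security fix.
    ExpiresByType text/css "access plus 1 year"
    ExpiresByType application/javascript "access plus 1 year"
    ExpiresByType text/javascript "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    # image/jpg is not a registered media type; kept in case the server maps it.
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    # Legacy font types plus the registered font/* types newer mime.types files use.
    ExpiresByType application/font-woff "access plus 1 year"
    ExpiresByType application/font-woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
</IfModule>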

# Prevent access to backup files
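# Backup and editor leftovers often hold source code or credentials in a form
# the server would send as plain text. Also covers vim swap files (.swp) and
# trailing-tilde copies (file.php~), which the original pattern missed.
<FilesMatch "(\.(bak|backup|old|orig|save|swp|tmp)|~)$">
    # 2.4 syntax when mod_authz_core is present, 2.2 syntax otherwise. An
    # unknown directive in .htaccess would otherwise cause a 500 on every request.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>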

# Limit file upload size (adjust as needed)
# NOTE(review): mod_php.c is the module name used by PHP 8. Under PHP 7
# (mod_php7.c) or PHP-FPM/CGI this section is skipped silently and the limits
# must be set in php.ini or the pool configuration instead.
<IfModule mod_php.c>
    # Request body cap; must stay at or above upload_max_filesize.
    php_value post_max_size 12M
    php_value upload_max_filesize 10M
    # NOTE(review): 300-second input and execution windows let one slow request
    # hold a worker for five minutes. Confirm the API calls really need this.
    php_value max_execution_time 300
    php_value max_input_time 300
</IfModule>