# VEO3 Report System - Apache Configuration

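# Enable PHP.
# SetHandler on an anchored FilesMatch replaces AddHandler: with AddHandler,
# mod_mime applies the handler to any filename that carries the .php
# extension anywhere (e.g. "upload.php.jpg"), which matters because this site
# accepts uploads (see the upload limits further down). Same handler name,
# so hosts that previously worked with AddHandler are unaffected. If PHP runs
# through php-fpm/proxy on this host, this block is a no-op and the handler
# is chosen in the server config instead.
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

# Disable directory browsing (needs AllowOverride Options; without it Apache
# answers 500 for the whole directory rather than ignoring the line)
Options -Indexes

# Force HTTPS in production (uncomment for production).
# Caveats before enabling:
#  - behind a TLS-terminating proxy/load balancer %{HTTPS} is always "off"
#    and this loops; test %{HTTP:X-Forwarded-Proto} !https there instead.
#  - the target uses %{HTTP_HOST}, i.e. the client-supplied Host header. If
#    the vhost accepts arbitrary Host values, prefer %{SERVER_NAME} together
#    with UseCanonicalName On, or a literal hostname.
# RewriteEngine On
# RewriteCond %{HTTPS} off
# RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# HSTS belongs with the redirect. Enable only once every host covered by the
# policy is HTTPS-only, and start with a short max-age before committing.
# <IfModule mod_headers.c>
#     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# </IfModule>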

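# Security Headers
<IfModule mod_headers.c>
    # Don't advertise the PHP version. PHP adds X-Powered-By unless expose_php
    # is off, and expose_php cannot be changed from .htaccess. ("always" is
    # deliberately omitted: PHP's header sits in the normal table.)
    Header unset X-Powered-By

    # Prevent clickjacking (legacy header; the frame-ancestors directive in
    # the CSP below is the modern equivalent and wins where supported)
    Header always set X-Frame-Options "SAMEORIGIN"

    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"

    # XSS Protection. This header is deprecated: current browsers ignore it,
    # and the legacy auditor it enables could itself be abused for cross-site
    # leaks, which is why OWASP now recommends the value "0". Left unchanged
    # pending a check of the browsers this deployment must support.
    Header always set X-XSS-Protection "1; mode=block"

    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Content Security Policy (adjust as needed).
    # Added relative to the first version: object-src 'none' (no plugin
    # content), base-uri 'self' (an injected <base> cannot redirect relative
    # script URLs) and frame-ancestors 'self' (CSP counterpart of
    # X-Frame-Options; a same-origin MSAL silent-renewal iframe, if used,
    # is still permitted).
    # Known weakness: 'unsafe-inline' in script-src largely voids the XSS
    # protection the policy would otherwise give; moving inline scripts into
    # files or to nonces is the real fix. There is no connect-src, so
    # XHR/fetch falls back to default-src, which already lists
    # login.microsoftonline.com.
    Header always set Content-Security-Policy "default-src 'self' https://alcdn.msauth.net https://login.microsoftonline.com https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' https://alcdn.msauth.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>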

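# Protect sensitive files.
# <Files>/<FilesMatch> match the *final path component only*: they stop a
# direct request for a file but say nothing about directories. A request for
# /.git/config has the filename "config" and is NOT caught by the dotfile
# rule below; directories are denied by path with mod_rewrite further down.

# Any dotfile (.env, .env.example, .htaccess, .user.ini, .gitignore, ...)
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Dependency manifests, the env loader and the config module
<FilesMatch "^(composer\.(json|lock)|config\.php|env_loader\.php)$">
    Require all denied
</FilesMatch>

# Documentation
<Files "*.md">
    Require all denied
</Files>

# Scripts and source that are not web entry points. Extends the original
# py/pyc/sh set with .pyo and with editor/backup leftovers (.bak, .orig,
# .swp) and SQL dumps, which are a common source of credential leaks in
# deployed trees.
<FilesMatch "\.(py[co]?|sh|sql|bak|orig|swp)$">
    Require all denied
</FilesMatch>

# Log and text files. NOTE: this also denies robots.txt and any other .txt
# the site might intend to publish; narrow to specific names if needed.
<FilesMatch "\.(log|txt)$">
    Require all denied
</FilesMatch>

# Generated data files
<FilesMatch "^(webhook_response\.json|email_report\.html)$">
    Require all denied
</FilesMatch>

# Deny whole directories (vendor, logs).
# [NC] added: on a case-insensitive filesystem /Vendor/... would otherwise
# reach the files. These rules only exist when mod_rewrite is loaded, and
# vendor/ PHP files have no other guard, so vendor/ and logs/ should ideally
# live outside the document root rather than rely on this.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^vendor(/.*)?$ - [F,L,NC]
    RewriteRule ^logs(/.*)?$ - [F,L,NC]
</IfModule>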

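# Set default charset
AddDefaultCharset UTF-8

# Error documents (optional - customize as needed)
# ErrorDocument 404 /404.php
# ErrorDocument 500 /500.php

# PHP settings.
# php_value/php_flag only take effect under mod_php. The module is named
# mod_php7.c on PHP 7 but mod_php.c on PHP 8+, so an <IfModule mod_php7.c>
# block alone silently stops applying (no secure/httponly cookie flags) after
# a PHP upgrade; the same settings are therefore declared for both names.
# Under php-fpm/FastCGI this whole section is ignored and the equivalent must
# go into .user.ini or the pool configuration.
<IfModule mod_php7.c>
    # Session settings. cookie_secure means the session cookie is never sent
    # over plain HTTP, so logins only work once the HTTPS redirect above is
    # enabled. use_strict_mode rejects session IDs the server never issued
    # (session fixation); use_only_cookies refuses IDs passed in the URL.
    php_value session.gc_maxlifetime 3600
    php_value session.cookie_lifetime 3600
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.cookie_samesite "Lax"
    php_value session.use_strict_mode 1
    php_value session.use_only_cookies 1

    # Upload limits (adjust as needed)
    php_value upload_max_filesize 10M
    php_value post_max_size 10M

    # Memory limit
    php_value memory_limit 256M

    # Execution time
    php_value max_execution_time 300

    # Error reporting: never echo errors (paths, queries, stack traces) to the
    # client; log them instead
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>

# PHP 8+ (mod_php.c): identical to the mod_php7.c block above
<IfModule mod_php.c>
    php_value session.gc_maxlifetime 3600
    php_value session.cookie_lifetime 3600
    php_value session.cookie_httponly 1
    php_value session.cookie_secure 1
    php_value session.cookie_samesite "Lax"
    php_value session.use_strict_mode 1
    php_value session.use_only_cookies 1

    php_value upload_max_filesize 10M
    php_value post_max_size 10M

    php_value memory_limit 256M

    php_value max_execution_time 300

    php_flag display_errors Off
    php_flag log_errors On
</IfModule>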

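# Compression.
# text/html and application/json are compressed as well. When a single
# response contains both a secret (CSRF or session token) and attacker-
# influenced input, compression lets the secret be recovered byte by byte
# (BREACH). If report pages embed such tokens, drop text/html and
# application/json from this list or mask the tokens per request.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>

# Caching.
# mod_expires only adds headers to responses that carry no Expires/
# Cache-Control of their own, so PHP's session cache limiter is not
# overridden; PHP output without a session would, however, have fallen under
# ExpiresDefault and been cached for a day.
<IfModule mod_expires.c>
    ExpiresActive On

    # Images
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType image/gif "access plus 1 month"
    ExpiresByType image/svg+xml "access plus 1 month"

    # CSS and JavaScript
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"

    # Fonts
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType font/woff "access plus 1 year"

    # Dynamic output: report pages and JSON must not sit in browser or proxy
    # caches, so they are taken out of ExpiresDefault (max-age=0 forces
    # revalidation)
    ExpiresByType text/html "access plus 0 seconds"
    ExpiresByType application/json "access plus 0 seconds"

    # Default for everything else
    ExpiresDefault "access plus 1 day"
</IfModule>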

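# Prevent access to Git files.
# FilesMatch inspects the filename only, so this catches .gitignore or
# .gitattributes but not the repository itself: /.git/HEAD, /.git/config and
# /.git/objects/... all have filenames that do not start with ".git". A
# reachable .git directory exposes the full source history, so the directory
# is denied by path below as well (nested checkouts, .svn and .hg included).
<FilesMatch "^\.git">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule (^|/)\.(git|svn|hg)(/|$) - [F,L]
</IfModule>

# Block common exploit attempts.
# These are coarse signature filters for noise reduction, not a WAF: they
# look at the raw (undecoded) query string only, so alternative encodings,
# POST bodies and headers pass straight through. Input validation in the
# application remains the actual control.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # Script tags and direct PHP superglobal references in the query string
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ - [F,L]

    # Remote/local file inclusion patterns. https:// and case-insensitive
    # matching added: the original matched only a lowercase http://, so the
    # most common RFI form would have slipped past.
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https?:// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>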
