# NV ETOS Workspace — public/ (web root) Apache configuration
#
# The document root of your domain/subdomain must point at THIS folder.
# Application code, config, database scripts and uploads all live OUTSIDE this
# folder (one level up) and are therefore unreachable over HTTP.

# Turn off automatic directory listings, so a folder without an index file
# does not reveal the names of the files it contains.
# NOTE(review): `Options` in .htaccess only works if the host's AllowOverride
# permits it — confirm on the target host.
Options -Indexes
# Serve index.php when a directory itself is requested.
DirectoryIndex index.php

# ----------------------------------------------------------------------
# Force HTTPS (uncomment after AutoSSL / your certificate is active)
# ----------------------------------------------------------------------
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{HTTPS} off
#     RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# </IfModule>

# ----------------------------------------------------------------------
# Front-controller routing: send everything that is not a real file or
# directory to index.php.
# ----------------------------------------------------------------------
<IfModule mod_rewrite.c>
    # The rules below run in order; the order matters (the Authorization
    # pass-through has no [L] flag, so processing continues to the router rule).
    RewriteEngine On

    # If the app is served from a sub-folder instead of a (sub)domain root,
    # uncomment and set this to match (and set app.base_url in config/app.php):
    # RewriteBase /workspace

    # Pass the Authorization header through (some shared hosts strip it)
    # The condition matches any non-empty Authorization header; the rule does
    # not rewrite the URL ("-"), it only copies the header value into the
    # HTTP_AUTHORIZATION environment variable.
    # NOTE(review): that value can carry credentials or bearer tokens — make
    # sure nothing in production dumps the environment (debug pages, logs).
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Anything that is NOT an existing file (-f) or directory (-d) under this
    # folder is handed to index.php. Existing files are served directly and
    # never reach the front controller, so only files meant to be public
    # belong in this folder.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^ index.php [L]
</IfModule>

# ----------------------------------------------------------------------
# Security headers
# ----------------------------------------------------------------------
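<IfModule mod_headers.c>
    # "always" also attaches the header to error responses, not only to
    # successful ones.

    # Only pages from this origin may embed the site in a frame (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Browsers must honour the declared Content-Type instead of sniffing it.
    Header always set X-Content-Type-Options "nosniff"
    # Cross-origin requests receive the origin only, never the full URL.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # The legacy browser XSS filter is explicitly switched off. Current
    # browsers have removed it, and in the older ones that still honour the
    # header, "1; mode=block" could itself be abused against an otherwise safe
    # page. Script-injection defence belongs in a Content-Security-Policy.
    # NOTE(review): no Content-Security-Policy is set in this file — confirm
    # the application sends one.
    Header always set X-XSS-Protection "0"
    # Geolocation is limited to this origin; camera and microphone are disabled.
    Header always set Permissions-Policy "geolocation=(self), camera=(), microphone=()"
    # Enable HSTS once HTTPS is confirmed working:
    # (includeSubDomains applies to every subdomain of this host for a year;
    # enable it only when all of them serve HTTPS.)
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>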

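# Deny dotfiles and dot-directories (.env, .git/, .htaccess, etc.)
#
# <FilesMatch> is tested against the base name of the requested file only, so
# it blocks "/.env" but not a file INSIDE a hidden directory such as
# "/.git/config". The rewrite rule below closes that gap by refusing any
# request whose path has a segment starting with a dot.
# ".well-known/" stays reachable because certificate issuance and renewal
# (ACME / AutoSSL validation) depend on it.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Matches a dot at the start of any path segment, except ".well-known".
    RewriteRule "(^|/)\.(?!well-known(/|$))" - [F]
</IfModule>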

# ----------------------------------------------------------------------
# Compression & caching
# ----------------------------------------------------------------------
<IfModule mod_deflate.c>
    # Compress responses of the listed text-based MIME types.
    # NOTE(review): text/html and application/json may include dynamic
    # responses from index.php. If such a response carries a secret (e.g. a
    # CSRF token) next to reflected request data, compression exposes a
    # response-length side channel (BREACH) — confirm this is acceptable or
    # limit compression to static assets.
    AddOutputFilterByType DEFLATE text/html text/css application/javascript application/json image/svg+xml
</IfModule>
<IfModule mod_expires.c>
    # Send cache-lifetime headers, counted from the moment the client fetched
    # the resource ("access plus ...").
    ExpiresActive On
    # Stylesheets and scripts: 7 days.
    # NOTE(review): a fixed script can stay cached on clients for up to 7 days
    # unless asset URLs are versioned — confirm how the app references assets.
    ExpiresByType text/css "access plus 7 days"
    ExpiresByType application/javascript "access plus 7 days"
    # Images: 30 days.
    ExpiresByType image/png "access plus 30 days"
    ExpiresByType image/svg+xml "access plus 30 days"
    # No lifetime is declared here for any other type (including text/html).
</IfModule>
