# ═══════════════════════════════════════════
# MFA Tools - Hostinger .htaccess
# SPA routing + Security headers + Performance caching
# ═══════════════════════════════════════════

# ─── Enable rewrite engine ───
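<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Real files and directories (bundles, images, sitemaps, robots.txt) are served as-is.
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # A request for a MISSING asset (stale hashed bundle after a deploy, typo'd image)
  # must 404, not fall through to the SPA shell. Without this guard the client gets
  # a 200 text/html body under an asset URL, which browsers refuse to run as
  # script/style (nosniff) and which is likely cached for an hour under the
  # HTML cache rule since FilesMatch sees the rewritten filename index.html.
  RewriteCond %{REQUEST_URI} !\.(?:js|mjs|css|map|json|png|jpe?g|gif|svg|webp|avif|ico|woff2?|ttf|eot|otf|txt|xml)$ [NC]

  # Everything else is a client-side route: hand it to the SPA entry point.
  RewriteRule ^ index.html [L]
</IfModule>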

# ═══════════════════════════════════════════
# SECURITY HEADERS (C3 Fix)
# ═══════════════════════════════════════════
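<IfModule mod_headers.c>
  # HSTS - Force HTTPS for 1 year.
  # NOTE(review): "preload" is a long-lived commitment. Once the domain is in the
  # browser preload list, EVERY subdomain must serve valid HTTPS or it becomes
  # unreachable, and removal takes months. Keep "preload" only after confirming all
  # subdomains (mail, staging, ...) are TLS-only and the domain has been submitted.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # Prevent clickjacking. DENY matches the CSP "frame-ancestors 'none'" set below;
  # the previous SAMEORIGIN contradicted it. Browsers that understand CSP let
  # frame-ancestors win anyway, so this only tightens legacy-browser behaviour.
  Header always set X-Frame-Options "DENY"

  # Prevent MIME-type sniffing (also stops a mis-served HTML body from being run as script).
  Header always set X-Content-Type-Options "nosniff"

  # Legacy XSS auditor: explicitly disabled. Current browsers largely ignore this
  # header, and in the old ones that honoured "1; mode=block" the auditor itself
  # could be abused to leak page content or break pages; current OWASP guidance
  # is to send "0". The CSP below is the real control.
  Header always set X-XSS-Protection "0"

  # Referrer Policy
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # Permissions Policy (disable unused browser features)
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(self), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

  # Content Security Policy (basic). Known weak spots, left unchanged here so the
  # site keeps working, but worth fixing at build time:
  #  - script-src 'unsafe-inline' lets any injected <script> execute, which largely
  #    voids the XSS protection CSP is meant to provide; move inline scripts to
  #    files or use nonces/hashes.
  #  - https://cdn.tailwindcss.com is the in-browser "Play CDN" (runtime JIT), meant
  #    for prototyping, not production; compile Tailwind during the build instead.
  #  - fonts.googleapis.com serves CSS only and does not need to be in script-src.
  #  - img-src/connect-src "https:" allow ANY HTTPS origin; tighten to the concrete
  #    APIs/CDNs the app actually talks to.
  Header always set Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"

  # Remove server info.
  # NOTE(review): Apache httpd emits the Server header after mod_headers has run,
  # so "unset Server" is generally a no-op there (ServerTokens/ServerSignature are
  # server-level and not settable from .htaccess). Harmless, but do not rely on it;
  # verify with curl -I on the live host.
  Header always unset X-Powered-By
  Header always unset Server
</IfModule>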

# ═══════════════════════════════════════════
# COMPRESSION (Performance Fix)
# ═══════════════════════════════════════════
<IfModule mod_deflate.c>
  # Gzip every text-based response type: HTML, plain text, CSS, JS, JSON, the XML
  # variants and SVG. One directive; the type list is identical to the four-line form.
  # NOTE(review): compressing a response that mixes a secret (CSRF/session token)
  # with attacker-controlled input is BREACH-prone. Irrelevant for the static SPA
  # shell, but keep it in mind for any dynamic HTML/JSON a PHP endpoint may return.
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json application/xml application/xhtml+xml image/svg+xml
</IfModule>

<IfModule mod_brotli.c>
  # Brotli for the same text-based types as the gzip block above; clients that
  # advertise "br" get this, others fall back to DEFLATE. Same BREACH caveat applies.
  AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css application/javascript application/json application/xml application/xhtml+xml image/svg+xml
</IfModule>

# ═══════════════════════════════════════════
# CACHING STRATEGY (C1/C2 Fix)
# ═══════════════════════════════════════════

# HTML pages - cache for 1 hour (not no-cache!)
<FilesMatch "\.html$">
  # "Header set" without "always" is onsuccess-only, so 4xx/5xx pages get no max-age.
  # "public" lets shared caches (proxies/CDN) keep the page: fine for a static SPA
  # shell, but a security patch or rollback of index.html takes up to an hour to
  # reach every client.
  # NOTE(review): if any HTML served here is ever per-user, change it to
  # "private, no-store" so it never lands in a shared cache.
  Header set Cache-Control "public, max-age=3600, must-revalidate"
</FilesMatch>

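# Regular JS/CSS - cache for 1 week.
# This generic rule must come BEFORE the hashed-asset rule: every matching
# <FilesMatch> is applied in file order and "Header set" replaces the value, so
# in the original order the 1-week rule overwrote the 1-year/immutable rule for
# every hashed bundle.
<FilesMatch "\.(js|css)$">
  Header set Cache-Control "public, max-age=604800"
</FilesMatch>

# Static assets with a content hash in the filename - cache for 1 year (immutable).
# Safe only because a changed file gets a new name; never loosen this regex to
# catch un-hashed files.
# NOTE(review): the pattern assumes an 8+ char lower-hex hash separated by dots
# (app.3f2a9c1d.js). Confirm against the actual build output; some bundlers use a
# dash separator or mixed-case/base64url hashes, which this regex would not match.
<FilesMatch "\.[a-f0-9]{8,}\.(js|css)$">
  Header set Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>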

# Images - cache for 30 days (2592000 s). Filenames are not hashed, so an image
# replaced in place can stay stale in browser/proxy caches for up to 30 days.
<FilesMatch "\.(avif|webp|svg|ico|gif|jpe?g|png)$">
  Header set Cache-Control "public, max-age=2592000"
</FilesMatch>

# Fonts - cache for 1 year and mark immutable. The names are not hashed, so a
# font swapped in place is only picked up by clients after a year or a hard reload.
<FilesMatch "\.(woff2?|[ot]tf|eot)$">
  Header set Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>

# Crawler files (sitemap*.xml and robots.txt) - cache for 1 day. Both get the same
# header, so they share one section; the alternation is equivalent to the two
# separate patterns.
<FilesMatch "(?:sitemap.*\.xml|robots\.txt)$">
  Header set Cache-Control "public, max-age=86400"
</FilesMatch>

# ═══════════════════════════════════════════
# FILE UPLOAD LIMITS
# ═══════════════════════════════════════════
# NOTE(review): php_value is only understood when PHP runs as a server module
# (mod_php on Apache, LSAPI on LiteSpeed, which Hostinger typically runs). Under
# PHP-FPM/CGI on plain Apache it is an unknown directive and turns the WHOLE site
# into a 500; the equivalent there is a .user.ini file.
# A 64 MB request body plus a 5-minute execution/input window is a large resource
# budget for a site described above as a static SPA. Confirm a PHP endpoint
# actually needs uploads this large; otherwise remove these lines (smaller limits
# mean less request-flooding / slow-upload DoS surface).
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300
