# ═══════════════════════════════════════════
# MFA Tools - Hostinger .htaccess
# SPA routing + Security headers + Performance caching
# ═══════════════════════════════════════════

# ─── Enable rewrite engine ───
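<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # Defence in depth: never serve dotfiles or dot-directories (.env, .git/,
  # .htaccess, editor backups ...) anywhere under the web root. Apache's default
  # config only protects ".ht*". .well-known/ is exempt (ACME challenges,
  # security.txt). This must run before the "existing file" pass-through below.
  # 404 rather than 403 so the response does not confirm the file exists.
  RewriteRule "(^|/)\.(?!well-known(/|$))" - [R=404,L]

  # Files and directories that actually exist are served as-is
  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]

  # Everything else is a client-side route: hand it to the SPA shell.
  # Note this also means a mistyped asset URL gets index.html (200, text/html)
  # instead of a 404.
  RewriteRule ^ index.html [L]
</IfModule>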

# ═══════════════════════════════════════════
# SECURITY HEADERS (C3 Fix)
# ═══════════════════════════════════════════
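<IfModule mod_headers.c>
  # HSTS - force HTTPS for 1 year, including subdomains.
  # CAUTION: "preload" is practically irreversible once the domain is on the
  # browser preload list, and includeSubDomains requires every subdomain to be
  # served over HTTPS for the full max-age. Browsers ignore HSTS received over
  # plain HTTP, so sending it on http:// responses is harmless but useless.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  # Clickjacking: legacy header for browsers without CSP frame-ancestors.
  # DENY matches "frame-ancestors 'none'" in the CSP below; where both are
  # understood CSP takes precedence, so a SAMEORIGIN value here would never
  # actually permit framing and only causes confusion.
  Header always set X-Frame-Options "DENY"

  # Prevent MIME-type sniffing
  Header always set X-Content-Type-Options "nosniff"

  # Legacy XSS auditor: removed from current browsers, and where it still exists
  # its filtering mode has been abused for cross-site leaks. "0" explicitly
  # disables it (current OWASP guidance); CSP is the real XSS control.
  Header always set X-XSS-Protection "0"

  # Referrer Policy
  Header always set Referrer-Policy "strict-origin-when-cross-origin"

  # Permissions Policy (disable unused browser features)
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(self), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()"

  # Content Security Policy (basic). Known weaknesses, in order of impact:
  #  - 'unsafe-inline' in script-src largely neutralises CSP as an XSS
  #    mitigation; move inline scripts into files or use nonces/hashes.
  #  - cdn.tailwindcss.com is the Tailwind "Play" CDN, which compiles styles in
  #    the browser (hence 'unsafe-inline' in style-src) and is not intended for
  #    production builds.
  #  - img-src and connect-src allow any https: origin; narrow them to the hosts
  #    the app actually talks to.
  #  - fonts.googleapis.com serves CSS, not scripts, so it is not needed in
  #    script-src.
  Header always set Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; script-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.tailwindcss.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https:; frame-ancestors 'none'; base-uri 'self'; form-action 'self';"

  # Reduce fingerprinting. X-Powered-By (emitted by PHP) can be removed here.
  # The Server header is added by the core after this filter runs, so this
  # unset usually has no effect from .htaccess; hiding it needs ServerTokens
  # in the server configuration, which shared hosting does not expose.
  Header always unset X-Powered-By
  Header always unset Server
</IfModule>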

# ═══════════════════════════════════════════
# COMPRESSION (Performance Fix)
# ═══════════════════════════════════════════
<IfModule mod_deflate.c>
  # gzip/deflate for text-like responses (markup, styles, scripts, JSON/XML, SVG).
  # Compression is only a concern if a response ever mixes a secret with
  # attacker-controlled input (BREACH); static build output does not.
  AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json application/xml application/xhtml+xml image/svg+xml
</IfModule>

<IfModule mod_brotli.c>
  # Brotli for the same text-like types as the deflate block; the client's
  # Accept-Encoding decides which of the two filters actually applies.
  AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css application/javascript application/json application/xml application/xhtml+xml image/svg+xml
</IfModule>

# ═══════════════════════════════════════════
# CACHING STRATEGY (C1/C2 Fix)
# ═══════════════════════════════════════════

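# Fonts - cache for 1 year (immutable). This is the only Cache-Control rule
# kept in this section; HTML, CSS/JS, images and sitemaps are configured once,
# in the "AGGRESSIVE CACHE BUSTING" section further down, so each file type has
# a single, unambiguous policy.
#
# All Cache-Control rules in this file must use "Header always set": plain
# "Header set" writes the onsuccess header table while "always set" writes the
# always table, Apache emits both, and a response could then carry two
# conflicting Cache-Control headers.
<FilesMatch "\.(woff|woff2|ttf|eot|otf)$">
  Header always set Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>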

# Sitemap/RSS caching (1 hour) is set in the "AGGRESSIVE CACHE BUSTING" section
# below; robots.txt has no explicit rule here and uses the server default.
# ═══════════════════════════════════════════
# FILE UPLOAD LIMITS
# ═══════════════════════════════════════════
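# Only meaningful if a PHP upload endpoint is deployed alongside the SPA.
# NOTE: php_value is honoured only where PHP runs as an Apache module (mod_php)
# or the host's LSAPI emulates it; under plain CGI/FastCGI Apache treats these
# as unknown directives and the whole site typically returns 500. Confirm the
# hosting plan's PHP handler before relying on them.
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300

# Sitemaps are .xml (application/xml, which is already Apache's default).
# .xhtml is XHTML, not sitemap data: keep its standard application/xhtml+xml
# type, which is also the type the compression rules above match on.
AddType application/xml .xml
AddType application/xhtml+xml .xhtml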

# The UTF-8 charset for sitemaps is forced by the Content-Type header set on
# sitemap/RSS files in the caching section below.

# ═══════════════════════════════════════════
# AGGRESSIVE CACHE BUSTING
# ═══════════════════════════════════════════

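# NEVER cache HTML: the SPA shell must always pick up new asset hashes.
<FilesMatch "\.html$">
  Header always set Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0"
  Header always set Pragma "no-cache"
  Header always set Expires "0"
</FilesMatch>

# Ordering matters: when several <FilesMatch> sections match the same file,
# the LAST one wins for a given header. Generic rules therefore come first and
# the specific ones (hashed assets, never-cache data files) after them.

# Regular CSS/JS (cache-busted by query string, if at all) = short cache
<FilesMatch "\.(css|js)$">
  Header always set Cache-Control "public, must-revalidate, max-age=3600"
</FilesMatch>

# Hash-busted CSS/JS (name-<hash>.js or name.<hash>.js) = cache forever
<FilesMatch "[.-][a-f0-9]{8,}\.(css|js)$">
  Header always set Cache-Control "public, max-age=31536000, immutable"
</FilesMatch>

# NEVER cache JSON/JS data files. Must stay after the generic CSS/JS rule,
# otherwise that rule would override this one for the .js entries.
# NOTE(review): no-store only affects caching, not exposure - anything in
# admin-config.js is readable by every visitor; confirm it holds no secrets.
<FilesMatch "(products\.json|admin-config\.js|data-.*\.js)$">
  Header always set Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
</FilesMatch>

# Images = 30 days
<FilesMatch "\.(png|jpg|jpeg|gif|ico|svg|webp|avif)$">
  Header always set Cache-Control "public, max-age=2592000"
</FilesMatch>

# Sitemaps/RSS = 1 hour, served as XML with an explicit UTF-8 charset
<FilesMatch "(sitemap.*\.xml|rss\.xml|atom\.xml)$">
  Header always set Cache-Control "public, max-age=3600"
  Header always set Content-Type "application/xml; charset=utf-8"
</FilesMatch>

# ETags disabled: no inode/size/mtime validator is generated or sent, so the
# must-revalidate rules above revalidate via Last-Modified only.
Header always unset ETag
FileETag None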
