# Fon2Fix POS - .htaccess (Apache/LiteSpeed)
# v1.0 - deny sensitive files, gzip, cache, security headers, bot UA block.
# NOTE: Force-HTTPS block at bottom is COMMENTED OUT by default. Enable only
#       after confirming valid cert and no http:// cron jobs in cPanel.

# ------------------------------------------------------------------ #
# 1. DENY direct web access to sensitive server-side files
# ------------------------------------------------------------------ #
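# (?i) makes the match case-insensitive so CONFIG.PHP / Db.Php cannot slip
# past on a handler or filesystem that folds case. FilesMatch tests the
# basename only, so these names are denied at any directory depth. PHP
# include()/require() of these files is unaffected: this blocks only
# direct HTTP requests. .user.ini added: cPanel/LSAPI per-directory PHP
# settings live there and leak the same things php.ini would.
<FilesMatch "(?i)^(config\.php|config\.sample\.php|db\.php|helpers\.php|php\.ini|\.user\.ini|database_dump\.sql|debug_log\.txt|monitor_backup_status\.txt|\.htaccess|\.htpasswd)$">
    Require all denied
</FilesMatch>

# Deny entire backups/ and Archives-Executed/ from web.
# ^/? copes with the regex being matched against either the full URL-path
# or the path relative to this directory, which differs by server/version.
RedirectMatch 403 ^/?(backups|Archives-Executed)(/|$)

# Deny VCS metadata anywhere under the docroot if the app is deployed from
# a checkout (.git/HEAD and .git/config are routinely probed and expose
# source and remotes). .well-known/ is deliberately NOT matched so
# ACME / AutoSSL validation keeps working.
RedirectMatch 403 (^|/)\.(git|svn|hg)(/|$)

# Deny dumps, archives, backups, editor droppings, logs and env files by
# extension, case-insensitive. Also catches compressed dumps (x.sql.gz)
# and .env variants (.env.local, .env.production) which the earlier
# `\.env$` pattern missed.
<FilesMatch "(?i)(\.(sql|sql\.gz|tar\.gz|zip|tar|tgz|7z|rar|bak|old|orig|swp|log|env)$|^\.env)">
    Require all denied
</FilesMatch>

# Hide directory listings. Needs AllowOverride Options (or All) from the
# host; if that is not granted the whole .htaccess fails with a 500, so
# confirm on a fresh cPanel account before relying on it.
Options -Indexes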

# ------------------------------------------------------------------ #
# 2. Security headers (defence in depth; PHP also sends these)
# ------------------------------------------------------------------ #
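<IfModule mod_headers.c>
    # "always" applies to error responses (403/404/500) too, not only 2xx.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # The legacy XSS auditor is gone from current browsers and, where it
    # still exists, the "1; mode=block" filter can itself be abused to leak
    # page content; current OWASP guidance is to send "0". The real
    # mitigation is a Content-Security-Policy, which is not set here because
    # the app's inline script/style usage is not known from this file --
    # check what the PHP layer sends before adding one.
    Header always set X-XSS-Protection "0"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # camera=(self) stays enabled -- presumably for barcode/receipt scanning.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=(self)"
    # X-Powered-By comes from PHP; expose_php = Off in php.ini is the more
    # reliable fix, this is a backstop. Server is unlikely to be removed by
    # this directive: Apache adds it after mod_headers runs and LiteSpeed
    # sets its own; stripping it needs ServerTokens Prod in httpd.conf.
    # Both lines are harmless, so they are kept.
    Header unset X-Powered-By
    Header unset Server
    # No HSTS yet on purpose: it must only be sent once HTTPS is enforced
    # (section 6), otherwise plain-http users get locked out for max-age.
</IfModule>

# Keep the server version out of generated error pages.
ServerSignature Off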

# ------------------------------------------------------------------ #
# 3. Bot / crawler block at the Apache layer
# ------------------------------------------------------------------ #
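<IfModule mod_rewrite.c>
    RewriteEngine On

    # A POS back-office should never be indexed, so known search/archive
    # crawlers and common scripted clients get a 403. This is a User-Agent
    # string match and is trivially bypassed by anyone who changes their UA;
    # treat it as noise reduction, not access control -- authentication in
    # the PHP layer is what actually protects the app.
    # NOTE(review): "wget" is in this list. If any cPanel cron job fetches an
    # app URL with wget (see the cron caveat in section 6) it will be 403'd
    # here; use curl / a custom --user-agent in the cron line, or drop wget.
    # [F] already implies [L]; the earlier [F,L] was redundant.
    RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp|duckduckbot|baiduspider|yandex|sogou|exabot|facebot|ia_archiver|crawler|spider|scrapy|libwww|wget) [NC]
    RewriteRule ^ - [F]

    # Reject POSTs that carry no User-Agent (missing or empty); browsers
    # always send one, cheap form-spam scripts often do not.
    RewriteCond %{REQUEST_METHOD} ^POST$
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^ - [F]
</IfModule>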

# ------------------------------------------------------------------ #
# 4. Gzip compression
# ------------------------------------------------------------------ #
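<IfModule mod_deflate.c>
    # text/javascript and image/svg+xml added: newer Apache/LiteSpeed mime
    # tables serve .js as text/javascript rather than application/javascript,
    # in which case the original list compressed nothing for scripts.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/javascript text/javascript application/json application/xml text/xml image/svg+xml
    # NOTE(review): compressing dynamic text/html and application/json that
    # carry per-session secrets (CSRF tokens, session identifiers) alongside
    # attacker-reflected input enables BREACH-style length attacks over TLS.
    # If the app reflects user input on pages that also embed such tokens,
    # exempt those responses (SetEnv no-gzip on the PHP handler) or mask the
    # tokens per request.
</IfModule>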

# ------------------------------------------------------------------ #
# 5. Browser caching for static assets
# ------------------------------------------------------------------ #
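<IfModule mod_expires.c>
    ExpiresActive On
    # Only static asset types get an expiry. text/html (PHP output) is
    # deliberately absent so POS pages with customer/sales data are never
    # made cacheable by this layer; the PHP side should still send
    # Cache-Control: no-store on those pages itself.
    # text/javascript added to stay consistent with the gzip list: newer
    # mime tables serve .js under that type and it would otherwise get no
    # expiry. image/x-icon covers the favicon.
    ExpiresByType image/png                 "access plus 30 days"
    ExpiresByType image/jpeg                "access plus 30 days"
    ExpiresByType image/svg+xml             "access plus 30 days"
    ExpiresByType image/x-icon              "access plus 30 days"
    ExpiresByType text/css                  "access plus 7 days"
    ExpiresByType application/javascript    "access plus 7 days"
    ExpiresByType text/javascript           "access plus 7 days"
    ExpiresByType application/manifest+json "access plus 1 day"
</IfModule>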

# ------------------------------------------------------------------ #
# 6. Force HTTPS  ---  DISABLED BY DEFAULT
#    Enable only after confirming: (a) cert is valid + auto-renew working,
#    (b) all cPanel cron entries hit https:// URLs (and are not caught by the
#        User-Agent block in section 3 if they use wget).
#    When enabling, also consider:
#      - Use a fixed canonical host instead of %{HTTP_HOST}. Reflecting the
#        Host header means a crafted http:// request with a forged Host is
#        redirected to an arbitrary site (mostly harmless, but a cache-
#        poisoning vector in front of a CDN/proxy).
#      - Behind a TLS-terminating proxy or CDN, %{HTTPS} is "off" on every
#        request and this rule loops; test
#        RewriteCond %{HTTP:X-Forwarded-Proto} !https   in that setup.
#      - The acme-challenge exemption below keeps http-01 validation working
#        if AutoSSL validates over plain http.
#      - Test with R=302 first; a cached 301 cannot be rolled back from
#        browsers. Only once everything works, add HSTS in section 2:
#        Header always set Strict-Transport-Security "max-age=31536000"
# ------------------------------------------------------------------ #
# <IfModule mod_rewrite.c>
#     RewriteEngine On
#     RewriteCond %{HTTPS} off
#     RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
#     RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# </IfModule>
