# Piano Inventory Management System - .htaccess Configuration
# For cPanel CloudLinux LiteSpeed Server

# ========================================
# FORCE HTTPS REDIRECTION
# ========================================
# Turn on mod_rewrite for this directory; every RewriteRule further down in
# this file depends on it.
RewriteEngine On

# Redirect any request that arrived over plain HTTP to the same host and path
# on HTTPS. R=301 is a permanent redirect (browsers cache it); L stops rule
# processing for the request.
# NOTE(review): %{HTTP_HOST} is copied from the client's Host header, so the
# redirect target is only as trustworthy as the server's virtual-host matching;
# confirm unknown Host values are rejected, or hard-code the canonical hostname.
# NOTE(review): if TLS is terminated in front of this server, %{HTTPS} may stay
# "off" and this rule would redirect forever -- confirm for this hosting setup.
# NOTE(review): nothing in this file sets Strict-Transport-Security, so the
# first request of a visit can still be sent over HTTP before the redirect.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# ========================================
# SECURITY HEADERS
# ========================================
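# Prevent clickjacking: only same-origin pages may frame this site.
# "set" rather than "append": append merges with any X-Frame-Options value an
# upstream layer already added, producing a comma-separated list that browsers
# do not handle uniformly; set guarantees exactly one value.
# NOTE(review): unlike the keep-alive block later in this file, these Header
# directives are not wrapped in <IfModule mod_headers.c>. A missing module then
# shows up as a server error instead of the headers being silently dropped.
Header always set X-Frame-Options SAMEORIGIN

# Prevent MIME type sniffing
Header always set X-Content-Type-Options nosniff

# Legacy XSS filter switch.
# NOTE(review): current browsers have removed the XSS auditor this header
# controlled, and OWASP guidance is to send "0" or omit the header because the
# filter itself could be abused in older browsers. The CSP below is the control
# that matters; confirm whether this header is still wanted.
Header always set X-XSS-Protection "1; mode=block"

# Referrer Policy: full URL to same-origin requests, origin only to
# cross-origin HTTPS requests, nothing on downgrade to HTTP.
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Content Security Policy (CSP)
# NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval', so this
# policy does not stop injected inline script or eval-based execution; it mainly
# restricts where external resources load from. img-src and connect-src accept
# any https: origin. Tightening needs inline scripts moved to files or given
# nonces/hashes -- track as follow-up rather than assuming XSS is mitigated.
# frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' https:; frame-ancestors 'self';"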

# ========================================
# CACHE CONTROL
# ========================================
# Cache static assets
<FilesMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$">
    # Stylesheets, scripts, images and fonts: cacheable by any cache, and
    # marked immutable so browsers that honour it skip revalidation.
    Header set Cache-Control "public, immutable"

    # mod_expires supplies the freshness lifetime: one month from access.
    ExpiresActive On
    ExpiresDefault "access plus 1 month"
</FilesMatch>

# Cache HTML files for a shorter period
<FilesMatch "\.(html|htm)$">
    # HTML documents: cacheable, but must be revalidated once stale.
    # NOTE(review): "public" lets shared caches store these pages; confirm no
    # .html response is specific to a logged-in user.
    Header set Cache-Control "public, must-revalidate"

    # mod_expires supplies the freshness lifetime: one hour from access.
    ExpiresActive On
    ExpiresDefault "access plus 1 hour"
</FilesMatch>

# No cache for config files
# For .js/.json files whose request URI contains "config.js", override the
# static-asset caching above and forbid caching entirely.
# The m#config\.js# pattern is unanchored, so any URI containing that text
# matches, not only a file named exactly config.js.
# NOTE(review): the FILE PROTECTION section of this file denies all access to
# <Files "config.js">. The two rules look contradictory: either the browser is
# meant to fetch config.js (and the deny breaks it) or it is not (and this
# block is dead). Confirm which is intended.
<FilesMatch "\.(js|json)$">
    <If "%{REQUEST_URI} =~ m#config\.js#">
        # Cache-Control for HTTP/1.1 caches; Pragma and Expires for older ones.
        Header set Cache-Control "no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "0"
    </If>
</FilesMatch>

# ========================================
# COMPRESSION
# ========================================
# Enable GZIP compression
<IfModule mod_deflate.c>
    # Compress text-like responses; applied only when mod_deflate is loaded.
    # NOTE(review): compressing HTTPS responses that contain both a secret
    # (for example a CSRF token) and request-influenced content is the
    # precondition for BREACH-style compression side channels; confirm whether
    # any dynamic response served here fits that description.

    # Plain text and markup
    AddOutputFilterByType DEFLATE text/plain text/html text/xml text/css

    # XML-based application formats
    AddOutputFilterByType DEFLATE application/xml application/xhtml+xml application/rss+xml

    # Script and JSON payloads
    AddOutputFilterByType DEFLATE application/javascript application/x-javascript application/json
</IfModule>

# ========================================
# FILE PROTECTION
# ========================================
# Protect sensitive files
# Deny all HTTP access to any file named config.js.
# "Order allow,deny" with "Deny from all" is the Apache 2.2 access-control
# syntax; on Apache 2.4 it is provided by mod_access_compat, and the native
# equivalent is "Require all denied".
# NOTE(review): the CACHE CONTROL section sets no-cache headers for config.js,
# which suggests the browser is expected to load it; with this rule it cannot.
# Confirm the intent. If the file holds secrets, keeping it outside the
# document root is a stronger control than a deny rule.
<Files "config.js">
    Order allow,deny
    Deny from all
</Files>

# Deny HTTP access to this .htaccess file itself.
# NOTE(review): many server default configurations already deny .ht* files;
# this is defence in depth if so -- verify against the host's defaults.
<Files ".htaccess">
    Order allow,deny
    Deny from all
</Files>

# Deny HTTP access to any file whose name ends in .log.
# The backup/source FilesMatch rule later in this file also covers "log".
<Files "*.log">
    Order allow,deny
    Deny from all
</Files>

# ========================================
# ERROR PAGES
# ========================================
# Custom error pages (optional - create these files if needed)
# ErrorDocument 404 /404.html
# ErrorDocument 500 /500.html

# ========================================
# PERFORMANCE OPTIMIZATIONS
# ========================================
# Enable Keep-Alive
# Adds a literal "Connection: keep-alive" response header when mod_headers is
# loaded.
# NOTE(review): this header does not turn persistent connections on. Connection
# reuse is decided by the server's own keep-alive configuration, which cannot
# be set from .htaccess. Connection is also a hop-by-hop header that HTTP/2
# does not permit in responses. Consider removing this block.
<IfModule mod_headers.c>
    Header set Connection keep-alive
</IfModule>

# ========================================
# LITESPEED SPECIFIC
# ========================================
# LiteSpeed Cache Control
# Applied only when the server identifies as LiteSpeed.
<IfModule LiteSpeed>
    # Already enabled at the top of the file; repeated here.
    RewriteEngine On
    # "-" means no URL substitution: each rule only sets an environment flag.
    # There is no [L] flag, so rule processing continues afterwards.
    # noabort / noconntimeout are LiteSpeed flags; presumably they stop the
    # server from aborting the backend process and disable the connection
    # timeout for the request -- confirm against the LiteSpeed documentation.
    # NOTE(review): the ".*" pattern applies both flags to every request. If
    # they do remove the timeout, a slow or stalled request can hold a worker
    # for longer; consider limiting them to the endpoints that are known to
    # run long.
    RewriteRule .* - [E=noabort:1]
    RewriteRule .* - [E=noconntimeout:1]
</IfModule>

# ========================================
# CLOUDLINUX SPECIFIC
# ========================================
# CloudLinux resource limits (if needed)
# These are typically handled by the hosting provider
# <IfModule mod_ruid2.c>
#     RMode config
#     RUidGid yourusername yourgroup
# </IfModule>

# ========================================
# ADDITIONAL SECURITY
# ========================================
# Block access to hidden files and directories
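<IfModule mod_rewrite.c>
    # Return 403 for any request whose path contains a dot-prefixed segment
    # (for example .git or .env), provided the target exists on disk as a
    # file or directory. Relies on "RewriteEngine On" at the top of the file.
    #
    # /.well-known/ is exempted: it is the reserved location (RFC 8615) for
    # certificate-issuance (ACME) challenges and similar resources, and
    # blocking it can make automatic certificate renewal fail. The exemption
    # does not cover dot-prefixed names inside .well-known.
    # [OR] binds tighter than the implicit AND, so the conditions read:
    # not-well-known AND (is-directory OR is-file).
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^\.|/\.)" - [F]
</IfModule>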

# Block access to backup and source files
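# Deny access to backup, dump, editor-swap and source-like files that are
# commonly left behind in a web root and can disclose code or credentials.
# The "~" alternative sits outside the "\.(...)" group so that editor backups
# named like "index.php~" match; inside the group it would only match names
# ending in ".~".
# Order/Deny is the Apache 2.2 syntax (mod_access_compat on Apache 2.4); the
# native 2.4 equivalent is "Require all denied".
<FilesMatch "(\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist|old|orig|save|swo)|~)$">
    Order allow,deny
    Deny from all
</FilesMatch>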

# ========================================
# CORS HEADERS (if needed for API calls)
# ========================================
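# Uncomment if you need CORS, i.e. if pages served from other origins must read
# responses from this site. Requests this site makes to external APIs are
# governed by those APIs' own headers, not by these.
# An origin of "*" lets any site read the responses; name the specific origin
# where possible.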
# Header always set Access-Control-Allow-Origin "*"
# Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
# Header always set Access-Control-Allow-Headers "Content-Type, Authorization"

# ========================================
# RATE LIMITING (if mod_ratelimit is available)
# ========================================
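# Uncomment if you want to implement rate limiting.
# Note: mod_ratelimit throttles response bandwidth per connection (rate-limit
# is in KiB/s); it does not limit the number of requests. <Location> sections
# are not permitted in .htaccess files, so the block below belongs in the
# server or virtual-host configuration.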
# <IfModule mod_ratelimit.c>
#     <Location />
#         SetOutputFilter RATE_LIMIT
#         SetEnv rate-limit 400
#     </Location>
# </IfModule>

# ========================================
# MAINTENANCE MODE (uncomment when needed)
# ========================================
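# Note: as written, the rule also matches /maintenance.html itself, so clients
# outside the allowed address would be redirected in a loop. Before enabling,
# add "RewriteCond %{REQUEST_URI} !^/maintenance\.html$" and escape the dots in
# the IP address pattern.
# RewriteEngine On
# RewriteCond %{REMOTE_ADDR} !^YOUR_IP_ADDRESS$
# RewriteRule .* /maintenance.html [R=302,L]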

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php81” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php81 .php .php8 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
