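# ================================================================================
# Security Headers Configuration for Apache
# ================================================================================
# Add these lines to your .htaccess file to enhance security
# Make sure mod_headers is enabled: sudo a2enmod headers && systemctl restart apache2
#
# Layout notes:
#  - Every section that depends on an optional module is wrapped in <IfModule>, so a
#    module that is not loaded skips the section instead of breaking the whole site
#    with a 500 "Invalid command".
#  - The "Protect Sensitive Files" rules are wrapped in <Files>/<FilesMatch>
#    containers. Without a container, "Order allow,deny / Deny from all" applies to
#    the entire directory tree and denies every request.
#  - Access control uses the Apache 2.4 "Require" syntax and falls back to the 2.2
#    "Order/Deny" syntax only when mod_authz_core is absent.
# ================================================================================
# ============== Security Headers ==============
<IfModule mod_headers.c>
    # Prevent clickjacking attacks (the CSP frame-ancestors directive below says
    # the same thing for CSP-aware browsers)
    Header always set X-Frame-Options "DENY"
    # Prevent MIME type sniffing
    Header always set X-Content-Type-Options "nosniff"
    # Legacy browser XSS auditor. "0" switches it off: the auditor has been removed
    # from current browsers and had known side-channel problems when enabled, so the
    # current recommendation is to disable it and rely on Content-Security-Policy.
    Header always set X-XSS-Protection "0"
    # Enforce HTTPS (uncomment if you have SSL). "preload" is a long-lived and hard
    # to revert commitment covering every subdomain; start with a shorter max-age
    # and without "preload" until all subdomains serve TLS.
    # Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    # Content Security Policy
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow injected
    # inline script to execute, so this policy does not yet block XSS; tighten it once
    # inline scripts are moved to files or nonces. "img-src https:" permits images
    # from any HTTPS origin. frame-ancestors 'none' mirrors X-Frame-Options DENY.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com https://www.gstatic.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self'; frame-ancestors 'none';"
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Permissions Policy
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Cross-Domain Policy
    Header always set X-Permitted-Cross-Domain-Policies "none"
    # Remove server version information. Both forms are needed: "unset" edits the
    # success-response header table, "always unset" the table used for error responses.
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>
# ============== Hide PHP Version ==============
# expose_php is a PHP_INI_SYSTEM setting: it can only be changed in php.ini
# ("expose_php = Off"), not per directory, so a php_flag line here is ignored at
# best. With PHP-FPM (no mod_php) "php_flag" is an unknown directive and breaks
# the site. Left commented as a reminder; the X-Powered-By removal above already
# strips the header PHP would otherwise add.
# php_flag expose_php off
# ============== Disable Directory Browsing ==============
Options -Indexes
# ============== Protect Sensitive Files ==============
# NOTE(review): the file pattern of this first block was lost from the source.
# Apache's own default, "^\.ht" (.htaccess / .htpasswd), is used here — confirm
# the pattern that was intended before relying on it.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# Protect .env file
<Files ".env">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# Protect composer files
<FilesMatch "^composer\.(json|lock)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# Protect git files. <FilesMatch> only matches the last path component (e.g.
# .gitignore), so a path-based rule is added for requests inside a .git directory
# such as /.git/config.
<FilesMatch "^\.git">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
<IfModule mod_alias.c>
    RedirectMatch 404 /\.git
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # ============== SQL Injection Protection ==============
    # NOTE(review): these are plain substring signatures, not a WAF. The keyword list
    # below (select, update, delete, script, ...) matches ordinary words inside values
    # such as "?page=description" or "?action=update" and will block legitimate
    # requests; it is also trivially bypassable with alternate encodings. Treat it as
    # a coarse filter only and use mod_security (or application-side parameterized
    # queries, which are the real fix) for actual injection protection.
    # Block suspicious query strings
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
    RewriteCond %{QUERY_STRING} (union|select|insert|drop|update|delete|exec|script|javascript|eval) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # Block SQL injection attempts in URL
    RewriteCond %{REQUEST_URI} (;|<|>|'|"|\)|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{REQUEST_URI} (boot\.ini|etc/passwd|self/environ) [NC,OR]
    RewriteCond %{REQUEST_URI} (thumbs\.db|Thumbs\.db|\.DS_Store) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # ============== XSS Protection ==============
    # Same caveat as above: signature matching on the query string, with the same
    # false-positive and bypass limitations.
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} javascript\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} (\.\./|\.\.\\) [NC]
    RewriteRule ^(.*)$ - [F,L]
</IfModule>
# ============== Rate Limiting (Basic) ==============
# Limit request rate to slow down brute force / flood traffic
# NOTE(review): mod_evasive's DOS* directives are server/virtual-host level settings.
# If Apache reports them as "not allowed here", move this section into the vhost
# configuration; it is kept here in an <IfModule> so it cannot take the site down
# when the module is absent.
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 10
    DOSSiteCount 100
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
</IfModule>
# ============== MIME Type Settings ==============
<IfModule mod_mime.c>
    AddType application/javascript js
    AddType application/json json
    AddType text/css css
    AddType image/svg+xml svg
</IfModule>
# ============== Compression ==============
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/json
</IfModule>
# ============== Cache Control ==============
# ExpiresDefault also applies to text/html and other types not listed below, so
# pages are cacheable for 2 days unless the application sends its own Cache-Control.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/pdf "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType application/x-shockwave-flash "access plus 1 month"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresDefault "access plus 2 days"
</IfModule>
# ============== Prevent Hotlinking ==============
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Uncomment and modify the next lines to prevent image hotlinking
    # (replace yourdomain.com; the dot is escaped because the value is a regex)
    # RewriteCond %{HTTP_REFERER} !^$
    # RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
    # RewriteRule \.(jpg|jpeg|png|gif|svg)$ - [F,NC]
</IfModule>
# ================================================================================
# END OF SECURITY CONFIGURATION
# ================================================================================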