# ============================================
# NEXUS — .htaccess Security & Config
# Place this in your webroot (public_html/)
# ============================================

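# ── Block directory listings ─────────────────
# Without this, a directory that has no index file is listed, exposing file
# names (backups, uploads, config) to anyone who browses to it.
Options -Indexes

# ── Block access to sensitive files ──────────
# "Order allow,deny / Deny from all" is Apache 2.2 syntax; on 2.4 it works
# only while mod_access_compat is loaded. Both forms are given so the deny
# holds whichever authorization stack is present.
# NOTE: "json" and "md" also cover files such as manifest.json or a public
# README.md — remove an extension from the list if the site must serve it.
<FilesMatch "\.(env|sql|log|sh|bak|json|md|ini|cfg)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ── Block debug/test scripts ──────────────────
# Matches the bare file name only (test.php, phpinfo.html, ...); a script
# under another name, or in a subdirectory with a different name, is not
# covered — remove such files from the webroot rather than rely on this.
<FilesMatch "^(test|debug|info|phpinfo|install|setup)\.(php|html)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ── Block access to hidden files (.htpasswd etc) ──
# FilesMatch sees only the final path component, so this denies files whose
# own name starts with a dot. It does NOT cover the contents of a hidden
# directory (e.g. a file inside .git/); that needs a rule on REQUEST_URI
# such as the mod_rewrite rules further down.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>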

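# ── mod_rewrite: request filtering, Authorization passthrough, HTTPS ─
# All rewrite rules live in this one section so their order is explicit:
#   1. refuse hostile query strings and hidden-path requests (403),
#   2. copy the Authorization header into the environment for PHP,
#   3. send any remaining plain-HTTP request to HTTPS.
# Deliberately not wrapped in <IfModule mod_rewrite.c>: if mod_rewrite is
# missing, a loud 500 is preferable to silently losing the HTTPS redirect
# and the filters. RewriteEngine On is needed exactly once.
RewriteEngine On

# Coarse query-string filter: rejects <script ...> tags and attempts to
# inject the PHP GLOBALS / _REQUEST superglobals. This is a blacklist and is
# defence in depth only — input validation and output encoding in the
# application remain the real control. With [F] the substitution is ignored,
# so "-" is used instead of a target path.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]

# Block version-control and shell/Apache dot-files.
# The first condition keeps the original "URI ends in .git/.svn/..." match;
# the second matches a .git or .svn path component anywhere in REQUEST_URI,
# so /.git/config and /.svn/entries are refused too. The FilesMatch rules
# above cannot do this because they see only the file name, not its path.
RewriteCond %{REQUEST_URI} \.(bash|git|svn|htpasswd|htaccess)$ [NC,OR]
RewriteCond %{REQUEST_URI} (^|/)\.(git|svn)(/|$) [NC]
RewriteRule .* - [F,L]

# ── CRITICAL: pass the Authorization header to PHP ─
# When PHP runs as CGI/FastCGI (usual on shared hosting) Apache does not hand
# it the Authorization header. Copying it into an environment variable makes
# it available as $_SERVER['HTTP_AUTHORIZATION'], or as
# $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] after an internal redirect.
# HTTP_AUTH_HEADER is a non-standard alias; it is kept because application
# code may read it. Both are set from one rule so they never diverge.
RewriteCond %{HTTP:Authorization} .+
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},E=HTTP_AUTH_HEADER:%{HTTP:Authorization}]

# ── Redirect HTTP to HTTPS ────────────────────
# %{HTTPS} reflects TLS on this Apache instance only. Behind a TLS-terminating
# proxy or CDN it stays "off" and this rule loops; in that case condition on
# the proxy's forwarded-protocol header instead, and only if the proxy is
# trusted to set it. %{HTTP_HOST} is taken from the client's Host header; if
# the vhost does not pin the hostname, prefer a fixed hostname here so the
# redirect target cannot be influenced by the request.
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]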

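# ── Security headers ──────────────────────────
# "always" makes the headers apply to error responses (403/404/500) as well
# as successful ones, so they cannot be stripped by the error path.
<IfModule mod_headers.c>
    # Allow framing only by pages from the same origin (clickjacking).
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop browsers MIME-sniffing a response away from its declared type.
    Header always set X-Content-Type-Options "nosniff"
    # The XSS auditor this header controlled has been removed from current
    # browsers, and in older ones "1; mode=block" has caused its own issues;
    # the current recommendation (OWASP) is to disable it explicitly with "0"
    # and rely on a Content-Security-Policy instead.
    Header always set X-XSS-Protection "0"
    # Send the full URL only to same-origin requests; origin only cross-site.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Deny these browser features to this site and any embedded frames.
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
    # Strict-Transport-Security is intentionally not set here: once the HTTPS
    # redirect above is confirmed to work for every hostname the site answers
    # on, enable it, starting with a short max-age, e.g.
    #   Header always set Strict-Transport-Security "max-age=300"
</IfModule>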

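# ── PHP hardening (shared hosting) ───────────
# These php_flag/php_value lines take effect only when PHP runs as an Apache
# module (mod_php.c for PHP 8; PHP 7 registered as mod_php7.c). Under
# PHP-FPM or CGI — common on shared hosting — this block is skipped and the
# same settings must go in a .user.ini or php.ini instead.
<IfModule mod_php.c>
    # Never show PHP errors (paths, SQL, stack traces) to visitors.
    php_flag display_errors Off
    # NOTE: expose_php is PHP_INI_SYSTEM and cannot be changed from .htaccess;
    # this line is accepted but has no effect. Set it in php.ini instead.
    php_flag expose_php Off
    # Session cookie not readable by script (limits XSS cookie theft).
    php_value session.cookie_httponly 1
    # Session cookie not sent on cross-site requests (CSRF mitigation).
    php_value session.cookie_samesite Strict
    # The site is forced to HTTPS above, so the session cookie must never be
    # sent over plain HTTP.
    php_value session.cookie_secure 1
    # Reject session IDs the server did not issue (session fixation).
    php_flag session.use_strict_mode On
</IfModule>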

# ── Cache static assets ───────────────────────
# Sets Expires/Cache-Control for static types so repeat visits are served
# from the browser cache. Stylesheets, scripts and images get one month;
# the favicon, which rarely changes, gets one year. Applies only when
# mod_expires is loaded; otherwise no caching header is added.
<IfModule mod_expires.c>
    ExpiresActive On

    # Text assets
    ExpiresByType text/css               "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Images
    ExpiresByType image/png              "access plus 1 month"
    ExpiresByType image/jpeg             "access plus 1 month"
    ExpiresByType image/webp             "access plus 1 month"
    ExpiresByType image/svg+xml          "access plus 1 month"

    # Favicon
    ExpiresByType image/x-icon           "access plus 1 year"
</IfModule>

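# ── Compress text assets ──────────────────────
# gzip-compresses text responses on the fly. image/svg+xml and
# text/javascript are included to match the cache rules above (SVG is text)
# and the current registered MIME type for JavaScript. Binary images are
# already compressed and are left out.
# NOTE: compressing HTML that reflects user input next to a secret (e.g. a
# CSRF token) is the precondition for BREACH; the application should keep
# such tokens per-request or mask them.
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/css text/plain
    AddOutputFilterByType DEFLATE application/javascript text/javascript
    AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>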

