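RewriteEngine On

# Clean URLs - Remove .php extension
# /foo is served by foo.php when /foo is neither a real directory nor a real
# file AND foo.php actually exists. The third condition lets requests for
# names that have no script fall through to the normal 404 instead of handing
# a non-existent file to the PHP handler.
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^([^\.]+)$ $1.php [NC,L]

# Redirect .php extension to clean URL
# THE_REQUEST is the original request line, so the internal rewrite above does
# not trigger this rule again (no loop). Only GET/HEAD are redirected: a 301
# makes browsers replay the request as GET, which would drop POST bodies and
# silently change PUT/DELETE, and a CORS preflight (OPTIONS) fails if it is
# answered with a redirect. The THE_REQUEST condition must stay last because
# %1 refers to the most recently matched RewriteCond.
RewriteCond %{REQUEST_METHOD} ^(GET|HEAD)$
RewriteCond %{THE_REQUEST} /([^.]+)\.php [NC]
RewriteRule ^ /%1 [NC,L,R=301]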

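# Security Headers
# "always" attaches the headers to error responses (4xx/5xx) as well, which
# mod_headers would otherwise skip. They are deliberately not wrapped in
# <IfModule mod_headers.c>: if the module is missing the directory fails with
# a 500 instead of silently shipping without these protections.
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
# "1; mode=block" enabled the legacy browser XSS auditor, which current
# browsers have removed and whose blocking mode could itself be abused for
# cross-site leaks; current guidance (OWASP, MDN) is to disable it explicitly
# and rely on the Content-Security-Policy below.
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# NOTE(review): 'unsafe-inline' in script-src largely neutralises the CSP
# against injected inline scripts; move inline JS/CSS into files (or use
# nonces) when feasible. "frame-ancestors 'none'" would be the CSP equivalent
# of X-Frame-Options DENY. Strict-Transport-Security is not set here — add it
# only once the site is served exclusively over HTTPS.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"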

# Handle CORS preflight requests (restrict to specific domains in production)
# NOTE(review): "*" lets a page from any origin read responses from this site.
# Because Authorization is whitelisted below, scripts on any origin may also
# send bearer-token requests and read the result (browsers still refuse to
# attach cookies to a "*" origin, since Access-Control-Allow-Credentials is
# not set here). Replace "*" with the exact allowed origin(s) before
# deployment (e.g. SetEnvIf Origin ... plus "Header ... env=") and add
# "Vary: Origin" when the value becomes origin-dependent.
Header always set Access-Control-Allow-Origin "*"
# PUT and DELETE are advertised to every origin; drop them if the endpoints
# behind this directory only use GET/POST.
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
# Browsers may cache a preflight result for up to 3600 s (browser-specific caps apply).
Header always set Access-Control-Max-Age "3600"

# Handle preflight requests
# Answers OPTIONS here so the CORS headers above reach the browser without the
# target script having to handle the method. R=200 is not a redirect code: per
# the mod_rewrite docs, for a status outside 300-399 the substitution is
# dropped and rewriting stops as if L were given.
# NOTE(review): in per-directory (.htaccess) context this does not necessarily
# short-circuit the request, so the matched script may still execute for
# OPTIONS — verify with a real preflight that the response is an empty 200/204
# rather than script output. This rule sits after the clean-URL rewrite, so by
# the time it matches, the path is usually already the rewritten .php name.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

# Prevent directory browsing
# Without this, a directory lacking an index file would list its contents and
# expose file names (backups, service classes, etc.). Honoured from .htaccess
# only when AllowOverride permits Options (otherwise Apache answers 500).
Options -Indexes

# Deny access to sensitive files and directories
# One anchored regex section in place of three literal <Files> sections.
# The two dot-file entries are also caught by the hidden-file rule further
# down; they are kept here so this list reads as the full set of named secrets.
<FilesMatch "^(config\.php|\.htaccess|\.env)$">
    Require all denied
</FilesMatch>

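# Deny access to backup and temporary files
<FilesMatch "\.(bak|backup|old|tmp|temp|log|sql|txt)$">
    Require all denied
</FilesMatch>

# Deny access to hidden files and directories
# FilesMatch tests the file's basename only, so this covers .env.local,
# .git* and similar files but not files *inside* a dot-directory (e.g. ACME
# challenge files under .well-known/ are not affected by this rule).
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# The "txt" entry above also hides robots.txt, which is neither a backup nor a
# temporary file and is meant to be public. Re-allow it explicitly: for the
# same file, a later <Files>/<FilesMatch> section takes precedence over an
# earlier one.
<Files "robots.txt">
    Require all granted
</Files>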

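# Prevent access to include/config directories
# <DirectoryMatch> is only valid in server config / virtual host context; in a
# .htaccess it makes Apache reject the whole file ("not allowed here"), so
# every request in this directory fails with 500. A per-directory RewriteRule
# gives the intended effect instead: a request whose path contains one of these
# names as a full path segment is answered 403. Relies on RewriteEngine On at
# the top of this file. Matching a whole segment (rather than any substring,
# as the old regex did) avoids blocking e.g. "secure-downloads/" or the site
# root itself when its own path happens to contain one of these words.
RewriteRule (^|/)(includes?|configs?|private|secure)(/|$) - [F,L]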

# Set proper content type for PHP files
# NOTE(review): ForceType only fixes the MIME type of the response; it is the
# legacy mod_php way of triggering PHP execution. On hosts that run PHP via
# php-fpm (SetHandler "proxy:..."/AddHandler at server level) it is redundant
# and might interfere with that handler — confirm it is actually needed here.
# Requires AllowOverride FileInfo to be honoured from .htaccess.
<FilesMatch "\.php$">
    ForceType application/x-httpd-php
</FilesMatch>

# Prevent direct access to service files
# Presumably these classes are only ever included by other scripts; a single
# anchored regex blocks direct HTTP requests to both of them.
<FilesMatch "^(EmailService|ReceiptService)\.php$">
    Require all denied
</FilesMatch>

# Rate limiting (if mod_evasive is available)
# <IfModule mod_evasive24.c>
#     DOSHashTableSize    2048
#     DOSPageCount        10
#     DOSPageInterval     1
#     DOSSiteCount        50
#     DOSSiteInterval     1
#     DOSBlockingPeriod   600
# </IfModule>
