# .htaccess - ROOT LEVEL (Apache DocumentRoot)
# ✅ IONOS COMPATIBLE + Security Enhanced
# ⚠️ All routing rules preserved!

# ============================================
# 1. SECURITY: Block Access to Sensitive Files
# ============================================
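# .env holds credentials and must never be served.
# (Also covered by the "^\." rule below; kept as an explicit guard.)
# Apache 2.4 uses Require; the Order/Deny pair only exists in 2.2 or in
# 2.4 via the deprecated mod_access_compat, so both forms are provided
# and only the one the server understands is applied.
<FilesMatch "^\.env$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>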

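# Deny source, dump, log, backup and config files by extension.
# Note: "txt" also denies any static .txt in the tree (robots.txt is
# unaffected because mod_rewrite maps it to robots.txt.php), and
# "json" already covers composer.json / package.json.
# Apache 2.4 uses Require; the Order/Deny pair only exists in 2.2 or in
# 2.4 via the deprecated mod_access_compat, so both forms are provided.
<FilesMatch "\.(md|sql|log|json|txt|bak|backup|old|config)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>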

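# Block dotfiles such as .htaccess, .htpasswd and .env.*
# FilesMatch tests the file name only, so "^\." covers every file whose
# own name starts with a dot but NOT files inside dot-directories:
# /.git/config or /.svn/wc.db have plain names and were served if a
# repository was deployed. Those paths are denied by the RedirectMatch
# below, which tests the whole URL path. /.well-known/... is unaffected.
<FilesMatch "^\.">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block the contents of .git and .svn directories anywhere in the tree
<IfModule mod_alias.c>
    RedirectMatch 403 "/\.(git|svn)(/|$)"
</IfModule>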

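# Block build/dependency metadata that leaks installed versions.
# phpunit.xml.dist is the other default PHPUnit config name, so it is
# denied as well. composer.json and package.json are already covered
# by the ".json" rule above; listed here for readability.
# Apache 2.4 uses Require; the Order/Deny pair only exists in 2.2 or in
# 2.4 via the deprecated mod_access_compat, so both forms are provided.
<FilesMatch "(composer\.(json|lock)|package(-lock)?\.json|phpunit\.xml(\.dist)?|\.ya?ml)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>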

# Block directory listings (if allowed by server)
# "Options" is a core directive; the mod_autoindex guard only skips it
# when there is no module that could produce a listing. NOTE(review):
# Options in .htaccess typically requires AllowOverride Options on the
# host; if the host forbids it the whole file fails with a 500.
<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

# ============================================
# 2. ENABLE MOD_REWRITE
# ============================================
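<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    
    # Force CSS/JS to be served as static files
    <FilesMatch "\.(css|js)$">
        SetHandler default-handler
    </FilesMatch>

    # ============================================
    # 3. BLOCK SUSPICIOUS REQUESTS (Security Enhancement)
    # ============================================
    # Coarse blocklist on the raw (still URL-encoded) query string.
    # It never sees the POST body, it only knows the encodings listed
    # here, and the union/select and drop/insert patterns will also
    # reject legitimate requests that happen to contain those words.
    # The actual protection must come from parameterised queries in
    # the PHP code; treat these rules as noise reduction only.
    # Block SQL injection attempts
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} (union.*select|select.*union) [NC,OR]
    RewriteCond %{QUERY_STRING} (drop.*table|insert.*into) [NC]
    RewriteRule .* - [F,L]
    
    # Block file injection attempts
    # Fix: the scheme check now also catches https:// and upper-case
    # schemes, and the traversal check also catches the URL-encoded
    # forms of "../" (..%2F, %2E%2E/); the previous http:// and "../"
    # patterns let both through unchanged.
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=https?:// [NC,OR]
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=((\.\.|%2e%2e)(/|%2f)/?)+ [NC,OR]
    # NOTE(review): kept as written. This pattern only matches paths
    # made of single-character segments ("=/a/b/"); it will not match
    # "=/etc/passwd". Confirm what it was meant to catch before
    # widening it - a broader pattern would also block legitimate
    # "?return=/some/path" style parameters.
    RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
    RewriteRule .* - [F,L]

    # ============================================
    # 4. SPECIAL FILES: Root Level Access
    # ============================================
    # sitemap.xml - Allow direct access to root file (only if it exists)
    RewriteCond %{REQUEST_URI} ^/sitemap\.xml$
    RewriteCond %{DOCUMENT_ROOT}/sitemap.xml -f
    RewriteRule ^sitemap\.xml$ - [L]
    
    # robots.txt.php -> /robots.txt
    # Unconditional: a static robots.txt in the root is never used.
    RewriteRule ^robots\.txt$ robots.txt.php [L]
    
    # Installers and diagnostics are mapped to themselves so that no
    # later rule touches them. NOTE(review): they stay publicly
    # reachable as long as the files exist. Installers should be
    # deleted after setup, and info.php / test*.php / check-opcache.php
    # / debug-security-upgrade.php should not be deployed to production
    # at all, since such scripts disclose server configuration.
    # install-cms.php (root level installer)
    RewriteRule ^install-cms\.php$ install-cms.php [L]

    # build-distribution.php (root level installer)
    RewriteRule ^build-distribution\.php$ build-distribution.php [L]
    
    # database-installer.php (root level)
    RewriteRule ^database-installer\.php$ database-installer.php [L]

    # Development/Testing files
    RewriteRule ^test\.php$ test.php [L]
    RewriteRule ^info\.php$ info.php [L]
    RewriteRule ^performance-test\.php$ performance-test.php [L]
    RewriteRule ^optimize-database\.php$ optimize-database.php [L]
    RewriteRule ^test-production\.php$ test-production.php [L]
    RewriteRule ^check-opcache\.php$ check-opcache.php [L]
    RewriteRule ^debug-security-upgrade\.php$ debug-security-upgrade.php [L]
    
    # ============================================
    # 5. CACHE: Direct access to cached assets
    # ============================================
    # Only existing files under /cache/ are served as-is.
    RewriteCond %{REQUEST_URI} ^/cache/
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^cache/(.+)$ cache/$1 [L]
    
    # ============================================
    # 6. MEDIA FILES: secure serving via media.php
    # ============================================
    # The rest of the path is handed to media.php as ?file=... together
    # with the original query string (QSA). Whether traversal or
    # absolute paths in that value are rejected is decided inside
    # media.php, not by this rule.
    RewriteCond %{REQUEST_URI} ^/media/
    RewriteRule ^media/(.+)$ cms-core/public/webview/media.php?file=$1 [L,QSA]

    # ============================================
    # 7. ASSETS: CSS & JS from webview/assets
    # ============================================
    RewriteCond %{REQUEST_URI} ^/assets/
    RewriteRule ^assets/(.+)$ cms-core/public/webview/assets/$1 [L]

    # ============================================
    # 8. CUSTOMIZATIONS: Custom Frontend Assets
    # ============================================
    # Only existing files are served; everything else falls through.
    RewriteCond %{REQUEST_URI} ^/customizations/
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteRule ^customizations/(.+)$ customizations/$1 [L]

    # ============================================
    # 9. ADMIN AREA: All admin requests go to webview
    # ============================================
    # Routing only: this rule authenticates nobody. Login and
    # authorisation must be enforced by the scripts under
    # cms-core/public/webview/admin/.
    RewriteCond %{REQUEST_URI} ^/admin/
    RewriteRule ^admin/(.*)$ cms-core/public/webview/admin/$1 [L]

    # ============================================
    # 10. HOMEPAGE: EXPLICIT index.php routing
    # ============================================
    RewriteRule ^$ cms-core/public/webview/index.php [L]
    RewriteRule ^index\.php$ cms-core/public/webview/index.php [L]

    # ============================================
    # 11. BLOG ROUTING: Blog overview and posts
    # ============================================
    # Post slugs are limited to [a-z0-9-] by the pattern itself.
    RewriteRule ^blog/?$ cms-core/public/webview/blog.php [L,QSA]
    RewriteRule ^blog/post/([a-z0-9-]+)/?$ cms-core/public/webview/blog-post.php?slug=$1 [L,QSA]

    # ============================================
    # 12. DYNAMIC PAGES: User-created pages via page.php
    # ============================================
    # NOTE(review): cms-core is excluded from slug routing, but nothing
    # in this file denies direct requests to /cms-core/... . Because
    # the rewrites above target cms-core/public/webview internally,
    # such a deny rule would have to test %{THE_REQUEST} rather than
    # %{REQUEST_URI}. Anything under cms-core that is not meant to be
    # public needs its own .htaccess or a rule of that kind.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} !^/(admin|media|assets|customizations|cms-core|blog|cache)/
    RewriteCond %{REQUEST_URI} !^/(robots\.txt|sitemap\.xml|install-cms\.php|database-installer\.php)
    RewriteRule ^([a-z0-9-]+)/?$ cms-core/public/webview/page.php?slug=$1 [QSA,L]

    # ============================================
    # 13. FALLBACK 404
    # ============================================
    # Internal rewrite, not a redirect: 404.php has to send the 404
    # status itself, otherwise unknown URLs answer with 200.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . cms-core/public/webview/404.php [L]
</IfModule>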

# ============================================
# 14. ERROR DOCUMENTS
# ============================================
# Each status is answered by the CMS-rendered page under
# cms-core/public/webview. The values are local URL-paths (leading
# slash), so Apache serves them via an internal redirect rather than
# emitting them as literal text.
ErrorDocument 403 /cms-core/public/webview/403.php
ErrorDocument 404 /cms-core/public/webview/404.php
ErrorDocument 500 /cms-core/public/webview/500.php

# ============================================
# 15. SECURITY HEADERS (IONOS Compatible)
# ============================================
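<IfModule mod_headers.c>
    # "always" makes the headers apply to every response, including the
    # 403/404/500 pages served through ErrorDocument. The default
    # (onsuccess) condition only covers 2xx responses, so the custom
    # error pages were previously sent without these protections.

    # XSS Protection
    # NOTE(review): X-XSS-Protection is a legacy header that current
    # browsers ignore; it is kept for older clients only. The current
    # mechanism is Content-Security-Policy, which has to be tailored to
    # the site's scripts and is therefore not added here.
    Header always set X-XSS-Protection "1; mode=block"
    
    # Prevent Clickjacking
    Header always set X-Frame-Options "SAMEORIGIN"
    
    # MIME-Type Sniffing Protection
    Header always set X-Content-Type-Options "nosniff"
    
    # Referrer Policy
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>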

# ============================================
# 16. COMPRESSION (IONOS Compatible)
# ============================================
<IfModule mod_deflate.c>
    # Same set of types as one combined line, grouped by kind.
    # NOTE(review): compressing HTML that embeds a per-user secret
    # (e.g. a CSRF token) next to attacker-influenced text is the
    # precondition for the BREACH attack; whether that applies depends
    # on what the CMS pages contain.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript application/javascript application/json
</IfModule>

# ============================================
# 17. BROWSER CACHING
# ============================================
<IfModule mod_expires.c>
    ExpiresActive On

    # Stylesheets and scripts: one month from the request
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"

    # Images: one year from the request
    # (Apache's default mime.types maps .jpg to image/jpeg, so the
    # image/jpg line is normally a no-op; kept as in the original.)
    ExpiresByType image/jpg "access plus 1 year"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
</IfModule>