# Serve index.php first, falling back to index.html, when a directory URL is requested
DirectoryIndex index.php index.html

# Never generate auto-indexed directory listings for directories without an index file
Options -Indexes
# Keep the Apache version/host line out of server-generated error pages.
# (ServerTokens is server-config only and cannot be set from here.)
ServerSignature Off

# ── Security Headers ──────────────────────────────────────────────────────────
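<IfModule mod_headers.c>
  # "always" applies the headers to error responses (4xx/5xx) as well as 2xx.
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  # The legacy browser XSS auditor is deprecated and "1; mode=block" can be
  # abused for cross-site leaks in the browsers that still honour it, so the
  # filter is explicitly disabled; Content-Security-Policy is the real control.
  Header always set X-XSS-Protection "0"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(self)"
  # env=HTTPS is the mod_ssl variable, only set when Apache itself terminates TLS.
  # Behind a TLS-terminating proxy (the rewrite section honours X-Forwarded-Proto,
  # so that deployment looks expected) the variable is absent and HSTS is silently
  # omitted. NOTE(review): confirm the header is present on production responses.
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
  # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src mean this CSP does
  # not stop injected inline script; the CDN entries allow-list whole hosts, so any
  # script hosted there is loadable. base-uri has no default-src fallback and is
  # pinned so an injected <base> tag cannot retarget relative script URLs;
  # object-src would otherwise fall back to 'self' and is set to 'none' since no
  # plugin content is served.
  Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdnjs.cloudflare.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com https://unpkg.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: blob: https://*.tile.openstreetmap.org https://www.gstatic.com https://api.qrserver.com https://upload.wikimedia.org; connect-src 'self' https://nominatim.openstreetmap.org; frame-ancestors 'self'; base-uri 'self'; object-src 'none'"
</IfModule>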

# ── Gzip Compression ─────────────────────────────────────────────────────────
<IfModule mod_deflate.c>
  # Compress the text-based types only; each line adds to the same filter set.
  AddOutputFilterByType DEFLATE text/html text/css
  AddOutputFilterByType DEFLATE text/javascript application/javascript
  AddOutputFilterByType DEFLATE application/json image/svg+xml
  # NOTE(review): compressing text/html and application/json that reflect user
  # input alongside per-session secrets (e.g. CSRF tokens) is the BREACH
  # precondition — confirm how the application masks or rotates such tokens.
</IfModule>

# ── Browser Caching ──────────────────────────────────────────────────────────
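<IfModule mod_expires.c>
  ExpiresActive On
  # Static images: long-lived cache.
  ExpiresByType image/jpeg "access plus 1 month"
  ExpiresByType image/png "access plus 1 month"
  ExpiresByType image/webp "access plus 1 month"
  ExpiresByType image/svg+xml "access plus 1 month"
  # CSS/JS: shorter lifetime since there is no cache-busting visible here;
  # presumably assets are re-fetched within a week after a deploy — verify.
  ExpiresByType text/css "access plus 1 week"
  ExpiresByType application/javascript "access plus 1 week"
  # WOFF2 fonts. The registered type (RFC 8081) is font/woff2, which is what
  # current Apache mime.types emits for .woff2; application/font-woff2 is the
  # pre-standard name and is kept only for servers that still use it.
  ExpiresByType font/woff2 "access plus 1 year"
  ExpiresByType application/font-woff2 "access plus 1 year"
  # text/html and application/json intentionally get no expiry: dynamic
  # responses and API data must not be cached by intermediaries.
</IfModule>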

# ── Block sensitive file access ───────────────────────────────────────────────
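# (?i): case-insensitive so the deny also holds on case-insensitive filesystems
# (Windows, default macOS), where FILE.SQL is the same file as file.sql.
# NOTE(review): "xml" also blocks sitemap.xml and similar public files — confirm.
# Names such as .env.local or dump.sql.bak end in an unlisted extension and are
# still served unless covered elsewhere — presumably acceptable; verify.
<FilesMatch "(?i)\.(sql|xml|log|sh|env|csv|db|sqlite|lock)$">
  # Apache 2.4 (mod_authz_core) syntax; Order/Deny alone is a config error on
  # 2.4 without mod_access_compat, so the 2.2 form is only used where 2.4 is absent.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>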

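# Data stores kept in the document root. Only these exact names are denied; any
# other .json file remains served — presumably intended for public data; verify.
# (?i): case-insensitive so the deny also holds on case-insensitive filesystems.
<FilesMatch "(?i)^(users|staff|airlines|config|reports|audit)\.json$">
  # Apache 2.4 (mod_authz_core) syntax; Order/Deny alone is a config error on
  # 2.4 without mod_access_compat, so the 2.2 form is only used where 2.4 is absent.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>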

# ── URL Rewriting ─────────────────────────────────────────────────────────────
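<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /

  # ── FORCE HTTPS ──
  # Redirect plain-HTTP requests to HTTPS. The second condition accepts a
  # TLS-terminating proxy that sets X-Forwarded-Proto; the header is trusted
  # as received, so the proxy must overwrite any client-supplied value.
  # NOTE(review): the Location target is built from the client's Host header
  # (%{HTTP_HOST}) — an unexpected Host value is echoed into the redirect.
  # Pin the hostname (ServerName / UseCanonicalName On) at the vhost level if
  # this server answers for arbitrary hostnames; confirm the vhost setup.
  RewriteCond %{HTTPS} off
  RewriteCond %{HTTP:X-Forwarded-Proto} !https
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

  # ── INDEX REDIRECT ──
  # Redirect any request for index.html or index.php to the root (/)
  # This avoids duplicate content and keeps the URL clean.
  # Skipped for POST: a 301 makes browsers replay the request as GET and drop
  # the form body (the STRIP EXTENSIONS rule below excludes POST for the same
  # reason). %1 is everything between the leading slashes and the last
  # "index." in the request line, so /sub/index.php becomes /sub/.
  RewriteCond %{REQUEST_METHOD} !POST
  RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/+(.*)index\.(html|php) [NC]
  RewriteRule ^ /%1 [R=301,L]

  # ── STRIP EXTENSIONS ──
  # Externally redirect /file.php or /file.html to /file
  # Excludes 'index' and 'api' to prevent breaking root redirects or POST data.
  # The lookahead is a substring test over the rest of the request line (path
  # and query string), so e.g. /rapid.php also keeps its extension — presumably
  # acceptable; confirm.
  RewriteCond %{REQUEST_METHOD} !POST
  RewriteCond %{THE_REQUEST} ^[A-Z]{3,}\s/+(?!.*(?:index|api))(.*)\.(?:php|html)[\s?] [NC]
  RewriteRule ^ /%1 [R=301,L]

  # ── MAP CLEAN URLS ──
  # Internal mapping: check if file.php exists, then check if file.html exists
  # Only applies when the bare path is neither an existing file nor directory.
  # Every .php in the document root becomes reachable by its bare name (the same
  # exposure it already has with the extension), so include-only scripts should
  # live outside the document root.
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME}.php -f
  RewriteRule ^(.*)$ $1.php [L]

  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME}.html -f
  RewriteRule ^(.*)$ $1.html [L]
</IfModule>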

# ── Error Handling ────────────────────────────────────────────────────────────
# Unknown files and unmatched clean URLs are handled by /index.php. A local
# path here is served by Apache as an internal subrequest (a full URL would
# cause a client-side redirect instead), so the client still receives the
# 404 status rather than a redirect to the home page.
ErrorDocument 404 /index.php